berbew | 054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63N.exe
Size

464KB
MD5

c6f4b16ff5d8ce65bfb9e95427106340
SHA1

3d0068928469436b2cd109a7562403e8a979e0f7
SHA256

054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63
SHA512

beb5eff17f7961cb7e3a3da10db00ee27e8d5d3821bfa301fb2e006532a2cc77cb36ac75838ba264f5eb388e7d46a2ce7e95bb30b5d12a1ecaf0fcf03b364011
SSDEEP

12288:7ZgKah2kkkkK4kXkkkkkkkkl888888888888888888nusG:rah2kkkkK4kXkkkkkkkkK

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhjfhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fohoigfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fchddejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiefcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eofbch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifgbnlmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hijooifk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4460	Eemnjbaj.exe
428	Eofbch32.exe
4728	Eepjpb32.exe
4232	Ehnglm32.exe
872	Fohoigfh.exe
3908	Fllpbldb.exe
3368	Fdgdgnbm.exe
1028	Fchddejl.exe
928	Fkciihgg.exe
4524	Fckajehi.exe
3540	Flceckoj.exe
244	Fcmnpe32.exe
3876	Fhjfhl32.exe
2168	Gbbkaako.exe
2292	Gfpcgpae.exe
5020	Gbgdlq32.exe
3464	Gokdeeec.exe
4472	Gdhmnlcj.exe
3508	Gcimkc32.exe
4856	Hiefcj32.exe
1068	Hfifmnij.exe
4316	Hkfoeega.exe
400	Hijooifk.exe
756	Hbbdholl.exe
2008	Hkkhqd32.exe
2396	Hfqlnm32.exe
1628	Hkmefd32.exe
3688	Iefioj32.exe
4020	Ikpaldog.exe
3772	Icgjmapi.exe
3084	Iicbehnq.exe
3500	Ikbnacmd.exe
2884	Ifgbnlmj.exe
4192	Ippggbck.exe
4400	Ibnccmbo.exe
772	Imdgqfbd.exe
5036	Ibqpimpl.exe
4912	Ipdqba32.exe
2380	Jimekgff.exe
512	Jfaedkdp.exe
3784	Jlnnmb32.exe
4412	Jbhfjljd.exe
1176	Jmmjgejj.exe
2896	Jcgbco32.exe
1136	Jehokgge.exe
4420	Jmpgldhg.exe
3216	Jfhlejnh.exe
2128	Jlednamo.exe
1876	Kboljk32.exe
1148	Kiidgeki.exe
1576	Klgqcqkl.exe
1668	Kdnidn32.exe
3056	Kepelfam.exe
2576	Kmfmmcbo.exe
2764	Kdqejn32.exe
640	Kebbafoj.exe
1604	Klljnp32.exe
3340	Kedoge32.exe
2612	Klngdpdd.exe
3408	Kbhoqj32.exe
632	Kefkme32.exe
4368	Klqcioba.exe
1536	Lbjlfi32.exe
4904	Liddbc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ehnglm32.exe	Eepjpb32.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Hbbhclmi.dll	Gdhmnlcj.exe
File created	C:\Windows\SysWOW64\Lcjnop32.dll	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Naqcfnjk.dll	Fllpbldb.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Imdgqfbd.exe	Ibnccmbo.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Lmldgi32.dll	Iicbehnq.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bqhimici.dll	Ehnglm32.exe
File opened for modification	C:\Windows\SysWOW64\Fllpbldb.exe	Fohoigfh.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jbhfjljd.exe	Jlnnmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Fohoigfh.exe	Ehnglm32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ikbnacmd.exe	Iicbehnq.exe
File created	C:\Windows\SysWOW64\Jfaedkdp.exe	Jimekgff.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Fkciihgg.exe	Fchddejl.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Ikpaldog.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6860	6632	WerFault.exe	286

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikpaldog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibqpimpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flceckoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmmjgejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgjmapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepjpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefioj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkkhqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcimkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimekgff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gokdeeec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajolcjk.dll"	Eofbch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmldgi32.dll"	Iicbehnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll"	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geplnioe.dll"	Fdgdgnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ippggbck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kboljk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hijooifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afomjffg.dll"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfqlnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkfmkdc.dll"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjfkm32.dll"	054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hiefcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqcfnjk.dll"	Fllpbldb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifgbnlmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llgjjnlj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4460	3436	054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63N.exe	83
PID 3436 wrote to memory of 4460	3436	054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63N.exe	83
PID 3436 wrote to memory of 4460	3436	054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63N.exe	83
PID 4460 wrote to memory of 428	4460	Eemnjbaj.exe	84
PID 4460 wrote to memory of 428	4460	Eemnjbaj.exe	84
PID 4460 wrote to memory of 428	4460	Eemnjbaj.exe	84
PID 428 wrote to memory of 4728	428	Eofbch32.exe	85
PID 428 wrote to memory of 4728	428	Eofbch32.exe	85
PID 428 wrote to memory of 4728	428	Eofbch32.exe	85
PID 4728 wrote to memory of 4232	4728	Eepjpb32.exe	86
PID 4728 wrote to memory of 4232	4728	Eepjpb32.exe	86
PID 4728 wrote to memory of 4232	4728	Eepjpb32.exe	86
PID 4232 wrote to memory of 872	4232	Ehnglm32.exe	87
PID 4232 wrote to memory of 872	4232	Ehnglm32.exe	87
PID 4232 wrote to memory of 872	4232	Ehnglm32.exe	87
PID 872 wrote to memory of 3908	872	Fohoigfh.exe	88
PID 872 wrote to memory of 3908	872	Fohoigfh.exe	88
PID 872 wrote to memory of 3908	872	Fohoigfh.exe	88
PID 3908 wrote to memory of 3368	3908	Fllpbldb.exe	89
PID 3908 wrote to memory of 3368	3908	Fllpbldb.exe	89
PID 3908 wrote to memory of 3368	3908	Fllpbldb.exe	89
PID 3368 wrote to memory of 1028	3368	Fdgdgnbm.exe	90
PID 3368 wrote to memory of 1028	3368	Fdgdgnbm.exe	90
PID 3368 wrote to memory of 1028	3368	Fdgdgnbm.exe	90
PID 1028 wrote to memory of 928	1028	Fchddejl.exe	91
PID 1028 wrote to memory of 928	1028	Fchddejl.exe	91
PID 1028 wrote to memory of 928	1028	Fchddejl.exe	91
PID 928 wrote to memory of 4524	928	Fkciihgg.exe	92
PID 928 wrote to memory of 4524	928	Fkciihgg.exe	92
PID 928 wrote to memory of 4524	928	Fkciihgg.exe	92
PID 4524 wrote to memory of 3540	4524	Fckajehi.exe	93
PID 4524 wrote to memory of 3540	4524	Fckajehi.exe	93
PID 4524 wrote to memory of 3540	4524	Fckajehi.exe	93
PID 3540 wrote to memory of 244	3540	Flceckoj.exe	94
PID 3540 wrote to memory of 244	3540	Flceckoj.exe	94
PID 3540 wrote to memory of 244	3540	Flceckoj.exe	94
PID 244 wrote to memory of 3876	244	Fcmnpe32.exe	95
PID 244 wrote to memory of 3876	244	Fcmnpe32.exe	95
PID 244 wrote to memory of 3876	244	Fcmnpe32.exe	95
PID 3876 wrote to memory of 2168	3876	Fhjfhl32.exe	96
PID 3876 wrote to memory of 2168	3876	Fhjfhl32.exe	96
PID 3876 wrote to memory of 2168	3876	Fhjfhl32.exe	96
PID 2168 wrote to memory of 2292	2168	Gbbkaako.exe	97
PID 2168 wrote to memory of 2292	2168	Gbbkaako.exe	97
PID 2168 wrote to memory of 2292	2168	Gbbkaako.exe	97
PID 2292 wrote to memory of 5020	2292	Gfpcgpae.exe	98
PID 2292 wrote to memory of 5020	2292	Gfpcgpae.exe	98
PID 2292 wrote to memory of 5020	2292	Gfpcgpae.exe	98
PID 5020 wrote to memory of 3464	5020	Gbgdlq32.exe	99
PID 5020 wrote to memory of 3464	5020	Gbgdlq32.exe	99
PID 5020 wrote to memory of 3464	5020	Gbgdlq32.exe	99
PID 3464 wrote to memory of 4472	3464	Gokdeeec.exe	100
PID 3464 wrote to memory of 4472	3464	Gokdeeec.exe	100
PID 3464 wrote to memory of 4472	3464	Gokdeeec.exe	100
PID 4472 wrote to memory of 3508	4472	Gdhmnlcj.exe	101
PID 4472 wrote to memory of 3508	4472	Gdhmnlcj.exe	101
PID 4472 wrote to memory of 3508	4472	Gdhmnlcj.exe	101
PID 3508 wrote to memory of 4856	3508	Gcimkc32.exe	102
PID 3508 wrote to memory of 4856	3508	Gcimkc32.exe	102
PID 3508 wrote to memory of 4856	3508	Gcimkc32.exe	102
PID 4856 wrote to memory of 1068	4856	Hiefcj32.exe	103
PID 4856 wrote to memory of 1068	4856	Hiefcj32.exe	103
PID 4856 wrote to memory of 1068	4856	Hiefcj32.exe	103
PID 1068 wrote to memory of 4316	1068	Hfifmnij.exe	104

C:\Users\Admin\AppData\Local\Temp\054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63N.exe
"C:\Users\Admin\AppData\Local\Temp\054236aee19b83123883b77209b0b2ecb3cbbac961413a688eb9d21044f07e63N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\Eemnjbaj.exe
  C:\Windows\system32\Eemnjbaj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\Eofbch32.exe
    C:\Windows\system32\Eofbch32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\SysWOW64\Eepjpb32.exe
      C:\Windows\system32\Eepjpb32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4232
      - C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        23⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        25⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        33⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        41⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        47⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        57⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        59⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        60⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1764
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        69⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        71⤵
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        72⤵
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        73⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        75⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        78⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4516
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        81⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        82⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        83⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4312
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        86⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        87⤵
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2744
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        89⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        92⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        94⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        95⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1304
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        97⤵
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        98⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        99⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        100⤵
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1660
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        103⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        104⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        105⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        110⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        113⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        116⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        118⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        119⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        120⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        121⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        128⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        131⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        134⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        140⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        143⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        149⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        150⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        154⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        155⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        156⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        157⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        158⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        159⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        161⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        162⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        163⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        165⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        166⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        173⤵
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        174⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        175⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        176⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:6684
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        179⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6772
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        182⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        183⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        185⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:6240
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        188⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        190⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        191⤵
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:6720
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        195⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        196⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        197⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        198⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:6364
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        201⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 420
        202⤵
        Program crash
        
        PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6632 -ip 6632
1⤵
PID:6812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
464KB

MD5
89413018982d6b1dd873dad81a690f2d

SHA1
e9cef83d5a3f64003c6ba3794528986d2d575e3b

SHA256
ef2fea96f8dd7d238d94bbcebe715a2d3f2d7987b9fd1424beaf002e2e842671

SHA512
92bac616201f63f1e520046c91a7aa852963e1f297e894a74fee116fe5beff4af671ac4341f1a2fcedcb24fc90995886a50b7c51946ac71c84088866b0d1428a

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
464KB

MD5
3499e23b92d69c2972247de0c987ccac

SHA1
4b9a8025f2a5d142f5f0885ebc9f4eeca61b15dd

SHA256
86341c4202f5b9f76001ffafde3c8350b3ae8f25cb5c79066407e7e3605849a1

SHA512
ba59ffe665c75914fdb573a098a0bc3899029d9fa4201ac208412baeeb1e9df029d62b5eeeed2d7296755f4ad4e3f5ba359f077bb18266c1f18af281b6b744d2

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
464KB

MD5
db44886e52b95ed8cfb6ece7af8ab62f

SHA1
44820b2acc8be136c192cffaac69a455152bb87e

SHA256
9b8968c84f0f6418a41b8968bca8af2d4891d9eb77a92427564030bb468f1e08

SHA512
238affb780ebde809926554ba592bc2d000a850262fb57cec06b75c8a1f1da4ae04e2dc0fd5cd6a3ae34f038f8c33cc0e67d546a71fba59f2ef20df1bcbfa4d1

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
464KB

MD5
d449d95dabb6c56880207c47fbe2074a

SHA1
3a80c3b79ffabc54aa289c0a304d7460daf25889

SHA256
e2d828c2b69afdce05e84a0d12c3df4838810fe5a11de17cd1231ab97e3b8f01

SHA512
a305cf1e6dffca7f302c4c35b19d359c414e6d9039ddd178d8be3c2f8bca838073829aea2d069b7bd57df3f852d15b8fe3a5a1d49b40e0b5a21f38248b44acc2

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
464KB

MD5
e06fa86e2889034acc2aea26ff6e5265

SHA1
3c567fadeaf20c37e290b8fc60c53ed23cb633b2

SHA256
c1f532698b2b7d9193771aade6b1b4b6d1a8e5054b2105318322ac435171f155

SHA512
a24d81ffdc6de58830c46b5f5ae63d79c19cd73500761e1253b38200f75479f1c8eda78805077dc34690f2ae604de5cbb9f08e15552fc63e6ea88055c4d3f9fe

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
464KB

MD5
d4b4420052eff905e96f30df0cd8ecdc

SHA1
bf074f0f23152ce2f18a1ddaf0eb3fa8cefa1898

SHA256
4c2af531c626cc8b98b86b54e5ed952b034d0632ae1633bae6056f0308721055

SHA512
be564b3ea44172c6c9751af9e7dff081f6141bda1449eb9c89fd834b6709d184e8ce8c52187d4a522364e480724272647404886d67d0ed091f581204d4515add

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
464KB

MD5
5ba7a37f8c10c13f42c152f4875ad3a3

SHA1
c61b675d39ec592bb8628944e17dd5bc74645c38

SHA256
17f0616cfc487f7bfd168a9e154b3e360fef846c9438bd68035f6b5d30be9933

SHA512
34f5fa1c14a8805fb12a2176e40e71cccb41ac8f75dd251fd3d73b96f8eafb30885424d630d086c411693f99fb427b0bcd20d5a0eb3fb8261ddd84d003b753d6

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
464KB

MD5
6e5771feda463f57894d83296f5b4463

SHA1
5b98f7b053d799a51743c5a6f0ecc8bcaf20320b

SHA256
42e257c28b2cc806ecc616772109168001ed2cb55d725a07c1d1ec7cddc69ed6

SHA512
7c5a7f6f7607603004a277793cae0b72753f1dfca6a48e351db96c76da94883d5fac1b60a8d4212594a4a8bb32a7bc99128e5c80d1df6edf137f654a607eff9f

Download Submit
C:\Windows\SysWOW64\Bqhimici.dll

Filesize
7KB

MD5
6cc909092882a46e8783e55b29297694

SHA1
aa238f0c47777b239c7757099fa4cd1ab2dee345

SHA256
09da9b23bb33de02b611e57074039334daa66692922b3c35877156909bf57358

SHA512
7300e1d9676b8835b038e9fd6bc73956427cde1f31f2a794d01dbde43d53558fcadc6810bffcb3886435ab32c4716eb6b8432870cb1ec41bb31cf0cf1c8a3b64

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
464KB

MD5
53f5e32921ac8f527edc2adadc59f30f

SHA1
13e355621f2d43448350116b774c956a5841a80c

SHA256
ca6bae39d0be38119f295cc30f7b6f86cdff271e879eaf6f42c3d4fbe00f3381

SHA512
4e6b7f7aeae6c1f8c017c85c927a80a465d5594e82685c0e043a1b5a855125cd7a26d0392602d27fda158b31c12d24bd015d08f03409cb6eaa9c8d0234d65d14

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
464KB

MD5
643c5bdb18367b33613adff90f04fe7c

SHA1
83f431514df31159c6db1dfd95bad52af18f1e09

SHA256
1373e8c6f1713cf972c1efc8771563c320c9a2a76db250ace68fb9d5c733b14b

SHA512
6bc62b1b1debdb11a6b463e72a7f962ca7de0df8101b31900654e56eaac6d2f2667b322ddf059dabc1cc3aaeeedfbb8953d09692663f43942dfa8a8b839abc6c

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
464KB

MD5
c9b0446f3e37f57c6132f222840667f1

SHA1
24071914ce8e2e2300a815fa167abe04de17a165

SHA256
d2179d23ad86a2b6f1d33d31ac09d7f1c102fcbffe5b873300514916a47aa01b

SHA512
9ff33192d4ee0877970fb418b535016b03ed7e958c1aaf43f93f25a2b9bd1b422b6a92bdb6bbc18ca9cd576f73b49742d060dca9fa7aabef0fc1a386df5baaac

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
464KB

MD5
9837cc74ea6ad360815f615edf73e1c7

SHA1
18f98f93cc8e657d61e33e1da0aad55d44c577a0

SHA256
7d06fe351f76cf780cc291835b9f53fe43f9daa48fee06b06b6cf92591345d57

SHA512
85b8b7c745a8384fdafd7326b58c0bb06b77fbd7d38e18d01baa90a3908c5de13140216c8222aee2d816aba3821a154d3a80f5879b92358ecf490169f0f5a0e1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
464KB

MD5
748333e49539fab3d6fba8a0aba4e2b8

SHA1
91111b3e7f4aeba5a8fe4f633e01e2f4ce78221e

SHA256
88c26905ed97f27a551785be72b2cc6e66485f6818902a0df94f538c82f25409

SHA512
b0d47e33d6c128678f7af9124cca72c3378b0090176ac83c54e7d1d92d7b285beb1cac75cec27e5246835038e5fd38a7362ab196dc3b385bb6faad53370a8a69

Download Submit
C:\Windows\SysWOW64\Eemnjbaj.exe

Filesize
464KB

MD5
7b4f51a7445541a8e17c1ade78524b92

SHA1
829f66490b80da884235287d56a6dadcfa1ef506

SHA256
b99195170d026fff91ff644b08b612dec42083a35e4e5819b86f8b8854c8db76

SHA512
7ea9cfe0d95d55b2eb43f8a883c9d5aad9d4a53780cdfbae425cf5e4bdfd98ac7ddcf638ec68f7edda5c793d4e89c09441cf01b64d7690dbd23559745ea92a1b

Download Submit
C:\Windows\SysWOW64\Eepjpb32.exe

Filesize
464KB

MD5
561b9df2b05ccdb2c9141c76ddc1a93c

SHA1
917a0c8977940e38e75d866cbf4077cbf8ebcc71

SHA256
8900c0e6bfa5458257235b2c6e1b14640be4cc50665ffd80a1d76460eec4c347

SHA512
4d85d99cc9d05913ec0b4dc865afa86c6bd93baed98bfcbf61480aeef6ae0603cab8530fdbfb5964d79989929c00d5544ec9003f4d72c75bcb96fd493d5ce3e1

Download Submit
C:\Windows\SysWOW64\Ehnglm32.exe

Filesize
464KB

MD5
ee90e9d54b71ffbfbe114cc1ff954596

SHA1
bbf39374586f2224bd2983df45265a844741139e

SHA256
4c240fb6c915232ac0a63e751c6b3b753c5209f94275a13fe1b32e96cd201d4d

SHA512
00d5b017af4c9d444af7cb1fbe235588924e2d554578b0ca2bf73164804c541425972089ee20c5dc9d6d7180bc2fe8ae6898d9a029167db72ec2425531b85d31

Download Submit
C:\Windows\SysWOW64\Eofbch32.exe

Filesize
464KB

MD5
14514a62ae96e278fa961352f26c0887

SHA1
694eb8e7f369cde2f7457300546f88f33df3d3f7

SHA256
0c833bdc2179828c741a1b5854913b5477dab3455f6e7b866342f714c53f90e0

SHA512
3ba7f9c1e852ac96db24db10c0604fb382bad88f8679e71265236df47a5b39e5c7a9fe847ec57b087682919557ca9ba60f30e101fbe8d9b744292a0a248073d7

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
464KB

MD5
1da529f60419834ec06028e0ba53f1bb

SHA1
0f6ce918ab5b87265e4f2bd99e35444d4976523c

SHA256
57943e61daa6bdc1f3b1d458a393d0e100ebe834484d7a809a2698ed5804fa6b

SHA512
79430b17c11d2a65b7a616eaac9536fe4cb5bc0a7873dc5dfaa8241aad2175bad58b59dff67537f4b5e7827573e444c23076e4575c94e417d05924921ef173f7

Download Submit
C:\Windows\SysWOW64\Fckajehi.exe

Filesize
464KB

MD5
3267fbfc697f869e9843901da2c1d987

SHA1
a7f12450f990e89f5fbae7c291a713e296b3ee0d

SHA256
fe7b84941124adf1cee266d8979b60f97c541edc7e6737976414824b47633124

SHA512
022ac26c518509bf3d50357accec9605ed44fc7be0f7f77a5a6a65183bd63a4c18774ae80d3c5e6ee1ada27b4112d04a0c7c07cd434c1ce6bf59e11e8a8bc5e7

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
464KB

MD5
51386d3290057289c55aec52867710f0

SHA1
c8ab7c192eb36987f20ddad4f657f584a687c6f0

SHA256
46e6208e000fe6adaa298192f42c1e1f71eeec9364cdd7fcc42292c34c624369

SHA512
c883d5eb07661d4e510a810531a191047b9a4607ded5fee868916ea05533b98fe49daa7260ac9df3fa195834a8ea86a27600c9f042aa303844f981f5ce010ed8

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
464KB

MD5
c12cd1f880fb0f3becbb93a597b1ba1d

SHA1
773b382204a43a21cd1091ccb94b9b9f0215f641

SHA256
609ab1c9b59fd4a3a5c87c7125dde8a880ef5e393a18d8dd5d1f1bcccacfcf0b

SHA512
f652f9bc7ba84b893ac43e871982f16a49e4ce55a920b00388487f88575fa35a7bad2c213057e6629e861b4d3f73cc46931949aea69e4156139be13770d5d1cc

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
464KB

MD5
fa338e41d36a47b18fca275cebe63f3c

SHA1
d3f09c83138a9c093cd75fb03bac6c8cd96a728b

SHA256
1e547090c02b9b902d9f5302230d4335b00c1d4937abe57dc9dcaf9b10f76e9f

SHA512
5a896fbb3ca41c6b7092cc1a230731246484f37c4eff3e17b2d57529800339da04422ac5ee408337e960e1f856c8539e3550f09b3a1ccf48e05ffaf53295d8ea

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
464KB

MD5
3097661f03e924f226744080ad6d3c9e

SHA1
53ff4ea728397379bac93b40641a317ac15c0f93

SHA256
ad1d4c9395e3c34b5797d7847fd6fb41bfae2cc18b9af8e7e48262b91b7267a5

SHA512
7fdb361995a19b11a8dffcd9154c3c17ae1fbbb4691131ab015fa8528db53c3a126c7dc6fab112eef9c15f4521b569e90c01bdf1fda46d68e9a7c0119fa70d64

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
464KB

MD5
36f3ce084a59ca80d596048c8bf9cc08

SHA1
ae3e47505847507381f11aea832ab4a4ba22977c

SHA256
7d87057d8a165574b63ae105f39c46787fbd5801f57886655d4b93618d9f0085

SHA512
1518215b834537732573dd9f80172a26ff62e52335c53f553336c6b280762c3b3cc2b9908e8d34cd16784a8c2f887579ee47770de545c389e1a60f787ba700dd

Download Submit
C:\Windows\SysWOW64\Flceckoj.exe

Filesize
464KB

MD5
96f5e618cbe687c9efc226878d7387b6

SHA1
d4bdb22096037cbdf3f112ce3aed7ccccbcd608c

SHA256
764d052ca7c96eb16c649d8d669cc898aa68afd08191e72e08fbee9101695e74

SHA512
be59bc4635cce2cbe90aaa13a7cb704585233ceb6edd5ea227f68130f3602ec2d438c11e8372569acb556d51739aefa6ed72278abef95c4d447137ccb8480afe

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
464KB

MD5
4c9c61ff88e88359ea078b8b97d69eaf

SHA1
1f62a26292b7a8bf5a0317c1fde82c0e2511866a

SHA256
29a605f269fbb04473b2d8d4ab184723aaa5462e4e0267b1a69e189f4e6e0987

SHA512
3dacb169e840720c625b40769161fb79e37d1196a40b1cf8d363d2114f14c4b5123ec8fdc9375188dc7c8e1158b763d5e414d3528c42319aa547889529db5042

Download Submit
C:\Windows\SysWOW64\Fohoigfh.exe

Filesize
464KB

MD5
200b9e959bbdf11b9208e6d71dfb4b30

SHA1
2c79bb534df547f89ecbfc374490372df07ca22f

SHA256
f39589e28574fd7cf2388447af67ce68d04bf922ef8e136ba0e5a9ead6291cf7

SHA512
216a7a73f92d2525fcae368552914b9c80193b5997e3632cf47ad68bfe921c503e52d0dfa986c041576c43d894b60852e98fbcb884eab376a559485648627c93

Download Submit
C:\Windows\SysWOW64\Gbbkaako.exe

Filesize
464KB

MD5
e9b8b6e7efeb10940dd6a925ca1d7dcc

SHA1
487a2df735f25eadbf03aae539f4b2fe20c90068

SHA256
0240c7163c9bc6712470053b646fff764277072217427634a0c9fec2d6572391

SHA512
2ccff0ca4fa8411b03f0dd863f1b9c771d5f7c359a276da33f0478cb559e56ea694122e2dafc5310c165ad753f868d5fc20e6a25d763a08975f19ccaa729f030

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
464KB

MD5
7c7e5941bc34633d76f90a4d1dc1e773

SHA1
ad7222e82441d3c1be8f33e4426968e1af0b552d

SHA256
8c9df97c2e31bd6e91e899eac452ee9a7c2167abf6ea824172d895e48b57597e

SHA512
cab9a205639c0164cda70c8940cae7d55181e5c0228c5cd405f495b742370d99745b4f9db006ebab65169e50e726b570ef0adb4e3cacfaff37ef64238a5fdf0b

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
464KB

MD5
dfa36ba07031f805cb48f03553bfc0f4

SHA1
b3d3b192e181cce8566b4c1920ca4d580f29cec8

SHA256
160c010730a64c90fa288a71de9d0743417fe2a12373ab9df8c150f230b1d272

SHA512
27bc3f13e2d4baeb54e4e9697b6eee9d76afdb99c058900670c0c241f117c9816d2c7450f30f843e3720759d8985ba2d7a678fdb38435edf1db014a8282d7243

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
464KB

MD5
16e8f399e4f6e691ac14553d4d9bd22b

SHA1
e9e5979d64d3354a797240b4fa8bca4de3a1c6de

SHA256
5c54c5fea71671214328fdffb1b3ce63d7279811afcb8e4f79f383ce935c1c72

SHA512
4fa2bfdac3fb217344854840791898ac3ec7f0c0cd2ece45f1a425bf244901b3d4acf772d2a501f2e9afdd96a8f25cf72ad950b96f1598b2d4b9841a88a25afe

Download Submit
C:\Windows\SysWOW64\Gfpcgpae.exe

Filesize
464KB

MD5
a75ae216337b79a2f172c4556c6977e0

SHA1
8c86a1a2586574b3830cc05d816a1c466cb08125

SHA256
1d2442d749483898c17bf365799633f290a8565fcf0bb32ee864045331317172

SHA512
3e7a685510f077f474798082c03bf874a7cffa8bd0f872561759b0332084e356e7583249c5d1bcf0e801820cffdfec40e686a21c5cf1d6e59d66272f05bca26d

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
464KB

MD5
2cca8aafe7a52c4714cb08e903351dfb

SHA1
d25f6bb784ebcf4ad6dfd09d9e8103d516047c67

SHA256
88b1803caa9d9ecf24bd899b3d5232dbab6504ce14c72d551abf78d2a95521ca

SHA512
64404011eab65706866e28d7d7424287cc2350b571bea822ab4df1a0b4bd9984d9e6a806be822004779caf5237e122dfd4ef0ce8efd1772431a41f3780c0b945

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
464KB

MD5
af2eb2147a5bc75e4c7f29a1602ffa8c

SHA1
f46ff6a91c53e0936de03e56dbe1dbec4ca7fdf3

SHA256
af2ef0db2f0ba298067af827e5a3acd5ed76fb19f74f24ad7b6ccc8dbe8c0220

SHA512
113e407262943255abce4ab8374a750f31f9ea9b46d7d30105daca8587b858366dba625abee4a082d1947b1a4bf82380bdfa1069f904511c23b1f0b2d9282fc4

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
464KB

MD5
1606782726ad588c84ac9ad49260a4f6

SHA1
d51599156e4a5db9bb2095a4498b25a0e355ecc3

SHA256
157e08934ae58342bd873585033857346bab5c88f66869e232addb28d881e4f4

SHA512
8ec58ccbf61b4401246c352496d0439b2c9d40dc49d2c5986befff8adb77afc0572ab898656b219f7d0423760aedaa1e1ffb98a22208eb67d45c59f15d4d3667

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
464KB

MD5
316d2c42e35cd25ed1cb4d6632c87107

SHA1
d13c3123841f9a2556287f3821370194c0e0e2fa

SHA256
a6613fdf7e8df30353ef28098a52efdd88e6cc4cdcca17f05f59c350054f37ab

SHA512
57552959e23c7fb03b4d88f48572c1d9b08841bdd15acfb7233e9615cc1d7e9a63cf9489a9a6a3930daa9f11d153c3db4dd0bdfe149cbd8a7753b7c4ce432d5f

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
464KB

MD5
984c5fd216e8875fe9955bca436adf33

SHA1
86af27425352e835ddbe7a4b35a7392b9871e821

SHA256
0825434f9f2dc356b4de12effb5e7f6ff6dd232fa4a9256634eeca08f06d4f0c

SHA512
d9350e2d9323d8f3d1e79779849ebd597bc91ba6b4f4fadfec2b6e0703a58b34ed97b6992b881dd46e09e0cee4ff57073409403e53956129ab7bc8e77d8b06ee

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
464KB

MD5
40db835b2d05741ee17716ffb799305e

SHA1
87eca4db46b34fcb9242b28578342bb89fad4b95

SHA256
6bb32201feb279de93cc77fba3031230f050a443c8fb564c403896496a01c29a

SHA512
25e2c1c86c35115574827ddd6bd8a359ec05574b808f387d2874d9711b72fd45d220f3fdda41d85a90cc3eae8c6372d155ef28e47808cd9d3194ae55f02163ff

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
464KB

MD5
72e2493366640a510f97d9c71dcabdc4

SHA1
786d94218f9a9ce8d3dbb0a532b164c6db609316

SHA256
8b43adf3a470af7dfb69c562d665e4a6ae1e0e0edc494a5cce78b65c30704bbf

SHA512
a93b1ac8c93302828dba0b937d720ee566f10816024f76a3b9a648e871bde292147014b11f9b23caa080c3e0bfaba4f9bccda872932126d951f678edc69d7fb5

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
464KB

MD5
2c2d397d539f047d5aa966bb65fb60b5

SHA1
434c7d14534e6f682a2ace2575dc385ee42d8a75

SHA256
03d9d7a1a633a44d7874e734025378edffcbd9f6a5cfbc9766c68003d73d6d53

SHA512
9cddd4a62be78ce40d6972f530190b042c49c50c272f7e0a47a1b5be83a1f881fdbcc424931f277dfe3714a04ab7af21bf1585b9ad4dc5d302b0318e714fe79c

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
464KB

MD5
fc833cbd863452528fa7aa92c2f06e3f

SHA1
2b25e5863aeb5f1ffc80c6efe153087a3592483f

SHA256
4ec80a46044c4c920da5a31c49816d44695fbaa5839bc05ddc843270cc642c19

SHA512
811177a4f9d781ab142e06f312875ef8bc282f6e79e14fe4346215918312988b35fe26a297a096a6ccfac5598c3e4d6af613701be1b1154b9c124efad58f9e0c

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
464KB

MD5
59cc4821b695a504fc4ef848ba19d504

SHA1
a20eeea6267b05ca4412b1712de7957c13e0df43

SHA256
3e0b99c9b3e179f666012ffb28989ccbdda9a4ce7dc9f258ac0fdf5199bcd86e

SHA512
bc28ee83a044c42d0c2f6aab15a5d5f917b504d36cabeb14cb2fe170fb9d6e3e5f8b2e8d8d591a6e6ac3f22d51cf538a6d4efa9fb9a1c4b69601c95e85c74a40

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
464KB

MD5
b78c020f25e3fb538f147a2471cb6a1c

SHA1
1bbf70183741b33c9f79c0987bb454863ffe3b43

SHA256
1f1ea5283add25e75114dcf9367321f0781c3234dd29f03b6728ee8d247b5015

SHA512
f7624d2810178f13d7fadb075fcf86e46d3deeafab24d9fd43672aeef29fd8fde8955b8b4a82c4aa56e0f9b627290f1fce6c0d6b3d2ee91576c9a21f349d6193

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
464KB

MD5
add27e14d21a111e8d8281dc6d1a88fb

SHA1
19e81efd63123731e7250cc014149f16540146bf

SHA256
770c053e2b179e54507b96afa06c6f453e20a2a9cc9d9ffe4a5b08fc90ac2b12

SHA512
99d5e8411271e133211e69c7c14a577f7a45eb038274ee456ef10cc5003ea86caa819d87d9c9d2c81190faabfe535c75c97b340679db51ccaa66c68be56a3a57

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
464KB

MD5
d2dee5d64426950ff4de5642d36f8e33

SHA1
95cfc8d7f0ad69a35477d42006e50e9e62387471

SHA256
1e026acf93720ef28de77dac89d499c648d25e2f5e4d02b011ac906ba160330d

SHA512
7038c17187c80847c0fbcffc7af523ceda2bd559d3b0d1d9493bdaa1eaa503c2c47e6a9f4c4ab5956906fb16beb333e6fda7f24c2c4bd3363777a46b281f47fd

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
464KB

MD5
8f3c136a538a35ab90176e67b5c36604

SHA1
ff3bb8cc748f6584fe1e95356aa179e11886abf2

SHA256
9469ae3a157127c0f4f60208f4835e55c93f3e8c33cd6efa8e9acf60b4dec5c9

SHA512
47acad5a27dd0bb1ed5d99f7c25f2b52467c32e1fddd72f4cfd36a8c791698d7c7e3d4b917b17398ea7c0d5afb0c174cedcbabeb856ce4a176a8d8018fbe88e7

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
464KB

MD5
052573c7e0c1a3b5c4dab53a2fc70add

SHA1
43c2c20fce266bcb74e9a2c5767c87d061c15b20

SHA256
c341d1fa3c322927077146f9ae62d4cc611914d02e8824128f41275f166695a2

SHA512
ae34d7518508237abf4062a4779201a826b99035f02de4218badccbe43b546ba05e6375bffd68afdcb7f29501cdf71b6463e4c9f92365408050aaf1a89d9b0fe

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
464KB

MD5
04116ee19ecc3229025aaaa8aeb6a778

SHA1
4dc72a88e529439e8a3f912eb7cfca6581cbadb4

SHA256
40526b878bdea87d666009ac3eb3863acc23bc5872a5a31fce07cd0a291bade6

SHA512
59aa9b63438867f23e5af307d5e56dcdf75f248af333e7fff28ff9214c5db919ab4d48e8bac2aec94d83d418438da22ebc36916c5bedf16a6321ff3a98c61224

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
464KB

MD5
fedbb4088982b3ab6c121b99e08458a2

SHA1
10d3105184be4a041fbf391891b0d50df39b0f5b

SHA256
51d2cdbdeadc94d7d17f55d348f261ebbc7d8036f45e293484d6fafaa1a26e12

SHA512
a9852ae5258c84b5b148f8ee98e1841c83896d1a3e4d08f59579666a74be2b553f64846bd02269fd5d5c51271cc1cf9f70c6dd2806cf94843c8c3198e78cf469

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
464KB

MD5
1d00172e0bb1525d0125157d8da3faae

SHA1
e09a949ce3c3ee4b4d0ae778cd0da78445ab4554

SHA256
e1733dae80ee6c0c86e30bf721006ea0ff8e914924fd094a9937a2505a1383c4

SHA512
9fea0f733195a1c51b1bf05430921e40844bfe04c80895a11e43428f949ac3b3440992b24b5b1fdcaaddc2bc3d1ee2a7964c27f55771cd33773fd48f1eec7288

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
464KB

MD5
0cccb77ccbb9c50d8d76e36e9d7100d2

SHA1
4abc8be188258d26f09f8084ad4ba8ee0e8c2237

SHA256
bc8c6ccf82030015562305d1c6f0513169cb3e7c294ee527a5808e390a0c91f3

SHA512
e32149eb2fa20cec330b3316c926f7e007e72639f06e2ca9d8fc997da04338da0f1c759b96004fb3cfbb385a1302977f876446f221de77ec46286494ad2f74aa

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
464KB

MD5
78a212aac99e2aa747c2e611758ca8db

SHA1
2b9ab84f7a76c825902895b400e41e252be629fa

SHA256
e56bcd79b862c0bec136bb3e2e496977dc1b42e4488c72035dd11be849a9532f

SHA512
eeee5e67f6e7550014e72a4003df3c1167be93180b5d6f0cc0b20cda919b07098f102c26870339812b501ac20e9b657be90fc55fd8f3aaecbe2dc68f7cde8ba2

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
464KB

MD5
126d3cf844b974ccf3deb93dea8ac6ea

SHA1
ec5451b85df6eb3e5f72e3dfbbe055652742ad2f

SHA256
d9eb0182b750d796379a2c0004c12a5725c1d566f9d06f57e83648e76d512996

SHA512
d229955febcf8b544c76b3d16583faaebda12a7e57eeb288c40d2d16727306b93bc24b491aa97e90039c7152892382275b67b67972bf166474a15cc324268311

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
464KB

MD5
2180e4355baa0b32f03a49b65dea44ee

SHA1
538b6dfc1a83025b60dd945b2fe80f859ab48004

SHA256
d5055b3303e81bf0c94a35085cb149694fd4ef0d80a9b8e21dc8e5fa164b9ab4

SHA512
b83b40ba999cfd3b4ce693a199fb8b70c63893ca7d6ab7882778723d8a8daf10566436935dfa14a09534c51a3e8850eb724aeb3bfec44fbc616dc35587948c7f

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
464KB

MD5
8129d944a7cd1a085038599c18394b43

SHA1
253c5151b8147c75b7c6bd616f4c8c59e07e5498

SHA256
03d69138ad276c0ee3d1c5bf1fad7b9cdf6726c03205a9dea6396a2724d94e78

SHA512
f60df05ec6f954afb861ee269d65cf3d38483dbff2d86d868ef71f9e04ec067190cbd4223033c47393d65ebbe7c2f89c5aaad41681c45d7e188404f8ce7831c7

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
464KB

MD5
b66093340b5d4d00a3ad6c13999bd59b

SHA1
2669fe089531f29e3167d9ba2317de3e8067b51f

SHA256
a11ba8cc7618ce1ff24a9ccb1113488f4e23f6287d07979c183f4452bffded1f

SHA512
142036b0afacdf89847e79c68581977dd60344e24daa270ab79636f91a69aaed294b3495d65a9699020e1414fdbb403018a79b301390f028809e4b6199554acf

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
464KB

MD5
f1c110551bebc6774b5413ce3c84802d

SHA1
f1cf0bdbec0baf566bbaef5a9ab74037e91834b7

SHA256
dde4c75b03cb5a77dfa7db7bbf0742118413f77709c1d90472ec41e370d2f6eb

SHA512
6bf4b03ca19014c41de5d2530e0b8f2ce6b7dc4967fb7fbd26ac24772f9942a7a48e8156c51645c81653c8eb7d978f8dab0b45ed902d9201fd75576beed7c6a3

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
464KB

MD5
a87088df254760a59ebaece9a9962f94

SHA1
2f4ed2ad0106d499a07b9f5ae1badd7902a453af

SHA256
dd6cebd364c354bc4bbc0ae443c203d43faae8cb122b4d4924276a8f51e3034c

SHA512
12a5e06dd6c44965b280cc03bd0def1d87988bd7bc104c07f4672147e364a34051120c6cfdaff223646507665d0ea119b405ddcaee48f94c20742e9ac5704fbc

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
464KB

MD5
608f9435efc7b4cb1812fff6dd77c4a8

SHA1
684721ea4eeed7c05f5825af7a4e6d2962015f30

SHA256
82ad10315b84d55d8c9de2d9e76509db5bffa09465191631ee4fe7c6f16cf6a3

SHA512
e966a7e5d89862cede266299e8082cf5772dabba4de1a5e7dcff1bc6c998d2c5f768382757c93725cd106fad7afe35198e8e0e34ee9b0e0229cb26c127bf8cc1

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
464KB

MD5
176ebcb865588ce48f43aeddfc68138b

SHA1
349a5fc0dedd187223efacecef26de5ce9bc6010

SHA256
c115ffa37a96fdb8bedd195bb1b3a4d4cc0f978b49d605eacbe754bc36c48513

SHA512
d2a0ddef29ba2259a7ff554b1939cbb1110b698bdfd3c2975ca9763d59bb13ff6cbf98698d6c0517f5b7582e9072883f16b5eecd8ba0f042a6b2a8dc9a5753db

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
464KB

MD5
f4d113aed85eb84bcbf24b6dd925c447

SHA1
d67365002e1e9569752a9dcc67a03bfd54cb2588

SHA256
f8192109609c9d6af2c7656da3e98aeb588d0eb340f1bcfbdbb9e7c2cdb92cc7

SHA512
557a820dd733d247f3d9ca25b20b433a5d19d3673fef619c4836ea5a29bd8bb38a4280b89676a6b8324f72aa0b8a13e14c68adfc214733168e9c8df6be6126e9

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
464KB

MD5
a6f5afb916ed5d2e377589a170fa4758

SHA1
66758955e33ae1687bcb586d0e21e4aaafbab1ef

SHA256
c3396bc9760875b9d98fb466a014bae7c7a4b87077cd825cf309fad6639f47a5

SHA512
4dbbc933ae563713f791e9c26b1c3f16f594bcd6dd1590cb458b7900ba6ea7425e5f9d3333b492ebaea652f294501f9f2ee5d0b1fae26b71f0cb82d23c8000d5

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
464KB

MD5
8b831842560d25e11439fd6cd36e1e1b

SHA1
2c29717d4d9e5d0e374a791eae30b75fbf27b1b0

SHA256
b90ea2bef6bfe34e929ca1c975868fc89b60c274e40dc24637c95e064b46967e

SHA512
76771bd26e35d6488e97814ab4d99cbef49bdd22943c8b2f18c76eb0250a527ee96816ada8a56536fdb4b0da4238860c01ff116e63d0ef439620ab2c36a073d0

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
464KB

MD5
71c9cd7eef330a707adecca42171b0eb

SHA1
241f8cd0413162a770797c74c65fca208792d0bc

SHA256
b9691c2b497d611029bb23570c991ee832ce4613a9ae4efd30a94b9591a93044

SHA512
ba9f44ccc5c1826a697078b14d6a13d81db83ad3fe14bef733ba09adce8ee369d925bc457b3dd4853c9f751e0ac1c080e87ada6f1324ef361274fcf3fda839b7

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
464KB

MD5
a4bb566dbba30908f66067e486c52950

SHA1
2596efa16f7818069431e6142c8e201f224343d4

SHA256
13a7d9223a4c7d397cc993ac02a43ba62096b7aaceffed7e1839ed7c3a2ec813

SHA512
e15218914b148d762d8a364e6471090c96afcaeecc6da23dc4d319738c3a4f9bbaaef001822f8c87a0bf7b5940e4e99979f027ea9155aa523a3a11e49aae2992

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
464KB

MD5
f43e370116d810c0e38f540e665b7449

SHA1
7fca3fd6790d709b527ce9926db37a79747041c1

SHA256
30dcd1fb6ecbe6f4eeec2b25e68c7d77fd58ae3615d66f770493275a22bee7c0

SHA512
47e651a6682335d9e0b22ee4d8f2190fbb12aa5fc42f2dc49b10bef75a1bfcc92f4fdb314e3a9ac4aba7b0450b044348eb8834633ace0dd4bd8544263cc61f55

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
464KB

MD5
3d83d3126079b3d45d3a9c18aa3912a8

SHA1
a33f46a4f4c95aba31e7681056c0edb8648de187

SHA256
7d77bc6b09ba3c6e7496f2f3bb02c946557421b48997a321298ad0ed3d84f7a3

SHA512
d665cb76ebc7e9400a5f17ca6f4aad35862dcb87271a9de787eee413456c1a04f4fbfefece64885512439d5e97a36d2db2aa6c0c3b482d9514d04ee7926f769d

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
464KB

MD5
661c0e3e110042e12f42dec87c5861d8

SHA1
b830812d696ff901448160e9fc6aea5d286bec6d

SHA256
79415586bbdc32c5d4f2a7795399258f39e3813981ca8e77406be55c6bbf987e

SHA512
a820d502a11b39bd0cda5c4514e419428d9ce6dd459c87756cdc4aed226c5a247ae26256d00c3b7a3e1cb4830c30d5724bf71d38416df8ffccbdcf03b44e54d7

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
464KB

MD5
262ddc0e4f3f682e74e4dae39d800d21

SHA1
f1abcd6d515b3b3338014bdd29fb4b202dc1686a

SHA256
db4a5c206e7f99810d89675557a89739545c53613a7a9903c8243c65aeb54f43

SHA512
3bc5ee4ef52b5ce325143e31b562958439d86e8374ce37d419f287e0f7b674ec80ee8a6eb4b932c1b06d2b26f167cc09d04074588125461831ed434e06a2e45f

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
464KB

MD5
70c0d28e0068ff9c68f27015db980891

SHA1
34ed06fbafab9ee0e5a07490ce5860eae315657a

SHA256
35453d3f006c58f0c5482b7162a5552ac89c240797dfd94a617ac2c714d71b9f

SHA512
20c77c6f0c7e1edc280b601a74304fdb6eb14d16bce3aa7957540af3060fc659ccd7c6abf8ddd326f7da16a81833eb74ee6c732b741ea27ddcd43bff93691e20

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
464KB

MD5
09f39e79cd6b5a17afd246759de83878

SHA1
cd0e4d774d8903e9f78bb397150d8d010ddac424

SHA256
4186fa43c2f3f284defe29b5b8c5130e9231daa14d12a7b5d7baa34b544cd5d9

SHA512
a4b2e0871d2c5a874b4f6e517b314f735f086e9a56051edbf27e2460b4da8453d0f66101e5b96b0f10dbf81044658d36329d2394f4ad703acde06bd8800a7bd7

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
464KB

MD5
d6067ec3ceeebe7c7ecd4b11e5d5e354

SHA1
86858668f3a9041c59a9433f8c4cad03918041a4

SHA256
1f9e1bfbdca21837c840634acae63b3cb69d1ef77dcadce807b44a382188d117

SHA512
acab02f2a386442612cfb34a4355c650bf2446f3ecec598e8bb7acd53f48eb960dac6b6b1378e4e21b830323f217af56dcd5805f92c2fd9a17c46f9973ea1fe9

Download Submit
memory/244-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6364-1386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6720-1399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads