berbew | 70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1e

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe
Size

96KB
MD5

e7c4c0bc2e46303ef21d33570fb5a4a0
SHA1

88cadf8759e525b71a3008a3b6f5c8ca54543121
SHA256

70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1e
SHA512

e4c25392de4422ca34d827966ee4174321cd0901d61c87e73da94f9a68c3e4ff1549528a92594effce652ac0dddfd8fb012d260a40c722f16cfe1fd80e9dc8c8
SSDEEP

1536:J1FroB+S7FMj1FfYjV7YlMZYWyoSgIMo9K2UZiManWX/2tT574S7V+5pUMv84WMm:bZO0a7YliYWyoSdMo9K2U8MBX/iJ4Spv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahokfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iefphb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apggckbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpfbcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heegad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dglkoeio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboffejp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klggli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocecgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbiockdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jikoopij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doagjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koonge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflmnh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
208	Aknbkjfh.exe
3584	Amlogfel.exe
1484	Akpoaj32.exe
4996	Amnlme32.exe
2008	Ahdpjn32.exe
1564	Aonhghjl.exe
988	Apodoq32.exe
1268	Akdilipp.exe
2888	Amcehdod.exe
4440	Bddcenpi.exe
3228	Bknlbhhe.exe
824	Bpkdjofm.exe
4840	Bgelgi32.exe
4560	Bajqda32.exe
4572	Cammjakm.exe
2332	Ckebcg32.exe
1376	Cdmfllhn.exe
3460	Cnfkdb32.exe
1848	Chkobkod.exe
3068	Cacckp32.exe
2808	Cklhcfle.exe
1212	Dddllkbf.exe
3664	Dnmaea32.exe
3868	Dgeenfog.exe
1160	Dakikoom.exe
2336	Dggbcf32.exe
2880	Dnajppda.exe
4344	Dhgonidg.exe
4008	Doagjc32.exe
1464	Dqbcbkab.exe
3588	Dglkoeio.exe
5028	Doccpcja.exe
4680	Ebaplnie.exe
4788	Egohdegl.exe
4280	Eoepebho.exe
4960	Ebdlangb.exe
4912	Edbiniff.exe
720	Ebfign32.exe
4744	Egcaod32.exe
1544	Enmjlojd.exe
2356	Ekajec32.exe
5064	Fbmohmoh.exe
3432	Fndpmndl.exe
880	Fgmdec32.exe
5060	Fbbicl32.exe
4904	Feqeog32.exe
2304	Fniihmpf.exe
3220	Finnef32.exe
1604	Fohfbpgi.exe
3820	Fbgbnkfm.exe
876	Gokbgpeg.exe
4884	Gbiockdj.exe
1964	Ggfglb32.exe
1480	Ganldgib.exe
468	Gkdpbpih.exe
3676	Gaqhjggp.exe
4520	Ggkqgaol.exe
372	Gndick32.exe
4528	Ggmmlamj.exe
2572	Gngeik32.exe
1716	Ghojbq32.exe
1032	Hpfbcn32.exe
3168	Hahokfag.exe
4104	Hlmchoan.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Khihgadg.dll	Qikbaaml.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Ggkqgaol.exe	Gaqhjggp.exe
File created	C:\Windows\SysWOW64\Ccbolagk.dll	Gngeik32.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Bdcmkgmm.exe
File opened for modification	C:\Windows\SysWOW64\Ebdlangb.exe	Eoepebho.exe
File created	C:\Windows\SysWOW64\Hbnaeh32.exe	Hifmmb32.exe
File opened for modification	C:\Windows\SysWOW64\Lhcali32.exe	Lcfidb32.exe
File opened for modification	C:\Windows\SysWOW64\Oihmedma.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Bajqda32.exe
File opened for modification	C:\Windows\SysWOW64\Fgmdec32.exe	Fndpmndl.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Doccpcja.exe	Dglkoeio.exe
File created	C:\Windows\SysWOW64\Ibgdlg32.exe	Ipihpkkd.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Hfibjl32.dll	Ghojbq32.exe
File opened for modification	C:\Windows\SysWOW64\Pfojdh32.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Ondhkbee.dll	Eoepebho.exe
File created	C:\Windows\SysWOW64\Ipgkjlmg.exe	Iimcma32.exe
File created	C:\Windows\SysWOW64\Nqmojd32.exe	Nfgklkoc.exe
File created	C:\Windows\SysWOW64\Qhjgbbnj.dll	Abfdpfaj.exe
File created	C:\Windows\SysWOW64\Abhqefpg.exe	Adepji32.exe
File created	C:\Windows\SysWOW64\Hnmanm32.dll	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Nciopppp.exe	Mlofcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojqcnhkl.exe	Ookoaokf.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcfbkpab.exe	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Ppikbm32.exe	Piocecgj.exe
File opened for modification	C:\Windows\SysWOW64\Qamago32.exe	Pjcikejg.exe
File created	C:\Windows\SysWOW64\Ifcmmg32.dll	Babcil32.exe
File created	C:\Windows\SysWOW64\Bpjmph32.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Gkdinefi.dll	Egohdegl.exe
File created	C:\Windows\SysWOW64\Kidben32.exe	Koonge32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbpb32.exe	Nmjfodne.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Oihmedma.exe
File created	C:\Windows\SysWOW64\Oflmnh32.exe	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Icifhjkc.dll	Adepji32.exe
File created	C:\Windows\SysWOW64\Ldfakpfj.dll	Ajaelc32.exe
File opened for modification	C:\Windows\SysWOW64\Bpkdjofm.exe	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Jfhmgagf.dll	Ebdlangb.exe
File created	C:\Windows\SysWOW64\Hlmchoan.exe	Hahokfag.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Eeclnmik.dll	Lohqnd32.exe
File created	C:\Windows\SysWOW64\Cgogbi32.dll	Loofnccf.exe
File opened for modification	C:\Windows\SysWOW64\Mfbaalbi.exe	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Njjmni32.exe	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcmkgmm.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Lhpapf32.dll	Fbmohmoh.exe
File created	C:\Windows\SysWOW64\Ekjali32.dll	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Kibeoo32.exe	Kolabf32.exe
File created	C:\Windows\SysWOW64\Efoomp32.dll	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Keoaokpd.dll	Hbnaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Oblhcj32.exe
File opened for modification	C:\Windows\SysWOW64\Adepji32.exe	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Lebijnak.exe	Lohqnd32.exe
File created	C:\Windows\SysWOW64\Lhcali32.exe	Lcfidb32.exe
File created	C:\Windows\SysWOW64\Mcaipa32.exe	Mpclce32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8092	7924	WerFault.exe	314

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmphaaln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfidb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hahokfag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbldphde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnnmhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggkqgaol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmojd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ganldgib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekajec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiphjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjhmhhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfbaalbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiplmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fndpmndl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abhqefpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcjqgnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iialhaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpccmhdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibeoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nijqcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qamago32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggmmlamj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpkknmgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afockelf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghojbq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfepdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpoaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpclce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebaplnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlmchoan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgkjlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgklkoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggfglb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohqnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebijnak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Finnef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jojdlfeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbibfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dakikoom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbmohmoh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcknij32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lebijnak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dggbcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gndick32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnajppda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Finnef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgogbi32.dll"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjkg32.dll"	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Finnef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll"	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll"	Njjmni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibgdlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njogfipp.dll"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oihmedma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adepji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doccpcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbmohmoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehdpem.dll"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcfidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doagjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edbiniff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll"	Ibcjqgnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbgbnkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpkknmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcmfnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leeigm32.dll"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amnlme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egohdegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjali32.dll"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnele32.dll"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feqeog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlmchoan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mliapk32.dll"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nndbpeal.dll"	Ggkqgaol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 208	3388	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe	89
PID 3388 wrote to memory of 208	3388	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe	89
PID 3388 wrote to memory of 208	3388	70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe	89
PID 208 wrote to memory of 3584	208	Aknbkjfh.exe	90
PID 208 wrote to memory of 3584	208	Aknbkjfh.exe	90
PID 208 wrote to memory of 3584	208	Aknbkjfh.exe	90
PID 3584 wrote to memory of 1484	3584	Amlogfel.exe	91
PID 3584 wrote to memory of 1484	3584	Amlogfel.exe	91
PID 3584 wrote to memory of 1484	3584	Amlogfel.exe	91
PID 1484 wrote to memory of 4996	1484	Akpoaj32.exe	92
PID 1484 wrote to memory of 4996	1484	Akpoaj32.exe	92
PID 1484 wrote to memory of 4996	1484	Akpoaj32.exe	92
PID 4996 wrote to memory of 2008	4996	Amnlme32.exe	93
PID 4996 wrote to memory of 2008	4996	Amnlme32.exe	93
PID 4996 wrote to memory of 2008	4996	Amnlme32.exe	93
PID 2008 wrote to memory of 1564	2008	Ahdpjn32.exe	94
PID 2008 wrote to memory of 1564	2008	Ahdpjn32.exe	94
PID 2008 wrote to memory of 1564	2008	Ahdpjn32.exe	94
PID 1564 wrote to memory of 988	1564	Aonhghjl.exe	95
PID 1564 wrote to memory of 988	1564	Aonhghjl.exe	95
PID 1564 wrote to memory of 988	1564	Aonhghjl.exe	95
PID 988 wrote to memory of 1268	988	Apodoq32.exe	96
PID 988 wrote to memory of 1268	988	Apodoq32.exe	96
PID 988 wrote to memory of 1268	988	Apodoq32.exe	96
PID 1268 wrote to memory of 2888	1268	Akdilipp.exe	97
PID 1268 wrote to memory of 2888	1268	Akdilipp.exe	97
PID 1268 wrote to memory of 2888	1268	Akdilipp.exe	97
PID 2888 wrote to memory of 4440	2888	Amcehdod.exe	98
PID 2888 wrote to memory of 4440	2888	Amcehdod.exe	98
PID 2888 wrote to memory of 4440	2888	Amcehdod.exe	98
PID 4440 wrote to memory of 3228	4440	Bddcenpi.exe	99
PID 4440 wrote to memory of 3228	4440	Bddcenpi.exe	99
PID 4440 wrote to memory of 3228	4440	Bddcenpi.exe	99
PID 3228 wrote to memory of 824	3228	Bknlbhhe.exe	100
PID 3228 wrote to memory of 824	3228	Bknlbhhe.exe	100
PID 3228 wrote to memory of 824	3228	Bknlbhhe.exe	100
PID 824 wrote to memory of 4840	824	Bpkdjofm.exe	101
PID 824 wrote to memory of 4840	824	Bpkdjofm.exe	101
PID 824 wrote to memory of 4840	824	Bpkdjofm.exe	101
PID 4840 wrote to memory of 4560	4840	Bgelgi32.exe	102
PID 4840 wrote to memory of 4560	4840	Bgelgi32.exe	102
PID 4840 wrote to memory of 4560	4840	Bgelgi32.exe	102
PID 4560 wrote to memory of 4572	4560	Bajqda32.exe	103
PID 4560 wrote to memory of 4572	4560	Bajqda32.exe	103
PID 4560 wrote to memory of 4572	4560	Bajqda32.exe	103
PID 4572 wrote to memory of 2332	4572	Cammjakm.exe	104
PID 4572 wrote to memory of 2332	4572	Cammjakm.exe	104
PID 4572 wrote to memory of 2332	4572	Cammjakm.exe	104
PID 2332 wrote to memory of 1376	2332	Ckebcg32.exe	105
PID 2332 wrote to memory of 1376	2332	Ckebcg32.exe	105
PID 2332 wrote to memory of 1376	2332	Ckebcg32.exe	105
PID 1376 wrote to memory of 3460	1376	Cdmfllhn.exe	106
PID 1376 wrote to memory of 3460	1376	Cdmfllhn.exe	106
PID 1376 wrote to memory of 3460	1376	Cdmfllhn.exe	106
PID 3460 wrote to memory of 1848	3460	Cnfkdb32.exe	107
PID 3460 wrote to memory of 1848	3460	Cnfkdb32.exe	107
PID 3460 wrote to memory of 1848	3460	Cnfkdb32.exe	107
PID 1848 wrote to memory of 3068	1848	Chkobkod.exe	108
PID 1848 wrote to memory of 3068	1848	Chkobkod.exe	108
PID 1848 wrote to memory of 3068	1848	Chkobkod.exe	108
PID 3068 wrote to memory of 2808	3068	Cacckp32.exe	109
PID 3068 wrote to memory of 2808	3068	Cacckp32.exe	109
PID 3068 wrote to memory of 2808	3068	Cacckp32.exe	109
PID 2808 wrote to memory of 1212	2808	Cklhcfle.exe	110

C:\Users\Admin\AppData\Local\Temp\70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe
"C:\Users\Admin\AppData\Local\Temp\70fd16a49527b5f476f95bb177b41ae4ceb3e3625f9167199efb46c8910d0c1eN.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\SysWOW64\Aknbkjfh.exe
  C:\Windows\system32\Aknbkjfh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\Amlogfel.exe
    C:\Windows\system32\Amlogfel.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\SysWOW64\Akpoaj32.exe
      C:\Windows\system32\Akpoaj32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
      - C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        23⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        25⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        29⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        31⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Eoepebho.exe
        
        C:\Windows\system32\Eoepebho.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        39⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        40⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        41⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        45⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        46⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        48⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        50⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        52⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4780
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        68⤵
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        69⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        73⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        74⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        75⤵
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        79⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        80⤵
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        81⤵
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        85⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        86⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        87⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        90⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        92⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        98⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        99⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        100⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        101⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        103⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        106⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        109⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        111⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        113⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        114⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        116⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        118⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        120⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        121⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        123⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        124⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        125⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        128⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        134⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        135⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        137⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        138⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        139⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        141⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        142⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        143⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        144⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        145⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6168
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        149⤵
        Drops file in System32 directory
        
        PID:6256
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        152⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        153⤵
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        154⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        156⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        160⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        163⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        166⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        168⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7136
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6164
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        171⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        172⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:6384
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        174⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        176⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        178⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        179⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        180⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        183⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:7124
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:6376
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        188⤵
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        189⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        192⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        193⤵
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        194⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        195⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        197⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        198⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1720
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        200⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        202⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        203⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6816
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6604
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        207⤵
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        208⤵
        Drops file in System32 directory
        
        PID:7188
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        209⤵
        Modifies registry class
        
        PID:7228
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:7272
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:7316
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:7360
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        213⤵
        Drops file in System32 directory
        
        PID:7404
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        214⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7448
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        215⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:7532
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7592
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:7636
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        219⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7692
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        220⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7740
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        221⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:7868
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        223⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 420
        224⤵
        Program crash
        
        PID:8092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4260,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7924 -ip 7924
1⤵
PID:8052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abfdpfaj.exe

Filesize
96KB

MD5
fac6f77c1a1503f73624fb4cc3730226

SHA1
923d00606c42fd9622f6c5dad64883e8cc446853

SHA256
eb9b2869e5850a4193ee623f6090a3dc7e894294dba40af0cd3784d2c0a83c3b

SHA512
70da5714f51688bfc78e0fcf73c6033f609c33888caa6238219d40b7d818507a5f8a9ec7e07e97293cf03b3274eed26283d33caa0a2d181f515989c2afb06eee

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
96KB

MD5
15c556a23ebefbd4b1e7e9362be99761

SHA1
911fa243a46785b72b87d9b030ac505ce692a42e

SHA256
c2c016647eceb3fd1d2d6405b1cbe08ce898ddfb3b32d371eb9aad84ddcea3d2

SHA512
66197fa66b7815c71621d1e5d87b72c146c1c9290bd3a13239e3d239ddbcd9c28b4052a5def8d170230f33b38077cea64dbcb7801e99e037b98447d7dd37e468

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
96KB

MD5
bbd6e9bf151bb1cc4200071002b8482e

SHA1
c5e0c5ec45507fbbdf4687ba929b873fe215c95f

SHA256
df2594bc40af0d55708da9193997ce366c7f019c45f3c8f9aad676d118cd3456

SHA512
d00b2f364d67e1a2a3522af71ca7856950c02a4a3884b970ce6a062796b1b6394c428b655d032b2da76b3a00961cef5d072438f7b3d5b2ed05a97fe79394a3d1

Download Submit
C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
96KB

MD5
f6c973d44bf873bd094db7193bf2d7eb

SHA1
5a3844c8b919ec61c53c1a1de6e188de776e91a3

SHA256
c7b1100ca6a062b25a437c0d9ecc9f4d93637c75c37c20f8babb6ac18ea757c8

SHA512
793b97384fff6b2bbc25512b3774178e7b830613d885c65d9083c88edc1fdd56f9d2431ee911ea45485df433eb92b1c2dcad2b1dbbae5d9f0d45cf7843322e99

Download Submit
C:\Windows\SysWOW64\Akpoaj32.exe

Filesize
96KB

MD5
0b04306e5ea91a4711d20cdbed6a3d5c

SHA1
30e4b796b1fc04e0d2d34570ed6b2b15479bfd42

SHA256
cb2e358aaba801718f2f15eca56b9b0ce0e700947f2b8d7cdbeb007fd44e4bbf

SHA512
0a10127ff8b11492f87b6c87a054a0a6f8c48088eb79542402307d843312c2bbaef0eaa4809214b1c2ba4082b2bf4309ebc17dd100ec9089f4e5b901b68e26e1

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
96KB

MD5
a3492fe5d427fa39f27be10a95a24c5c

SHA1
e7a9e6d1b223c5a10ae291befcd9a187d566485d

SHA256
a7d61ea9a4dd42fc9d5c689ba9216096a2b2d3c5cb373b1f19f7d33a0bb13b09

SHA512
956b6b7dad0d27d3908c06335c74f09f70f4af113955f60fd1d02ba3ca164ec2558660c3be76afd34d757e6cc7de1aff0646f7dd6c25cb5a3fc28c8f73045351

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
96KB

MD5
ab98f4d3f8a16455af055c871e5509e6

SHA1
b7899cd31117c7c57771a609a8de60c593a07877

SHA256
4c38969256b7d61781e0e02673436f1f2f0c6e39afa540e57d61b4097244fda3

SHA512
b1d2ad9fa19cffbc1af7b9eb3452bb62d2d17183c1dcbd2738c50dbb746fb77ff60fbef0f180bfc1732b5e7c72def79a6520b95c18a08373dc46e286c7e7215c

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
96KB

MD5
dd7b28365c70f8d3b95a721e9033e38c

SHA1
b9954df58b1418c340eaf9815aff02aa4988889e

SHA256
1fe9c51e57ea2d9c7674c967cd1b69b5d55488a79a76b4bde3437ebb0a9cbe9b

SHA512
3c9ce4da096db22968c7e74d9a26a23c47ce45882773b6f9c45782a791bb873637327d538c758efb7d92a810f90dd3a8e423c15211e787c4011144710ceec571

Download Submit
C:\Windows\SysWOW64\Aonhghjl.exe

Filesize
96KB

MD5
7aaf558cffc8af3c62204b5cda62463f

SHA1
f547017c7de8dfce54560ad6e8556006f2a63ea4

SHA256
a59076405ea4624509fe046260d3075bb6a9baaac7cf20e197058ca6b0fa1973

SHA512
d43adbab2396307b350efb564d9748cc1b85bf100b68b64398f67a34984509221879e325c6459b733114a8b5afd2598eacb21a4c1e6ef37c78b809087bd8d687

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
96KB

MD5
a5ff7360c02578dfa81e24051e32a2f6

SHA1
357d665acec9fa12fd2793e3c386994ec26ffd4a

SHA256
a2bb5305fa46ddab5d520b2fdc1586ee43db737a21728d594cda68703b8b5eb7

SHA512
2fdc954c35a8ffc9f1480d9a3007981d8d306324faaa9dbd0e82ce783b042a0e4c53ba14f1c8e955d2aa6703553acdb14c413156a0d6427f2fea3bfa84e8aafe

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
96KB

MD5
1515e2ca023fbe7525735a3ff0bd40bc

SHA1
169b78db262a049c67d279bf0fae24867365d1a1

SHA256
8d0b8af42ba65a920472044af4cc24c3d9471ce8873351b6ccfe044bc8929936

SHA512
226aa8d0b76a5a0a3f7485b123bed5303962fe86aa5dd7cd3a9361518509446121764e24008b2c28faf01680b4ce571eb66a04a76e76e28cf5bf0fed737e7699

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
96KB

MD5
7021f40d381ed823b2ed8da2af2540c5

SHA1
9cbd3e49285f8f306395f8bb45aa12a19d13e3db

SHA256
338346bccc1e6f2dbb6dbdb4747c3b815f9e7d85d52e53583aff5dd0bc70f1b3

SHA512
9e7f6790919da9fbec69e5938cbbf7e062431ffb1508bfd1f3e622aee39b6cf5f6aaf4eb0867d28ec28b4c0a3fd9363df24f108b91dcc13519656a0d6cda23bc

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
96KB

MD5
7d916b7784f44eda20593d92dd4b23bd

SHA1
4462ee4849d59fc9a7a767dc9609277dec4c50e7

SHA256
c0237d0a00a7f70402add5bb49d7ceb5b736d65225674a47b8f409f2a4b7401a

SHA512
c681ec82724c04c7e3187555f8885190011d7915132fff94bec2eb373442f320df81222ef1882047b23f1dc65a74f409fe1f328d256e06518c616a0066973357

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
96KB

MD5
f49b1369cff377dc3c460068efe89c80

SHA1
21417725c0d9160c2cf5c54145ea73ec0583a023

SHA256
008fcb4e3f455c028e23940883bd6ea7133298aaa2e477549ada182a5c084328

SHA512
20a5dd251e6fee0783fd4062901c08260c1515a0c20845e5f77eb53880f1a0e8368c0cb439c234fc042062db733f5b49bbe9d6a05ae18d63a42bb9c03d3589d8

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
96KB

MD5
bc401007edbed1cc0e92a9eb3bb37bbc

SHA1
82fc3748583c6383e524e1df75aa25dd2e70d62d

SHA256
9750016b0849037ea156b5b2101256c68bd69bdede347322d6c9054cb5b0cefd

SHA512
1dc824aa67b3d73578f674f012686342d89cd4900894de8b3c34dbf4ba7413e490889cacfde951addfcdfddc199aa27a48a1bdb6905408cd4b37cc07c1507200

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
96KB

MD5
89c61b5fab91dcb8729bf0e671c3921d

SHA1
243e55b610d33d4e4acb536ede5ace78e51d4ea9

SHA256
ca4c54137096aa5a3f4dfd9da86d27cb75d2bd28d17c0c1a07be5c4f2bddd466

SHA512
a7bb79294ea3c26bc64414265e9dbc0adf7b429dd00f13f4a80b208799a8146e048864bde003223fc12fb9a1c9e8c7261446b315bed96374aae677de1abe2934

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
96KB

MD5
e5c40db227293afa287f321629afc668

SHA1
76421bec808b0826259450dd9905045baf8bcc60

SHA256
e58ed4e58efe8bdce246a7246ad99355cfae975a4ea6856fe9b085b5c1501b8d

SHA512
4150a090cf6361c167f83d66528b631fd5e2b85f4edcc6f6461363d84447c9d245c1e3864fcec95611b95247510c7cc97d08fca5ccb10a7cce1deaa8129e57e5

Download Submit
C:\Windows\SysWOW64\Bpkdjofm.exe

Filesize
96KB

MD5
a30d7fe241de5df5ea5e9880162cfd5d

SHA1
53ce0fdf3acc6a8417ae11fe5de35e6614f7fcee

SHA256
2d2ff97a4a8da75a5095dd548c24361a809ce33278efc81fec56aa5fd0e62d4d

SHA512
e8cd47967809e93d1719043e10560c295efc09e87202b8bb61690c07af9e88ee94cf4d0df517beb1dd4c9977653b9d68212044a5af9360cb962974a11375e8f6

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
96KB

MD5
695ea43810c2a682462bcc1f75a85325

SHA1
305c93c1cc36837898587d72fd8db7292a9060e8

SHA256
7faed4ddcc380c5f1766a05bf7d3e7858039d3e1cc3b5370bbc4d9bafdeba6f5

SHA512
1eba3d66bbacfe4a0ca07fe9207b517954f8015b4a63657f8b00b8f8ed207aa934b5a73c8463c275e37dfce66a191762637404e0c324e92aa29d8501b17a6cc4

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
96KB

MD5
1973037f7ab44f1c687860d007633dd0

SHA1
fd87bf59fab42ad241c358feaa798934cb92b730

SHA256
900df2f524dfa72c117ef008d8388eecb1a1bcb5c595f461bafc0706d46593fd

SHA512
db029a3413ead0f0e62d3e10b18fd2a0c16133a6e6c6c1a241e63ce2450224a8d143540661bea88daff6d6b3e3ef0a7197ad1262500e48b151528cc333d1a4d5

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
96KB

MD5
4afe9cdf9bea9b54d9110935bdb8b127

SHA1
a061d27c9462674627ec9cd4901c50a10e3143e8

SHA256
fbf1dcf8330a3e0f39bbce129a24861b3b1a931ae5bafce03857e7ee1f2f3c7b

SHA512
2151d2d3d95a024f3a624f1a7e681d526ee38020941f597826145b6e81688c5c168a54e6500aa9e7a317a77c54d14bcad34357831deae5f03fc5d97943f5b56b

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
96KB

MD5
6c52f90920dd53107eb94aa4f4524909

SHA1
341fefbd536aafd464fec98f601e8bb0a95b068f

SHA256
0fc0b2a8ad5996af6ed17a9274b35238b7b8c9b13ac5739f564987d40e206e1c

SHA512
94d5613c53f96294aa7132285b2f628afa8892b1b97ec79cd4f224a96d17b85f8ad8b6fd8976f7d0ea024a4df2dc70133efb2731a7fdacc8954ea1b4c65168f1

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
96KB

MD5
34b0f81d82a7ba1330c5390b34de6bbf

SHA1
0be1fb3b81b8899c9be556a92971a664367fe690

SHA256
970d365701dc72b7b00b3c0e02ef35936a932fa2dee6c7ca52de2571748ab24e

SHA512
3eade4b810cdd06fffaadd5024b8af924e65a169ceba0c38cf06c4d97bd371a7c994e19efaba350b8d2ad4c8a7d9dd87f69236af273dd8ea33ea8a59b6aa0c43

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
96KB

MD5
8fe472d212776edc1024f9ff85070d63

SHA1
e2a4df29ea0539069e83332bfd3e88aa686789b2

SHA256
d78d1591b34aa0f9175e2eeb4d88d47b530b01b69ba69636d5da501f06d3956d

SHA512
41b68afe4450841592872ed749ab1705b5788cd6ee3ed6934a4ddf7f62e673aa8ed175915945b0c9d814d8848d985ef458693f41b95d0a0be7bef19817e66154

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
96KB

MD5
0f42707719fdd5645903842292460203

SHA1
c30dfe1a00a0ca41538a744e5d22289bd0c22b59

SHA256
f97c3b291f5efc8b33e93356c1e47a702a72a761cdf1645fe0f985d05e37a43d

SHA512
46433049b49e4f1f6a5897848326c3bb81f5a45ec356bf94d2b09fec62149c3cef11549cbc4ba0c716be9651f5524a2da42ca42239045e9a91799fef45c19fb6

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
96KB

MD5
0cc9dab2961c0bd0fb142ff05a518497

SHA1
096060cf812303b135b2a6f0bd2c3a01bd7b3a1c

SHA256
36412726bbf79d7c31541b8a4edd5553605b8ee09fc818773258d04dd87782b5

SHA512
0f1227c92cbc884f40b2691b10ba3a312c4336f3ce982b1762fb04865c2bf0a59c5a883c03c31a393c2f129591db7254ebeecfa09391c0a90ec652e63be8062c

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
96KB

MD5
06fbd45e907f2a95eaaf4dc05933daf1

SHA1
93efc984415ea6af9d475c574e9b50da031804df

SHA256
5383259b19a907cfbdecab07a2afddf8f5cf8800a7c1bd562fd71060bd91234d

SHA512
2cd6a849d6e521b4d8a9b681debc8a93a7d4dd5f64b0a5465aca620e34528ce064dbb34cbb8a79adc4c4732eb07981b69a0c375962068cb876ffb6550a29ba44

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
96KB

MD5
172f9bad3ce56151c3eae7003c817a56

SHA1
4fba8b979d89901093ae5955916bb0234c5c0337

SHA256
ff1f0c48e00c3ef237b2e9b982ed111c0b6cf4c07074df5440c022052e7149e5

SHA512
630748160ac1405bd1548cbe48f46c61f80c4fd53bb345a0ad7d4e454598ae81411103508cff5d2b07a3347926414a0459a177fd1d413895dc57158b90298c44

Download Submit
C:\Windows\SysWOW64\Dakikoom.exe

Filesize
96KB

MD5
6ef4a08c00533d95f1899d364aea3e81

SHA1
cd4047f7522558e34244c44564f5ea134f408fd8

SHA256
66d563541d1ccc80d5e0643ec04a5c0a262df9aa9c287cfe890b073ba6e82f0a

SHA512
41987583068d451ea03d7cba25537d2bb0e66760622f85675e78ee15e895f24ed9a5cbe47d71c056590e2f27ef8a8a38651e5aa9b453a54daebd9837c6ac0d0b

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
96KB

MD5
c786e636231dd1ebf8e178cbc8c5abf5

SHA1
64ac6943a3b2f5f5d4e0bb2fefe276f77e59baf6

SHA256
52ead3d8a00b20ef41a5822a5b14311f98941b33a46348526e96944de8332b8d

SHA512
4b7a7e43810479153b7aa338f438300682cd4f3c947c14d3b1430c0e2304abcadf59bc04fb018f1801d052446af4c17469294fc8d0490fbfb49495d2ce7f0309

Download Submit
C:\Windows\SysWOW64\Dgeenfog.exe

Filesize
96KB

MD5
9ca61f8d3d9fc20c615f33c70626183c

SHA1
b5d3f8d2938b7b79db2ea2f47e76217f7122ed3e

SHA256
2736770c3a06649c04ba09b9248d13096b3f45abc58f0f22b37d571e27e73547

SHA512
3f76dcc7816c7c5fd6acf81be3b23dd556c0ec362f8a145877ebbc2f323742e9b6bd4a9fb376618e5234e3ce0242504fb53ae1227869e4dd2d79b744bdf40e77

Download Submit
C:\Windows\SysWOW64\Dggbcf32.exe

Filesize
96KB

MD5
d3c3645df6767fc296e7bdb6bb74bcaf

SHA1
dc13e6f27ffe9ea28f5a3063adcc10d24c934af7

SHA256
bbdbc170d99b82b95dfa0606b384e1f876d43aa903ae7cc7ce504aca44429079

SHA512
028c6f7efd411205548b25815d88d3357720e07ecdcdc236b7bc22091686f27ac284f9395d29347188299700ec4023f07ccbde0f4104a8aa06ea3fedbbbeee4f

Download Submit
C:\Windows\SysWOW64\Dglkoeio.exe

Filesize
96KB

MD5
953fb75e919f92f9f5f023ecbf288234

SHA1
87e4cea68e705b00005e7c482dfed9158a8621e5

SHA256
134d04a81007235e2617ea5d3cec1bae6082e718779f72db80bb34031df23fec

SHA512
1b28769d998a0cb59c6551da29ff42ef652004eb3317a48a1f0736651230649e8fd12e4fc1cb4f8559abe3ae8122f7d5dd3d06a1ee2c41619975731c6fc76a1d

Download Submit
C:\Windows\SysWOW64\Dhgonidg.exe

Filesize
96KB

MD5
1f11c7fbd3c55cf5e8e7c63cc3cdac0a

SHA1
23ce2c343ac12411c004e3f1ca7e185e10f12fcc

SHA256
f406a669d752c8474527c5b19ff84e165e9fd355402cd0d7538adde983295c34

SHA512
7349dae57fbede90a3418e012b64b989bf43ff4eab4307af890fadf255f9a3532584a7fb768f2cb5e7580c9a199d8813f465be181c393aaef6fb32318192bf7f

Download Submit
C:\Windows\SysWOW64\Dnajppda.exe

Filesize
96KB

MD5
117c2f979c1cbf136fe2765f38d1deda

SHA1
0d174ca7b3f69b51db907e2fb313fba3bf75b402

SHA256
42a35532ad4a0db89b6e3a2b3bb668fc0a33bac6f078cafd96bc071bb52c3cd6

SHA512
b124c8315eab0e721a0906ac17039d01da8d9bd6844b072d95a3722ff2a909aeadbad57fd4f887c27150906242ac553d36216181bab17c8582a828d824a6c332

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
96KB

MD5
6e634f7de537d5aa5731c860d38953a0

SHA1
0cbb1364bb47dae38a5b5a67e3d405f93783e24b

SHA256
ab92e8c58c246eaef9ff39d7bbd8068a579566f9076e90e31df3187d44ae64d6

SHA512
73c8f45b768aed8223bde038ba09ae57f567036cd7e18c37ca275ce00015cc844a5529529813cca7f8648ae9fa7982bbdea6e6e6c4a6fb1058be91202cc5505d

Download Submit
C:\Windows\SysWOW64\Doagjc32.exe

Filesize
96KB

MD5
e69deb61327263ffff18f8005bf863d4

SHA1
790eadd6726eff85b6198421b816e353de784bd6

SHA256
2141aae19ed7e603c507eb2576eb4263ac37ae59013fe8bd73bf19bab60787d7

SHA512
93e5ec2a492091dbece8c6babc38c9a01f057a568d1f1c5e1169c53aef479b29e1a02649952604cbd6cb90b1fdc9c2394eb687fc568725c591b54e1ac4a6c88a

Download Submit
C:\Windows\SysWOW64\Doccpcja.exe

Filesize
96KB

MD5
9e426f84a93f22435995e1b22ab5d7fa

SHA1
c08785df28166d1c169d9d7d8b2cd319036cdc24

SHA256
8f1ceb3728d0581b4aa5fc4e352b2df4ea6058b15dac6c533d7886bf1deab8db

SHA512
3c307e6231d0374541ee20fa1cbadff1c8ee09b7fa2efc89a96fdad549e56defee91c7de46ef7c00d81ba14f347bc8af325d88daed8aef31265010c32730e573

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
96KB

MD5
1ad485bf6fa86cf9229f02a9af5704bd

SHA1
76fc574e5c18c6f690e8f788330540e849d6034b

SHA256
9373a436d1dce25303f4472bb6ff40179438209b9b0fb535bee51f579cfe374f

SHA512
9bfb5e2084b89bd4a3d5b67d2b9a16649f9ccb7e0c75857a546cbf8318087e7d9ec3171c05e5af8b493b102676d10f11d14dbebdee9204fa3ee5cf845dc4a250

Download Submit
C:\Windows\SysWOW64\Ekajec32.exe

Filesize
96KB

MD5
43649b1707c33f14bff29db940899b07

SHA1
4e3ed576637781c49f6cb744807519d91542c550

SHA256
2ea4b40013ac93ea3c5ae99d4a6e3180e881e291fe8afb4fb4ac27b76b844aeb

SHA512
4538487485b194cae194418783bbc0777b17b9f8b1dbe7cb536320b26e8584c8655b17b9249c148fa3516a3c72c5adff2858e88660619a22b080f638d0971d0f

Download Submit
C:\Windows\SysWOW64\Fgmdec32.exe

Filesize
96KB

MD5
c3bbb02ed7ad9f832b6248deb88bd480

SHA1
af0d590a21b3382de766126bdca2033454fc0178

SHA256
ed981307f5c153895123c82fe105d8a3df8b4cd12f457e383e6dc25050ac8a30

SHA512
aa2322d0bbb2c6434e7ec3bcdfebf79900a228e6d9eb68fa894f614343eb87d1c484ccb935f33dcdc2c4bd91ad81413aed3810adf8b6ef606d94b1872c3a593c

Download Submit
C:\Windows\SysWOW64\Fohfbpgi.exe

Filesize
96KB

MD5
7425b0c0cc585bffa7b1b5314c93f108

SHA1
e07ec90c55b2efedbc8ab0c3deee3c902eabb03a

SHA256
8f7768397f026919acb481a305ba4d8b54cdafb12f8885786bf986b3f146f0be

SHA512
fbb57fd8c052101e83900ee4420eae98ce2a14731928ee2401bd5bdb8a5d9fe6c0180c060d3d7ac20ffebbfe8302ca02ff62e680d37337ef9beda302c2f1699f

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
96KB

MD5
5e3dba6fb95a63c61d02923711b2a890

SHA1
9930855410ebedb3194e9a3d1a5ad89d042bfecd

SHA256
8bc951e49c42811d3c6fa1fdbd38bd907aa1fa1510688ab91a913c3f6881d643

SHA512
448bb33179c669d65fedfdf541de011ab302047bfaaba46590d2f9af28b7fb06a8846c1b42f6cabd64e2858dc1d0f1024b8a2f6a620ea0f96203fecf1a27342b

Download Submit
C:\Windows\SysWOW64\Gndick32.exe

Filesize
96KB

MD5
dbafef7063086c0918a9252913ad8725

SHA1
f2c1000ae6782b495d1ed456dd62e7644ac7ea21

SHA256
2bd44ccd844bc6ccf000380419b3812ed65e74b397d16369cc1da2a494de2421

SHA512
9282cf005b706301dbb95b49c9be03456d1e0b3ed1e5686a229a0d8ab9569cfa92ec0b6bfbf187c4159a0ea1611d2742f7d0c091af826168dbc35e4a6d31118c

Download Submit
C:\Windows\SysWOW64\Heegad32.exe

Filesize
96KB

MD5
9ce7cdccd171c16321245713d6aa7643

SHA1
29ca49a10d546a579186eb407dde30d917120790

SHA256
89db2088033f78a4778025b76432156b35ba881031951f08011cedfd1871a0d4

SHA512
11a13333b6395a1d255b8b7a6910f65f62efa0446fa1da4a776c56ac39ebe09b3dc968150c40d9fea3b18d773841de8cbc3fccca27a59af0e1a4057a8177aa9b

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
96KB

MD5
bf68670dffddc8f2bb33a7dd4bb9b91e

SHA1
55aee544beb7eb3a5951df462da2ef98dbbe5d9d

SHA256
0ff763c031bdb7004c98db3cf659cff38fa02025d6c75dbb3d7e119e7edda780

SHA512
ea971415664a208099ce9c2b492f8ee1cee3b33c05d1914885e0ae6405727249c4d89b2d6ed92be528b18be365e398f7b094f7cf475fa19113c444fce233fd3a

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
96KB

MD5
1b5e35f338489800e8816afa9dd8e246

SHA1
3a3b1d9f40852d5e174c0cdd397b5b047e8d94cf

SHA256
68667adf605b1cb2bcb7fcf522b732e5705ac5fb0e5e052578f73808b47c448f

SHA512
d128208db780a37d1a08bbd7f7c6463cdbe279faf738ec37150c41b792ebf64d75b3f3190cd11b9cb506d20d339d6fa9999d10db0487ee612bd3fee45174cc45

Download Submit
C:\Windows\SysWOW64\Ihmfco32.exe

Filesize
96KB

MD5
08abad2270ddae8cdf92c6a6425c8eb3

SHA1
a27d9040fe8536504de7a64eaa154eb6efd60d9e

SHA256
ebb9e9dc1d8ce941e6228d86a28eacb4657a977e2ef051bdb4ee07ca1991e6dd

SHA512
62549519ca56f21106d9228423f7f485c363f8d7f1d411d7c980ebabe8626fc368f51631b77b5436f2786d3df5e6972881f84950990bbd3bb0563f2057615d92

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
96KB

MD5
7715bba00404317d2e977b788fb3b21d

SHA1
092df7c80d29189dff293774e82825db8209a796

SHA256
efb6c65ab56a9229810091ca44074545c9bed7a7bbe60587f63ef70973e4d0a6

SHA512
b09edb22d10a6106e9661c11d94d78dfc693e0e40b2952bb0c6f4d5e73c3f2d6251835e1c9a9ea90158f73a503b2381fb84c71a18798b36cd6462525cf7c1eca

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
96KB

MD5
5d5383ac329fcd012e189a8818f0ede7

SHA1
005a602b06d8f2b35ce853807851bfd8303451c6

SHA256
a514a96830425cc0a14534a1965222bc4bf2553612beb584d2cabb72d7cf0bef

SHA512
2b707765a54862f550c4fabf51dbfb82432714ab12d23a526d266ce9f30ae2b057cc2ec8c5a4307ac10e469c6e46175c489464bede7f346b854bfd1a4cc09d14

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
96KB

MD5
57e3d297279fabb97e08094a3cd63dab

SHA1
f175da364785fc055e45083f41ad591baeba97ec

SHA256
4c8866005edc5e161b60684d03e8e7b23ae7794efabdeaa439349c3f3eafb7c5

SHA512
9a23814d38aa489955200770fff5c504fb89a12c0e5806e0dc8698f904a3f8d0e23ec06bcd453ce5d7fc7b0b4de997e7b17d0189d09805ce725eb0573b0f407f

Download Submit
C:\Windows\SysWOW64\Jhplpl32.exe

Filesize
96KB

MD5
0e625f419611afcbd141c18619c9c5fc

SHA1
a3ae980a8c2577abd5c98f4596bfb08cb2a97b2c

SHA256
6dfd05da4cfb0deb09b70b3a7deb695ff99446fe363306ff533ebda1ed403302

SHA512
5e3afbca633116f57fa5ff088db62154099df1edb0a20c8299db4471c9551846c542c473854306b59c18e779535ad17487153725e60d6e87fc27941f9561ad5f

Download Submit
C:\Windows\SysWOW64\Kibeoo32.exe

Filesize
96KB

MD5
8e95d96424985f860794765ee7225abf

SHA1
5e90e2dedf5c774fc79f117c7e090f31085f9df8

SHA256
6a0cfd40dccacb54b8f859049b51a4e2b46e7f92558bdb5ead5b5f052f21ed70

SHA512
9e6da8356e434a61ec5dbd0b51ee8751e71906d5b71c84b6253fdef7ecb81313897ef450ae96c5f60749287dbb64dc302cdb35dc9b1773b4dcdb39bfdd83aa39

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
96KB

MD5
192da2b2d1467587943fc28c1acd886f

SHA1
2b5d05c63c9035270a0c7b7f74da5416e823ae1f

SHA256
57954b739c8e88abed96052e6c23a673cd3a5194938b19dc003f67cd7b541ddd

SHA512
70ef6914db44ef14c06d59d1fef413ab23d708a8e908b5c5bdd5576d0ad30c412d081a752a6b6d5578c0c4e7027ef376cc530ce3615b1a523e2f88ddfe599d9d

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
96KB

MD5
418b359c128b9d0fade81e7722136ffa

SHA1
fe53fc23b8a6ae6799745c82910fe1fc9fa968a3

SHA256
7cea875057c466c250b5c65d3f04a77266d31b68a3259c6729d9ecd2f4711b7b

SHA512
c265765108aa4da1db442f13c780200c79289b20c3d9761d79974d6e8e6a5e333e04281f83f52913c80425e4817ee2da376291cfd302c968f02abf03215323a6

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
96KB

MD5
024540f1f5f59f3b2eca6eaa12241ac2

SHA1
305cc16c3a5e2c26bb3fec3bcbf31d6bbe14daa8

SHA256
5ea788b07aa86c2c017c162960a47f7527eba4a8ceffbd51d85216464fa9d685

SHA512
dc33e5b85805c592aeec8fcad4f14d00296cdc3a01c6dda5b7807fe58bbd9dd8d9cad3634ddfcba67530dcf10bdedf4c437a1f224b410b083f741656ebae2429

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
96KB

MD5
c65f4df702ffaa397195d72c6ef2ab57

SHA1
4d43d0a4a6f6d0a5b66524b10026d0bc0bccb568

SHA256
b628c5e3fe54fc1e29956d5fd2a5712452656a5c778c87057c7c4ba2a59f7dbc

SHA512
d1f00c70f9a74176247f821d5ee73596744d40764ad2b2db412bef8149712e7de4c7ea8da3f6b50b8b0e92ee0d41f58efe09a8125fcde5dc311901327814fc24

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
64KB

MD5
d351c8e711273f37996b30344216aed5

SHA1
d332d1490a2be64401ba25a10156eedd2a37c779

SHA256
c88f6027f324d32db19c7c91df9b6455adfb4ae6cf62d8f70574cd450d8d0419

SHA512
d526270c1f0bf3c00c4a9d5da503727769a4d6469b7ca11544f1a09229f046eaa30e5197ac2cd5de1d2da4405c916e3e412aebf3beb5be17baeba33815b04f93

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
96KB

MD5
4c5493bb0e5192be3fba1dc35e088cb6

SHA1
1636898efe48187cf325854603fcc740a1ef1f3c

SHA256
f5ed04d4be53612b710669dc1fd586c686b4721c9dee274ffea1bde85946f80e

SHA512
0f471365f33146e449f16dddccfa60f0630c0d7b4b1fb2c2ed3b668581cc0703449c97d9563e31ee623b24fa6bfc5682d358125f785f5c64aecf4793ff572d25

Download Submit
C:\Windows\SysWOW64\Nhhdnf32.exe

Filesize
96KB

MD5
5cba0133792cc973b528705786771a02

SHA1
b128d0d614619ac0e48392e44900cf72f810d644

SHA256
2d0acb8ddc5cb4f2373dd73ac26d00a58ce509ec030da8f5cda6cfefebe79d2b

SHA512
aa7eee2deb98a1385cdb5f04876a3c50a5c5fc627e4d7e3a957d42b7e9c7b2ecdffde7685664d70e109ead7127eb0968b574a546daedf3d0a3295d727cd68319

Download Submit
C:\Windows\SysWOW64\Nijqcf32.exe

Filesize
96KB

MD5
4ba01a606a99b29b853eef278deb9aba

SHA1
539d1658f7b5c4b5a5cb4fbd110bbfefe8c4ece5

SHA256
6c1f10467c1143e646392b73b5251867152de4c3c5bffc361f70a038b7496392

SHA512
1c31cfb8a208315d693c6231d278d3c5f967a7408bd8bb96f4f972c37fc1d596aea276d6573faeaa872a62533583ca236c73c728e07a8bbf56a64473b529f5ec

Download Submit
C:\Windows\SysWOW64\Nqmojd32.exe

Filesize
96KB

MD5
4fca1191f5ea6dc4608a659ddba7d8e1

SHA1
f1e70a85b5670963f4d3422fc1bbce79a0c7b4e9

SHA256
45ba4cbb780935d1e4907ff0b19aff44f47df014fb3a226c3f363f57ff8da164

SHA512
c231fdf236905ba6fbe2a400500684d9c9bd5879542a6cadbfb6c7c2c1466e2d5a721e0a0084a0aa8f4180fd73e7233f55031cfb02e95053b399b5533e383923

Download Submit
C:\Windows\SysWOW64\Ocnabm32.exe

Filesize
96KB

MD5
fcba59b2c008d9ab0af52caf952ad6f8

SHA1
2617a4173916e0957ae126f36dfe8a1a828e4d76

SHA256
b6597f189568485d54247ae8f9f9b6c9976b3a4b550468793b3738786bc078c1

SHA512
fdf63ae3c5572fdfade2f3af08935d28654e853786884a339c9916b7f852b54b84891b1bc2319ed407646f796b8c01c4f2281568b5c879d0bdf04b8c00c341d3

Download Submit
C:\Windows\SysWOW64\Oihmedma.exe

Filesize
96KB

MD5
3d44f2c9b92c7f31780adf0ffb323c7f

SHA1
fdc0879f97613e4288d5776f82685dc34896e6a1

SHA256
a99bfa129e2e6571400c32e0d524be06a24d851d909e7a8545ee61467b5fd951

SHA512
e214159d33cbae4faa9a28a3b86bd6e664a89033fe7f7203dd8cc575fc8dd8532231f5b82bb0b697f1f20a56c65bbcb1323d294a2675c3de34446979edeee859

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
64KB

MD5
f76ec92e3b48b2dc9497b09a0a80b479

SHA1
1ad43f2f26ed05098e8a707bd4b166863fd3e359

SHA256
654982a9f8840c6a69d369b48bac4ee799e832ff30996ccdd6476c3499fe4a9e

SHA512
497335fbc795de2d13b80aa1d4969dc50fa5379e88bf8b8f12af0ed31457f09f4e7c2aef318afbb1370e0068b83cbdefcc388161b35e8ff6a90d80aadaac96b1

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
96KB

MD5
716fe5f03f1de9846ebfb33a33d520ba

SHA1
15cbd607bf38696f77ddacbe73b99ac659e31d78

SHA256
9df5b264ef83ea5e54d0a2eed75a58a5872e34343f0aa7406562daf2681dad75

SHA512
8e303204c47d805afcbdf7b75acf9686460fb32fb01773f1cc1d9def16cefea0e93bdd9a8b7d4d86dd911b3c4f2e24bd66e5828e49ca5cb2638b21181495f29c

Download Submit
C:\Windows\SysWOW64\Pfccogfc.exe

Filesize
96KB

MD5
95d5fb7646574450583c3b07ad985b66

SHA1
75ffc2ab6f12be911e9c52c34fa0b2b90b5e625d

SHA256
bcb4042dd584c1fe206e368fbf4bf73930d2d03ad655b4bf6758c4ca97d37b8e

SHA512
c2f64f188e8f20bb0b7b5a389ae26e1a84ecd6a8e861d4d8f15f3fe1c677b2054afd562c6f2247e105ea319457efeecac13ccfe850d781de3c96eeb5000ec8b1

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
96KB

MD5
6e718c368c027f4305a7df09854d9166

SHA1
9a971d00ce99c7d584cb00c7078d10763fa7e95e

SHA256
00e668c24778da172e4fdd4fd46aef9b435001a0cd4a9db67146ad71bde75b40

SHA512
9d6431f1217e88a7e425c8032f3865f454de8a41a82eaf991d6ab3d244fe9f841e8a4446a9cb700429849c7c97cc51c82cdeb55b56b11101bfe591f32e61c92e

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
96KB

MD5
a900d08918cfbaa3c9c97a5e8cc20efe

SHA1
e4861adc4d7a05e7ebb028440b7a5cedb8a53b2c

SHA256
f5de91be8a0507b4da3d2160e1ae6d55c48d35d8f79f25ff323a4403aa188723

SHA512
f9651afc409a338eebe79e8f9147a831a3ea6357325778fa120394806b554fe8061fce23541ca0d4c9a0ae42b0dd72d73216d0a76f20e6a27146f21689169077

Download Submit
C:\Windows\SysWOW64\Pnbddbhk.dll

Filesize
7KB

MD5
70f89c0a8422d405ed43a30d30a675e4

SHA1
3336ad4be989da1d2571d2120384092bcb173674

SHA256
87ef322831e475af2ddb07978d242567105ded8f5b797a29a016643cfb5114b2

SHA512
9860eac14589e1d22f86ff58e6048919a4f784da50b97071d0dcaa4a15e01effaffe592c2f43e8ecbe3f4ee654d27bb91a07e3ed9f36c00f9d5c9a4108f2b275

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
96KB

MD5
9f46864081610b1d302adbabe80615ae

SHA1
439c4ffb898fc8ba49aa6bed7f03b2b674cef414

SHA256
f31d4f6d28620426a64f95a75d725131fcca5d83ddc545b42cb25d296af6525a

SHA512
87bb83f81071470dc64db0c2bc6a8ebb3580e6e3b70e195a1101ec81ed71a7b0c27ffb20bab8bb7b41e62ed7987506c746556f5ed7eb70bcb30304c939909099

Download Submit
C:\Windows\SysWOW64\Qclmck32.exe

Filesize
96KB

MD5
0126867cbd491e4e7cf36d9673007ffd

SHA1
50911279bec8eeafe1744c3422d8bc82f7afd41d

SHA256
346a6107e14f302306aab87dc342ee82f12346befdc3d308db4f8249b0e849e6

SHA512
066a2817b76a9c92b219b752ecc129426cd3ee02b6998902bc154ef4eac02a2d999f2ffcd3802f017b5efb18a9930dfb5a8ff2812572f6db15b41e9c962fa7da

Download Submit
C:\Windows\SysWOW64\Qikbaaml.exe

Filesize
96KB

MD5
9820540a1e0cab02a4d25c02ce4a23c2

SHA1
97d390a74e06cb50a47a8dada8e4ecd0d7c7ac5d

SHA256
4fd24fb9d07601be411355765029594fd5c8923a4c53d901d8367cbc251b1371

SHA512
aa4351fa7cae76446db5c68fba1228efe0279002d8619d838c0a208f874d43e16603d013f27e02b3a91db9ae8dfdf71378a1931002e0d8355682341d0dfe7b63

Download Submit
memory/208-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/208-555-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/372-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/468-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/720-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/824-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/876-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/880-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/988-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/988-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1160-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1212-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1268-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1464-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1484-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1484-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1564-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1604-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1608-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1716-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1848-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1964-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2072-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2332-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2772-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2888-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3068-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3168-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3200-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3204-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3220-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3228-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3388-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3388-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3432-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3460-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3664-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3676-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3820-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3868-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4008-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-557-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4104-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4128-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4280-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4344-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4440-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-500-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4528-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4572-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4680-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4772-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4780-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4788-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4836-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4884-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4912-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5060-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5112-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5200-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5244-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5288-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5332-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5380-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads