berbew | 933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536f

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536fN.exe
Size

64KB
MD5

572b854cfe3bad47b0d29d3f436d94c0
SHA1

b380ffed340670a0f4210a5836e25b4a25a93568
SHA256

933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536f
SHA512

d30a2e5fd4f20f86d6461c80faf66ae3d9b43e33dffc220447a85b6db4c524a4c566cc3c0262dbd96a24d2dd671bbe35be24aabdc4d09d951868f017bcfe833f
SSDEEP

768:WTtfWanO2WCGaHicJs9DPQ7cmNbFUTK0FFpm6g0GFS5TTRQZRQA/1H5eXdnhgl7j:WTtnnO2WMicSDP4Ss1cgigNtn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgjjoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnienqbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hchihhng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdaqhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbkeacqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iohlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kokbpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfofjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phiekaql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njceqili.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahinbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoindndf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhlnjpdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihndgmdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpgalc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjcmpepm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilcol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elkbhbeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhdocc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feofmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Golcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilphk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefedcmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngklppei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohdlpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pacfjfej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqilaplo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbecljnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihlgan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcphpdil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpinac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjheejff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpchbhjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adbkmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glbapoqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdafa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljoboloa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjheejff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpjnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjgcgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffljjfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkcqdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnghhqdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dajnol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieknpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnopjfgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkcackeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjomldfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Celgjlpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhcmbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koiejemn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oahgnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegnol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkjjfkcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hafpiehg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbnopbdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcbded32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kifcnjpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niglfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaqphgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckcbaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnghhqdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnienqbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhflhcfa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2188	Mpchbhjl.exe
348	Mhjpceko.exe
2236	Mmghklif.exe
2716	Mdaqhf32.exe
1140	Minipm32.exe
660	Mhoind32.exe
3504	Nmlafk32.exe
2248	Nhafcd32.exe
2760	Nibbklke.exe
3988	Ndhgie32.exe
1532	Nkboeobh.exe
1544	Nalgbi32.exe
1144	Nhfoocaa.exe
864	Niglfl32.exe
2884	Npadcfnl.exe
1644	Ngklppei.exe
2004	Naqqmieo.exe
4844	Ohkijc32.exe
4716	Okiefn32.exe
4468	Opfnne32.exe
3688	Odaiodbp.exe
3736	Oinbgk32.exe
1216	Oaejhh32.exe
4372	Odcfdc32.exe
1496	Ogbbqo32.exe
4264	Oknnanhj.exe
4304	Oahgnh32.exe
4948	Ohaokbfd.exe
4420	Ohdlpa32.exe
1176	Pdklebje.exe
2688	Pjgemi32.exe
4060	Phiekaql.exe
3520	Pgnblm32.exe
1484	Pacfjfej.exe
2072	Phmnfp32.exe
4824	Pjoknhbe.exe
4864	Pknghk32.exe
1148	Qpkppbho.exe
4656	Qnopjfgi.exe
3564	Qkcackeb.exe
1072	Aqpika32.exe
4220	Ajhndgjj.exe
3916	Ahinbo32.exe
996	Adpogp32.exe
1976	Adbkmo32.exe
3992	Aklciimh.exe
4552	Aqilaplo.exe
3048	Akopoi32.exe
3064	Bjcmpepm.exe
4168	Bbkeacqo.exe
680	Bkcjjhgp.exe
2268	Bgjjoi32.exe
1636	Bdnkhn32.exe
1752	Bjkcqdje.exe
4348	Bdphnmjk.exe
1820	Bilcol32.exe
1824	Cqghcn32.exe
3080	Cgaqphgl.exe
1800	Cjomldfp.exe
4900	Cgcmeh32.exe
3196	Ckoifgmb.exe
4100	Cegnol32.exe
3716	Cgejkh32.exe
2952	Cnpbgajc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nbogaaom.dll	Mhjpceko.exe
File created	C:\Windows\SysWOW64\Mhoind32.exe	Minipm32.exe
File created	C:\Windows\SysWOW64\Cmefomdo.dll	Qnopjfgi.exe
File created	C:\Windows\SysWOW64\Gajfpi32.dll	Bdnkhn32.exe
File created	C:\Windows\SysWOW64\Glngep32.exe	Gbecljnl.exe
File created	C:\Windows\SysWOW64\Mogdhape.dll	Lbnggpfj.exe
File created	C:\Windows\SysWOW64\Mfofjk32.exe	Mcpjnp32.exe
File created	C:\Windows\SysWOW64\Fkgeph32.dll	Nalgbi32.exe
File created	C:\Windows\SysWOW64\Kkofofbb.exe	Kiajck32.exe
File created	C:\Windows\SysWOW64\Nalgbi32.exe	Nkboeobh.exe
File created	C:\Windows\SysWOW64\Ahinbo32.exe	Ajhndgjj.exe
File opened for modification	C:\Windows\SysWOW64\Ljoboloa.exe	Lfcfnm32.exe
File created	C:\Windows\SysWOW64\Npadcfnl.exe	Niglfl32.exe
File created	C:\Windows\SysWOW64\Hchqnhej.dll	Oknnanhj.exe
File created	C:\Windows\SysWOW64\Fjpoio32.exe	Flmonbbp.exe
File created	C:\Windows\SysWOW64\Hcabhido.exe	Hkjjfkcm.exe
File created	C:\Windows\SysWOW64\Cfdfhe32.dll	Kifcnjpi.exe
File created	C:\Windows\SysWOW64\Knfaph32.dll	Mhoind32.exe
File opened for modification	C:\Windows\SysWOW64\Eacaej32.exe	Eihlahjd.exe
File opened for modification	C:\Windows\SysWOW64\Fkehdnee.exe	Fhflhcfa.exe
File created	C:\Windows\SysWOW64\Gaffbg32.exe	Glinjqhb.exe
File opened for modification	C:\Windows\SysWOW64\Nibbklke.exe	Nhafcd32.exe
File opened for modification	C:\Windows\SysWOW64\Aqilaplo.exe	Aklciimh.exe
File created	C:\Windows\SysWOW64\Bjkcqdje.exe	Bdnkhn32.exe
File created	C:\Windows\SysWOW64\Epplai32.dll	Iadljc32.exe
File opened for modification	C:\Windows\SysWOW64\Kfejmobh.exe	Kcfnqccd.exe
File created	C:\Windows\SysWOW64\Mjcljk32.exe	Mlbllc32.exe
File created	C:\Windows\SysWOW64\Gehhom32.dll	Nmlafk32.exe
File opened for modification	C:\Windows\SysWOW64\Lfqjhmhk.exe	Lpgalc32.exe
File created	C:\Windows\SysWOW64\Elkbhbeb.exe	Eimelg32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjinjnj.exe	Kjlmbnof.exe
File created	C:\Windows\SysWOW64\Dflfoi32.dll	Dijppjfd.exe
File created	C:\Windows\SysWOW64\Foenplji.exe	Fkgejncb.exe
File opened for modification	C:\Windows\SysWOW64\Iefedcmk.exe	Hchihhng.exe
File created	C:\Windows\SysWOW64\Icdhdfcj.exe	Iohlcg32.exe
File created	C:\Windows\SysWOW64\Fepbfj32.dll	933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536fN.exe
File opened for modification	C:\Windows\SysWOW64\Oaejhh32.exe	Oinbgk32.exe
File opened for modification	C:\Windows\SysWOW64\Cgejkh32.exe	Cegnol32.exe
File created	C:\Windows\SysWOW64\Aphiikma.dll	Gajpmg32.exe
File created	C:\Windows\SysWOW64\Ocaocfbb.dll	Iameid32.exe
File created	C:\Windows\SysWOW64\Kkabefqp.exe	Kfejmobh.exe
File created	C:\Windows\SysWOW64\Gjqojf32.dll	Nffljjfc.exe
File created	C:\Windows\SysWOW64\Ogbbqo32.exe	Odcfdc32.exe
File created	C:\Windows\SysWOW64\Fajgfiag.exe	Fjpoio32.exe
File opened for modification	C:\Windows\SysWOW64\Joobdfei.exe	Jjbjlpga.exe
File created	C:\Windows\SysWOW64\Adbijq32.dll	Lcndab32.exe
File created	C:\Windows\SysWOW64\Nibbklke.exe	Nhafcd32.exe
File opened for modification	C:\Windows\SysWOW64\Nhfoocaa.exe	Nalgbi32.exe
File opened for modification	C:\Windows\SysWOW64\Opfnne32.exe	Okiefn32.exe
File opened for modification	C:\Windows\SysWOW64\Qnopjfgi.exe	Qpkppbho.exe
File created	C:\Windows\SysWOW64\Ceeojndk.dll	Ghpooanf.exe
File created	C:\Windows\SysWOW64\Giddddad.exe	Gooqfkan.exe
File created	C:\Windows\SysWOW64\Hkgnalep.exe	Hleneo32.exe
File opened for modification	C:\Windows\SysWOW64\Ckoifgmb.exe	Cgcmeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dlmegd32.exe	Decmjjie.exe
File created	C:\Windows\SysWOW64\Iameid32.exe	Ilqmam32.exe
File created	C:\Windows\SysWOW64\Kiajck32.exe	Koiejemn.exe
File created	C:\Windows\SysWOW64\Jnjjekeo.dll	Kfejmobh.exe
File created	C:\Windows\SysWOW64\Phhjdncl.dll	Lfcfnm32.exe
File created	C:\Windows\SysWOW64\Mmdekf32.exe	Mjehok32.exe
File created	C:\Windows\SysWOW64\Ecnehfee.dll	Mdaqhf32.exe
File created	C:\Windows\SysWOW64\Dehgejep.exe	Dlobmd32.exe
File created	C:\Windows\SysWOW64\Jbnopbdl.exe	Joobdfei.exe
File created	C:\Windows\SysWOW64\Jdbklkdg.dll	Lobhqdec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7252	6752	WerFault.exe	296

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oinbgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giddddad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilqmam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieknpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbmmoklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odcfdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fajgfiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbnopbdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbefolao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqilaplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icooig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfqjhmhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmokpglb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnkgbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdaqhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaqphgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikejbjip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpofd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npighq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nffljjfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nalgbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcjjhgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlobmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghpooanf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gajpmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hahlnefd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eacaej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjpoio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaffbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcnmhpoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlialb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpjnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnblm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaoihfoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhcmbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjlmbnof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njokei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnopjfgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adpogp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iofpnhmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfcfnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dilmeida.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlmegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhdocc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjjfkcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfofjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcabhido.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmccnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naqqmieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgjjoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckoifgmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgejkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckcbaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcndab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oahgnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckfofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfndlphp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Limioiia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpgalc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kilphk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhgie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elkbhbeb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolqioah.dll"	Dlmegd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhbdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieajfd32.dll"	Jjbjlpga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpgalc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnknkkci.dll"	Ogbbqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfqjhmhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqiejphh.dll"	Mmdekf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmdggnj.dll"	Odcfdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilphk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfofjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhgie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqilaplo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gooqfkan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glbapoqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihndgmdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbijq32.dll"	Lcndab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbfdm32.dll"	Koiejemn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odaiodbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phiekaql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flmonbbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiajck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcndab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghdmn32.dll"	Ljleil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okiefn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oknnanhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqilaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eakcie32.dll"	Eoindndf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnppaiii.dll"	Ileflmpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdafa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpkppbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkcjjhgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iameid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjoknhbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmbfpea.dll"	Icmbcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopgjjag.dll"	Mcnmhpoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohkijc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oknnanhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eimelg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbklkdg.dll"	Lobhqdec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlnkgbhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pacfjfej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdicce32.dll"	Aqpika32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghpooanf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giddddad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adbkmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hleneo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mclpbqal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdibqp32.dll"	Oinbgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkcackeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iohlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidgmfgl.dll"	Joaojf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgkle32.dll"	Pgnblm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbnqa32.dll"	Pacfjfej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkcackeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elednfne.dll"	Adbkmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kifcnjpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhjpceko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjcmpepm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjppniq.dll"	Dlobmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilqmam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536fN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2188	2804	933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536fN.exe	91
PID 2804 wrote to memory of 2188	2804	933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536fN.exe	91
PID 2804 wrote to memory of 2188	2804	933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536fN.exe	91
PID 2188 wrote to memory of 348	2188	Mpchbhjl.exe	92
PID 2188 wrote to memory of 348	2188	Mpchbhjl.exe	92
PID 2188 wrote to memory of 348	2188	Mpchbhjl.exe	92
PID 348 wrote to memory of 2236	348	Mhjpceko.exe	93
PID 348 wrote to memory of 2236	348	Mhjpceko.exe	93
PID 348 wrote to memory of 2236	348	Mhjpceko.exe	93
PID 2236 wrote to memory of 2716	2236	Mmghklif.exe	94
PID 2236 wrote to memory of 2716	2236	Mmghklif.exe	94
PID 2236 wrote to memory of 2716	2236	Mmghklif.exe	94
PID 2716 wrote to memory of 1140	2716	Mdaqhf32.exe	95
PID 2716 wrote to memory of 1140	2716	Mdaqhf32.exe	95
PID 2716 wrote to memory of 1140	2716	Mdaqhf32.exe	95
PID 1140 wrote to memory of 660	1140	Minipm32.exe	96
PID 1140 wrote to memory of 660	1140	Minipm32.exe	96
PID 1140 wrote to memory of 660	1140	Minipm32.exe	96
PID 660 wrote to memory of 3504	660	Mhoind32.exe	97
PID 660 wrote to memory of 3504	660	Mhoind32.exe	97
PID 660 wrote to memory of 3504	660	Mhoind32.exe	97
PID 3504 wrote to memory of 2248	3504	Nmlafk32.exe	98
PID 3504 wrote to memory of 2248	3504	Nmlafk32.exe	98
PID 3504 wrote to memory of 2248	3504	Nmlafk32.exe	98
PID 2248 wrote to memory of 2760	2248	Nhafcd32.exe	99
PID 2248 wrote to memory of 2760	2248	Nhafcd32.exe	99
PID 2248 wrote to memory of 2760	2248	Nhafcd32.exe	99
PID 2760 wrote to memory of 3988	2760	Nibbklke.exe	100
PID 2760 wrote to memory of 3988	2760	Nibbklke.exe	100
PID 2760 wrote to memory of 3988	2760	Nibbklke.exe	100
PID 3988 wrote to memory of 1532	3988	Ndhgie32.exe	101
PID 3988 wrote to memory of 1532	3988	Ndhgie32.exe	101
PID 3988 wrote to memory of 1532	3988	Ndhgie32.exe	101
PID 1532 wrote to memory of 1544	1532	Nkboeobh.exe	102
PID 1532 wrote to memory of 1544	1532	Nkboeobh.exe	102
PID 1532 wrote to memory of 1544	1532	Nkboeobh.exe	102
PID 1544 wrote to memory of 1144	1544	Nalgbi32.exe	103
PID 1544 wrote to memory of 1144	1544	Nalgbi32.exe	103
PID 1544 wrote to memory of 1144	1544	Nalgbi32.exe	103
PID 1144 wrote to memory of 864	1144	Nhfoocaa.exe	104
PID 1144 wrote to memory of 864	1144	Nhfoocaa.exe	104
PID 1144 wrote to memory of 864	1144	Nhfoocaa.exe	104
PID 864 wrote to memory of 2884	864	Niglfl32.exe	105
PID 864 wrote to memory of 2884	864	Niglfl32.exe	105
PID 864 wrote to memory of 2884	864	Niglfl32.exe	105
PID 2884 wrote to memory of 1644	2884	Npadcfnl.exe	106
PID 2884 wrote to memory of 1644	2884	Npadcfnl.exe	106
PID 2884 wrote to memory of 1644	2884	Npadcfnl.exe	106
PID 1644 wrote to memory of 2004	1644	Ngklppei.exe	107
PID 1644 wrote to memory of 2004	1644	Ngklppei.exe	107
PID 1644 wrote to memory of 2004	1644	Ngklppei.exe	107
PID 2004 wrote to memory of 4844	2004	Naqqmieo.exe	108
PID 2004 wrote to memory of 4844	2004	Naqqmieo.exe	108
PID 2004 wrote to memory of 4844	2004	Naqqmieo.exe	108
PID 4844 wrote to memory of 4716	4844	Ohkijc32.exe	109
PID 4844 wrote to memory of 4716	4844	Ohkijc32.exe	109
PID 4844 wrote to memory of 4716	4844	Ohkijc32.exe	109
PID 4716 wrote to memory of 4468	4716	Okiefn32.exe	110
PID 4716 wrote to memory of 4468	4716	Okiefn32.exe	110
PID 4716 wrote to memory of 4468	4716	Okiefn32.exe	110
PID 4468 wrote to memory of 3688	4468	Opfnne32.exe	111
PID 4468 wrote to memory of 3688	4468	Opfnne32.exe	111
PID 4468 wrote to memory of 3688	4468	Opfnne32.exe	111
PID 3688 wrote to memory of 3736	3688	Odaiodbp.exe	112

C:\Users\Admin\AppData\Local\Temp\933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536fN.exe
"C:\Users\Admin\AppData\Local\Temp\933f821fc023a1d7a633bb099acff2a00e93db94b477b45f3ecb1e1bc88a536fN.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\Mpchbhjl.exe
  C:\Windows\system32\Mpchbhjl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\Mhjpceko.exe
    C:\Windows\system32\Mhjpceko.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\SysWOW64\Mmghklif.exe
      C:\Windows\system32\Mmghklif.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\Mdaqhf32.exe
        
        C:\Windows\system32\Mdaqhf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\Minipm32.exe
        
        C:\Windows\system32\Minipm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Mhoind32.exe
        
        C:\Windows\system32\Mhoind32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Nmlafk32.exe
        
        C:\Windows\system32\Nmlafk32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Nhafcd32.exe
        
        C:\Windows\system32\Nhafcd32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Nibbklke.exe
        
        C:\Windows\system32\Nibbklke.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ndhgie32.exe
        
        C:\Windows\system32\Ndhgie32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Nkboeobh.exe
        
        C:\Windows\system32\Nkboeobh.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Nalgbi32.exe
        
        C:\Windows\system32\Nalgbi32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Nhfoocaa.exe
        
        C:\Windows\system32\Nhfoocaa.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Niglfl32.exe
        
        C:\Windows\system32\Niglfl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Npadcfnl.exe
        
        C:\Windows\system32\Npadcfnl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ngklppei.exe
        
        C:\Windows\system32\Ngklppei.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Naqqmieo.exe
        
        C:\Windows\system32\Naqqmieo.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Okiefn32.exe
        
        C:\Windows\system32\Okiefn32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Opfnne32.exe
        
        C:\Windows\system32\Opfnne32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Odaiodbp.exe
        
        C:\Windows\system32\Odaiodbp.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Oinbgk32.exe
        
        C:\Windows\system32\Oinbgk32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Oaejhh32.exe
        
        C:\Windows\system32\Oaejhh32.exe
        24⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Odcfdc32.exe
        
        C:\Windows\system32\Odcfdc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Ogbbqo32.exe
        
        C:\Windows\system32\Ogbbqo32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Oknnanhj.exe
        
        C:\Windows\system32\Oknnanhj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Oahgnh32.exe
        
        C:\Windows\system32\Oahgnh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Ohaokbfd.exe
        
        C:\Windows\system32\Ohaokbfd.exe
        29⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Ohdlpa32.exe
        
        C:\Windows\system32\Ohdlpa32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Pdklebje.exe
        
        C:\Windows\system32\Pdklebje.exe
        31⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Pjgemi32.exe
        
        C:\Windows\system32\Pjgemi32.exe
        32⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Phiekaql.exe
        
        C:\Windows\system32\Phiekaql.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Pgnblm32.exe
        
        C:\Windows\system32\Pgnblm32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Pacfjfej.exe
        
        C:\Windows\system32\Pacfjfej.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Phmnfp32.exe
        
        C:\Windows\system32\Phmnfp32.exe
        36⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Pjoknhbe.exe
        
        C:\Windows\system32\Pjoknhbe.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Pknghk32.exe
        
        C:\Windows\system32\Pknghk32.exe
        38⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Qpkppbho.exe
        
        C:\Windows\system32\Qpkppbho.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Qnopjfgi.exe
        
        C:\Windows\system32\Qnopjfgi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Qkcackeb.exe
        
        C:\Windows\system32\Qkcackeb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Aqpika32.exe
        
        C:\Windows\system32\Aqpika32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Ajhndgjj.exe
        
        C:\Windows\system32\Ajhndgjj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Ahinbo32.exe
        
        C:\Windows\system32\Ahinbo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Adpogp32.exe
        
        C:\Windows\system32\Adpogp32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Adbkmo32.exe
        
        C:\Windows\system32\Adbkmo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Aklciimh.exe
        
        C:\Windows\system32\Aklciimh.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Aqilaplo.exe
        
        C:\Windows\system32\Aqilaplo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        49⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Bbkeacqo.exe
        
        C:\Windows\system32\Bbkeacqo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Bkcjjhgp.exe
        
        C:\Windows\system32\Bkcjjhgp.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Bdnkhn32.exe
        
        C:\Windows\system32\Bdnkhn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Bjkcqdje.exe
        
        C:\Windows\system32\Bjkcqdje.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Bdphnmjk.exe
        
        C:\Windows\system32\Bdphnmjk.exe
        56⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Bilcol32.exe
        
        C:\Windows\system32\Bilcol32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        58⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Cgaqphgl.exe
        
        C:\Windows\system32\Cgaqphgl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Cjomldfp.exe
        
        C:\Windows\system32\Cjomldfp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Cgcmeh32.exe
        
        C:\Windows\system32\Cgcmeh32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ckoifgmb.exe
        
        C:\Windows\system32\Ckoifgmb.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Cegnol32.exe
        
        C:\Windows\system32\Cegnol32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Cgejkh32.exe
        
        C:\Windows\system32\Cgejkh32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Cnpbgajc.exe
        
        C:\Windows\system32\Cnpbgajc.exe
        65⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Ckcbaf32.exe
        
        C:\Windows\system32\Ckcbaf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Capkim32.exe
        
        C:\Windows\system32\Capkim32.exe
        67⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Celgjlpn.exe
        
        C:\Windows\system32\Celgjlpn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1332
        
        C:\Windows\SysWOW64\Ckfofe32.exe
        
        C:\Windows\system32\Ckfofe32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        70⤵
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Dnghhqdk.exe
        
        C:\Windows\system32\Dnghhqdk.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4632
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Dnienqbi.exe
        
        C:\Windows\system32\Dnienqbi.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4068
        
        C:\Windows\SysWOW64\Decmjjie.exe
        
        C:\Windows\system32\Decmjjie.exe
        74⤵
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Dlmegd32.exe
        
        C:\Windows\system32\Dlmegd32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Dajnol32.exe
        
        C:\Windows\system32\Dajnol32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:208
        
        C:\Windows\SysWOW64\Dlobmd32.exe
        
        C:\Windows\system32\Dlobmd32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Dehgejep.exe
        
        C:\Windows\system32\Dehgejep.exe
        78⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Ejdonq32.exe
        
        C:\Windows\system32\Ejdonq32.exe
        79⤵
        
        PID:960
        
        C:\Windows\SysWOW64\Eieplhlf.exe
        
        C:\Windows\system32\Eieplhlf.exe
        80⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Ejglcq32.exe
        
        C:\Windows\system32\Ejglcq32.exe
        81⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Eihlahjd.exe
        
        C:\Windows\system32\Eihlahjd.exe
        82⤵
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Eacaej32.exe
        
        C:\Windows\system32\Eacaej32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Engaon32.exe
        
        C:\Windows\system32\Engaon32.exe
        84⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Eimelg32.exe
        
        C:\Windows\system32\Eimelg32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Elkbhbeb.exe
        
        C:\Windows\system32\Elkbhbeb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Eoindndf.exe
        
        C:\Windows\system32\Eoindndf.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Flmonbbp.exe
        
        C:\Windows\system32\Flmonbbp.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Fjpoio32.exe
        
        C:\Windows\system32\Fjpoio32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Fajgfiag.exe
        
        C:\Windows\system32\Fajgfiag.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Fefcgh32.exe
        
        C:\Windows\system32\Fefcgh32.exe
        91⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Fhdocc32.exe
        
        C:\Windows\system32\Fhdocc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Falcli32.exe
        
        C:\Windows\system32\Falcli32.exe
        93⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Fhflhcfa.exe
        
        C:\Windows\system32\Fhflhcfa.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Fkehdnee.exe
        
        C:\Windows\system32\Fkehdnee.exe
        95⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Fkgejncb.exe
        
        C:\Windows\system32\Fkgejncb.exe
        96⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Foenplji.exe
        
        C:\Windows\system32\Foenplji.exe
        97⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Feofmf32.exe
        
        C:\Windows\system32\Feofmf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Glinjqhb.exe
        
        C:\Windows\system32\Glinjqhb.exe
        99⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Gaffbg32.exe
        
        C:\Windows\system32\Gaffbg32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Ghpooanf.exe
        
        C:\Windows\system32\Ghpooanf.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Gknkkmmj.exe
        
        C:\Windows\system32\Gknkkmmj.exe
        102⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Gbecljnl.exe
        
        C:\Windows\system32\Gbecljnl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Glngep32.exe
        
        C:\Windows\system32\Glngep32.exe
        104⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Golcak32.exe
        
        C:\Windows\system32\Golcak32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Gajpmg32.exe
        
        C:\Windows\system32\Gajpmg32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Gkcdfl32.exe
        
        C:\Windows\system32\Gkcdfl32.exe
        107⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Gooqfkan.exe
        
        C:\Windows\system32\Gooqfkan.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Giddddad.exe
        
        C:\Windows\system32\Giddddad.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Glbapoqh.exe
        
        C:\Windows\system32\Glbapoqh.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Gaoihfoo.exe
        
        C:\Windows\system32\Gaoihfoo.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Hifaic32.exe
        
        C:\Windows\system32\Hifaic32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Hleneo32.exe
        
        C:\Windows\system32\Hleneo32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Hkgnalep.exe
        
        C:\Windows\system32\Hkgnalep.exe
        114⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Hhlnjpdi.exe
        
        C:\Windows\system32\Hhlnjpdi.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Hkjjfkcm.exe
        
        C:\Windows\system32\Hkjjfkcm.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Hcabhido.exe
        
        C:\Windows\system32\Hcabhido.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Hklglk32.exe
        
        C:\Windows\system32\Hklglk32.exe
        118⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Hafpiehg.exe
        
        C:\Windows\system32\Hafpiehg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Hllcfnhm.exe
        
        C:\Windows\system32\Hllcfnhm.exe
        120⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Hcflch32.exe
        
        C:\Windows\system32\Hcflch32.exe
        121⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Hahlnefd.exe
        
        C:\Windows\system32\Hahlnefd.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Hhbdko32.exe
        
        C:\Windows\system32\Hhbdko32.exe
        123⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Hchihhng.exe
        
        C:\Windows\system32\Hchihhng.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Iefedcmk.exe
        
        C:\Windows\system32\Iefedcmk.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Ilqmam32.exe
        
        C:\Windows\system32\Ilqmam32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Iameid32.exe
        
        C:\Windows\system32\Iameid32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Ieiajckh.exe
        
        C:\Windows\system32\Ieiajckh.exe
        128⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Ikejbjip.exe
        
        C:\Windows\system32\Ikejbjip.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Icmbcg32.exe
        
        C:\Windows\system32\Icmbcg32.exe
        130⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ieknpb32.exe
        
        C:\Windows\system32\Ieknpb32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Ileflmpb.exe
        
        C:\Windows\system32\Ileflmpb.exe
        132⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Icooig32.exe
        
        C:\Windows\system32\Icooig32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Ihlgan32.exe
        
        C:\Windows\system32\Ihlgan32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Iofpnhmc.exe
        
        C:\Windows\system32\Iofpnhmc.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Iadljc32.exe
        
        C:\Windows\system32\Iadljc32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Ihndgmdd.exe
        
        C:\Windows\system32\Ihndgmdd.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Iohlcg32.exe
        
        C:\Windows\system32\Iohlcg32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Icdhdfcj.exe
        
        C:\Windows\system32\Icdhdfcj.exe
        139⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Jllmml32.exe
        
        C:\Windows\system32\Jllmml32.exe
        140⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Jokiig32.exe
        
        C:\Windows\system32\Jokiig32.exe
        141⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Jfdafa32.exe
        
        C:\Windows\system32\Jfdafa32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Jhcmbm32.exe
        
        C:\Windows\system32\Jhcmbm32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Jkajnh32.exe
        
        C:\Windows\system32\Jkajnh32.exe
        144⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Jfgnka32.exe
        
        C:\Windows\system32\Jfgnka32.exe
        145⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Jjbjlpga.exe
        
        C:\Windows\system32\Jjbjlpga.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Joobdfei.exe
        
        C:\Windows\system32\Joobdfei.exe
        147⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Jbnopbdl.exe
        
        C:\Windows\system32\Jbnopbdl.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Windows\SysWOW64\Jmccnk32.exe
        
        C:\Windows\system32\Jmccnk32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6360
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        150⤵
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Jjgcgo32.exe
        
        C:\Windows\system32\Jjgcgo32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Kcphpdil.exe
        
        C:\Windows\system32\Kcphpdil.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6492
        
        C:\Windows\SysWOW64\Kfndlphp.exe
        
        C:\Windows\system32\Kfndlphp.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\Kilphk32.exe
        
        C:\Windows\system32\Kilphk32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Kcbded32.exe
        
        C:\Windows\system32\Kcbded32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6624
        
        C:\Windows\SysWOW64\Kjlmbnof.exe
        
        C:\Windows\system32\Kjlmbnof.exe
        156⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6668
        
        C:\Windows\SysWOW64\Kmjinjnj.exe
        
        C:\Windows\system32\Kmjinjnj.exe
        157⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Koiejemn.exe
        
        C:\Windows\system32\Koiejemn.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Kiajck32.exe
        
        C:\Windows\system32\Kiajck32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Kkofofbb.exe
        
        C:\Windows\system32\Kkofofbb.exe
        160⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Kokbpe32.exe
        
        C:\Windows\system32\Kokbpe32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Kcfnqccd.exe
        
        C:\Windows\system32\Kcfnqccd.exe
        162⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Kfejmobh.exe
        
        C:\Windows\system32\Kfejmobh.exe
        163⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Kkabefqp.exe
        
        C:\Windows\system32\Kkabefqp.exe
        164⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Kifcnjpi.exe
        
        C:\Windows\system32\Kifcnjpi.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Lbnggpfj.exe
        
        C:\Windows\system32\Lbnggpfj.exe
        166⤵
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Lmcldhfp.exe
        
        C:\Windows\system32\Lmcldhfp.exe
        167⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Lobhqdec.exe
        
        C:\Windows\system32\Lobhqdec.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Lcndab32.exe
        
        C:\Windows\system32\Lcndab32.exe
        169⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Lkiiee32.exe
        
        C:\Windows\system32\Lkiiee32.exe
        170⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Lbcabo32.exe
        
        C:\Windows\system32\Lbcabo32.exe
        171⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Limioiia.exe
        
        C:\Windows\system32\Limioiia.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Windows\SysWOW64\Lpgalc32.exe
        
        C:\Windows\system32\Lpgalc32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Lfqjhmhk.exe
        
        C:\Windows\system32\Lfqjhmhk.exe
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Ljleil32.exe
        
        C:\Windows\system32\Ljleil32.exe
        175⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Lpinac32.exe
        
        C:\Windows\system32\Lpinac32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Lfcfnm32.exe
        
        C:\Windows\system32\Lfcfnm32.exe
        177⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6812
        
        C:\Windows\SysWOW64\Ljoboloa.exe
        
        C:\Windows\system32\Ljoboloa.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Llpofd32.exe
        
        C:\Windows\system32\Llpofd32.exe
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\SysWOW64\Mbjgcnll.exe
        
        C:\Windows\system32\Mbjgcnll.exe
        180⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Mmokpglb.exe
        
        C:\Windows\system32\Mmokpglb.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Windows\SysWOW64\Mlbllc32.exe
        
        C:\Windows\system32\Mlbllc32.exe
        182⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Mjcljk32.exe
        
        C:\Windows\system32\Mjcljk32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Miflehaf.exe
        
        C:\Windows\system32\Miflehaf.exe
        184⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Mclpbqal.exe
        
        C:\Windows\system32\Mclpbqal.exe
        185⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Mjehok32.exe
        
        C:\Windows\system32\Mjehok32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Mmdekf32.exe
        
        C:\Windows\system32\Mmdekf32.exe
        187⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Mcnmhpoj.exe
        
        C:\Windows\system32\Mcnmhpoj.exe
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Mjheejff.exe
        
        C:\Windows\system32\Mjheejff.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Mmfaafej.exe
        
        C:\Windows\system32\Mmfaafej.exe
        190⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Mlialb32.exe
        
        C:\Windows\system32\Mlialb32.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\Mcpjnp32.exe
        
        C:\Windows\system32\Mcpjnp32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6216
        
        C:\Windows\SysWOW64\Mfofjk32.exe
        
        C:\Windows\system32\Mfofjk32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Nbefolao.exe
        
        C:\Windows\system32\Nbefolao.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\Nlnkgbhp.exe
        
        C:\Windows\system32\Nlnkgbhp.exe
        195⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Npighq32.exe
        
        C:\Windows\system32\Npighq32.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\Njokei32.exe
        
        C:\Windows\system32\Njokei32.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:7148
        
        C:\Windows\SysWOW64\Nlphmafm.exe
        
        C:\Windows\system32\Nlphmafm.exe
        198⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Npldnp32.exe
        
        C:\Windows\system32\Npldnp32.exe
        199⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Nffljjfc.exe
        
        C:\Windows\system32\Nffljjfc.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6392
        
        C:\Windows\SysWOW64\Nbmmoklg.exe
        
        C:\Windows\system32\Nbmmoklg.exe
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:6764
        
        C:\Windows\SysWOW64\Njceqili.exe
        
        C:\Windows\system32\Njceqili.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Nifele32.exe
        
        C:\Windows\system32\Nifele32.exe
        203⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Nleaha32.exe
        
        C:\Windows\system32\Nleaha32.exe
        204⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 400
        205⤵
        Program crash
        
        PID:7252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=3996 /prefetch:8
1⤵
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6752 -ip 6752
1⤵
PID:7228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adpogp32.exe

Filesize
64KB

MD5
34e3366aa0158d5ca0c365a22d390019

SHA1
800434330ca2a9ec29a30c2f2029428130107e24

SHA256
b6ff56e81f2bdd66887f432bb128a591f4481a71262e5c3f9289aa3b72c8718a

SHA512
ed0f2881b9d0f6b494d01ea0ccc45ebf08562a28bdccff06bfe0a167164d83fb63f8b16b058629fc68420492b8909d9152555c8391a172ef342bae3fdb47d7c5

Download Submit
C:\Windows\SysWOW64\Ajhndgjj.exe

Filesize
64KB

MD5
4b79f276e505d050cb0d436ad8ccb211

SHA1
bb9dd6671f537a63d104812ab222390ef56d4fa5

SHA256
4aba39f6e6b14e48b4e40f59b435e5cbc04c52fa9543d3f8e0786c58f2fa4394

SHA512
9ea1fb2622e292e28f47ef1416cd0ec9f180370edf9da8d6aa4ee659084d22ae794fc4bc01705039b70f2b104ac25360e75c0a4c560b97b946dd9269ba423cbe

Download Submit
C:\Windows\SysWOW64\Aqilaplo.exe

Filesize
64KB

MD5
1e7807689a96c0cf44d1a49462ae4fb8

SHA1
62186d566bed7fd126865d5959ec9458b8b657b6

SHA256
0da38c7a37562252505cd9b9b90105d1666c693a7ecbe98a435dc6953e4fa451

SHA512
0e8f22eda8199a1626aa9a76e9f77ee0a9d98579d2472e59bd5dc44cab32a033f9fb63d55d3534914c2d231c2e5a9a764c3d412fc7c94bf239fc1038025aeb6a

Download Submit
C:\Windows\SysWOW64\Bdphnmjk.exe

Filesize
64KB

MD5
89e0d8522c6d8c44a1a223dad92dec6c

SHA1
6ee1602b01efacd016b603ff6ba9131240afc48e

SHA256
a91335b8d0fd64751e61fd99dd422beea456d0b284084c0b5e03f46fe3209a06

SHA512
d2fe1369b8b66d69319d6d9392c289b9cc7a4f23f0090aff33ad3425a1644449b7577500e36726ac39d50d9a76f57b0257715c7b7c2a9609fd4ffc8f2e2d4f25

Download Submit
C:\Windows\SysWOW64\Bkcjjhgp.exe

Filesize
64KB

MD5
d7ee0ec94511402ed18f5d360bd251f1

SHA1
fc4990ed54b83454e6e9255d413f16530c9a8fa7

SHA256
bace6510319d21838f1da1826b400865dc710d6a1e06556f62853cde3e1ad06f

SHA512
101f9a8cef87983387ff1213695101f73a6c042eb59f1238964bd1ff14ef101b39fa54064b71de2cd84ef762852bf817c029696434a848b93b0a7c03eaa8ac9b

Download Submit
C:\Windows\SysWOW64\Cegnol32.exe

Filesize
64KB

MD5
7910a6b8ad711d02374ffd095d402d12

SHA1
eebff152057fc486ad5dc57040c9b91106efe994

SHA256
9322caf029062d1215b990abac99b001c6c5c3753ffd6006257983d760bd245c

SHA512
0cbfaf36ba292b6eec6e16681d96671ba8f6bbef57ac70ed36036f4d29951a9564656e7c21c0595d937ee15ee2b1a71e8e32f371ed187ad72df672857ac68a0f

Download Submit
C:\Windows\SysWOW64\Cgcmeh32.exe

Filesize
64KB

MD5
3f3764fef8fc0ea19dc5455b355b10f5

SHA1
f7bac52cdb21f826034ef07a6cda324840dbb40b

SHA256
65a927cfaf0a694b7b69d7b3083e8ff715870a327078cbc7e7472acba9d05187

SHA512
e7f286c9704006f9f47c1d07c283f6f1b389b550b093fd339232f44d2ce5aa9019917d2af522daf988ad58d287b7d654a1f736dad128bf7d26a490e948b50727

Download Submit
C:\Windows\SysWOW64\Cnpbgajc.exe

Filesize
64KB

MD5
52f8c5a950e88178463d99f73cd6a926

SHA1
3d6cf8afae6904bccc12855ccfb8413cbeb38ac3

SHA256
078fdb36c8b10f7c3a18b14989dd3b59ae989affc2b6f37fb8f7daadb7492b70

SHA512
4a21360e02333e17618855b92d7a0c7fec999e3c94986b2bcdfcfeda195b4d31c3af1f0f5663eb48a76316142d268431e62b4a7d29d4d252e8ad06f075159310

Download Submit
C:\Windows\SysWOW64\Cqghcn32.exe

Filesize
64KB

MD5
7b4cee6dc0b389ad3757c840d04dd77c

SHA1
0783fb16f1c17fedd66a4da7ce932b4be7302da6

SHA256
e5dec40e125234ab6df09bbd27b874332c13ecfcc4cef19eecd37600b44f592a

SHA512
02757e2a125fba7e302724615d02f56fcdececb52e93d85d2d44745451504b1a8475be58ff23038759c85ffd727938f54721ffd7c179a3960eac66c000196500

Download Submit
C:\Windows\SysWOW64\Dajnol32.exe

Filesize
64KB

MD5
99b30ae2e85c8aca95c691b37b30bf80

SHA1
06575562189982594057ce0c19af62619b8200c5

SHA256
52dde438ca88e359e01e7de92cf1f27a8f1f8e2aaa5041f80b879f76c009c2d5

SHA512
0871f64f5f4c19d272845eee73502985b7bfacb44b13dfd732fbde5ebf43f7533413bae5765dc3039a00caf4b5e8e323943ec3b28dc4ebe640faf8b9362f041c

Download Submit
C:\Windows\SysWOW64\Dijppjfd.exe

Filesize
64KB

MD5
24914d98fc55d079e256cfa6cc0dc703

SHA1
4bed6e021bb0bf53cd17d15a356b7d10b338f899

SHA256
0d7856997f8890c28db6ec3e1130509ac35bf2cf6ee53c7511be4abd7dbee0d7

SHA512
042b6b13b8038ae0452e19ba83440ec5fadc2775fc8f382ab9428644a20190eb0eaa7b5977782a7f401504806c8e707eadfb0f3b85cc175e11b2c2dfd484c507

Download Submit
C:\Windows\SysWOW64\Dilmeida.exe

Filesize
64KB

MD5
8420674b208d7d417a46a6411eca0c40

SHA1
a9174bc7aa8f2ccd23ce81b1aa1dac7b0c616241

SHA256
3a67e9b884f3bde6319392472eead8a4a83c6da5db8b452822f5fdde569eea7b

SHA512
f753e4bb102e68459a486c87180a43a57830ecc835880c95a64fe2d0163261b9b16c7e456dbfc60208c519469a5c5b98962640ad4c5ae81fee1b4b8f8668285c

Download Submit
C:\Windows\SysWOW64\Eieplhlf.exe

Filesize
64KB

MD5
a0bc12c8ddddcaa094357885d1aaf057

SHA1
74748c8f98e3555bfbabd1c93f9a9d746734c599

SHA256
c3a80a53b6d82efe6e6f2087592e970feb5cd2670a3b5e28dc278c24a07a51d9

SHA512
a7c0a7529380dff08f3bb3a509bf97cd3a70b78db03d5ace79e0d0dcb177a60b0a0166adf07485f62b4d41040d68b9996165bf178aba5b115b649f76be4e433f

Download Submit
C:\Windows\SysWOW64\Fkehdnee.exe

Filesize
64KB

MD5
8b2918edd1fed96ccc8e8a3c0a530236

SHA1
bd6b8fa104cad39aa46a8111eb0ecbf946b5d363

SHA256
d3cc0a7068fb4cfe0f6d0d1bed53a5e9c8d9ebdd0ee7f220d3ea48f8025e794f

SHA512
44f99a22bcee0e73ab973a73481b398b60d81c14d95fe4a85896517197075be2a4ee846bc6b7eb98d3f4a1a1738fcd43c8a3971135f1da48c5dbc61eebc71763

Download Submit
C:\Windows\SysWOW64\Foenplji.exe

Filesize
64KB

MD5
f0165f3949cf16e7dc236f74fda56276

SHA1
a270404b3182b54403cd3c0bf3fddf2f0fa15dc6

SHA256
d90719aac752ae861c731bb14868194446bda1796596c7cbf82202f320b6b9e6

SHA512
aef2642a6d89c67ed08834591e83cd9b00790e20ff9b414311b832cc52bd5fbbc499a35100de6441b0e0365b6b0360db15cd4560e690c274c7a1903b771b1a0b

Download Submit
C:\Windows\SysWOW64\Gaffbg32.exe

Filesize
64KB

MD5
0fdbcd1066120c941070ece5e3acf073

SHA1
92766bdbd07a721ce1e7d0b257c4727cc98ec3dd

SHA256
24fc8bbb5422f8b9762c65e348642d22a3d2d4e1753a9df4693b95dc9c44b0cd

SHA512
2287791c5d28ebf792d4f667bb1e7763172aaa1c963bcb4e9891d8eec391b24e3d8d71c220d4735cc775ffe1ea93d3d2aa9f64622fa6799e7632110701440a20

Download Submit
C:\Windows\SysWOW64\Gaoihfoo.exe

Filesize
64KB

MD5
013a41220588f7def31d82306ef435dd

SHA1
a3362987670ac378595c0a64f111b36afab8887f

SHA256
0522faafa8176ed8c7a62b474a7f922d80af09d53ca45d1cabab35e7b29e1d14

SHA512
f4bc084abeb5246c75ffded5b10b4c71765fd6be6b89c5c4b4298a53325229a3c8c216e289fef82f52ef0840a19c1d954b664f4beb91592a5bb34b7cef7c34ab

Download Submit
C:\Windows\SysWOW64\Gbecljnl.exe

Filesize
64KB

MD5
ac2625a45f7da845c9383661e660c31b

SHA1
a9d20ccf01dff465af574b7af7a0fea3bd99cd34

SHA256
bdb8ac1d759aacb7073ff3b09f34de5150db59ad52fb91765fc63ae6da76b1b8

SHA512
c81b49c085bd557a19c6095cc55b961b627248c8e108e550479d4d1f1393fd292e21fb058033f75138c93a0977616e3fa136b32b316739f5233aff91fb454d5a

Download Submit
C:\Windows\SysWOW64\Glngep32.exe

Filesize
64KB

MD5
5722c5bd402d201485019777b0c41821

SHA1
0bc08126f2236ab5982a64e578daf7ab94233e31

SHA256
6f67e7a2e4c77402a0ec3bec3345edc8e34a2260f7144212a740ccb3ae3793d0

SHA512
05e4cf04d12c89dd8259c22b56cae6f12544295b9114d7234c2c036e6c71b8c25ca61c41a4cd8d31d9bddde80dfbe71820a0837ace5f544a6f7280549df8af99

Download Submit
C:\Windows\SysWOW64\Hafpiehg.exe

Filesize
64KB

MD5
7bc0ec1c2a81a84c777bbbe6e61d8ed1

SHA1
6e603588eceae18df7a1c0dc290022bdc0db073a

SHA256
329f08f7c1d715af6868d4223ce9f15d7a43bbb3f515805eb711627ce371a59a

SHA512
ecd104ad5f01651e53ebd047d652e47080b59697d6355114cef9107b59bc080790a4f4edb916a8fbea5a04f4f2d64bc3859c8583b44fc7dc5ac0e7498cdb8098

Download Submit
C:\Windows\SysWOW64\Hleneo32.exe

Filesize
64KB

MD5
d724a4f882f5295624083a0b04f210da

SHA1
46063aac7f714b83c9466276c4b7cbf2bb39c330

SHA256
7695076adadf523a47da1386f5bc7a186f672719e84325b4a7a5e01e331d44da

SHA512
0f98adb2e04c978162331d17d0f6a196907f3fc1755b79fb17aef8bdee78ce5e7eb9ca4df032e54c3f5157e4a64e60eac81bf3942ffc55f518801b8e58d5396e

Download Submit
C:\Windows\SysWOW64\Iameid32.exe

Filesize
64KB

MD5
ed4f69fc10d43fe74a90140eb5706264

SHA1
c3de76b6bad400148814d44cc9f2296f3627167e

SHA256
2618e6de1e5bb3941e9bf5ba1b3dee54a28c3a20782711c6c376e7ca99efb58f

SHA512
bbd4c8297bf7247f317abf866296ac6156f4f8f6b052470dbfae7c782eeb7e3a6e7f86b38ccb8bd9d6247fa0fc85f66921602055472231e9e4bc38ee06fe3e88

Download Submit
C:\Windows\SysWOW64\Icdhdfcj.exe

Filesize
64KB

MD5
cdd1343ea946bb35a5bc70ef4105f56d

SHA1
84514f6398af47a74f5a3561a49ed50e4027cdaa

SHA256
998416ee75bed89797024759a0085f0aca732390718c1b0f9e0c8f9637dcf02d

SHA512
9ca8cdc5465ae8fd3435aff41fcccbb7b9264f666f34dbe8003f90027e1af098b8542d52173e18c064062a6c134bb4179fdc8764782acbf75dc77bc1e3907d0f

Download Submit
C:\Windows\SysWOW64\Icmbcg32.exe

Filesize
64KB

MD5
50461db78fb2cdac9af8f7712a7f96ef

SHA1
552b7deba188e3b86cf2761b8569a575f3412b51

SHA256
90a6f4b58ed687101965faf8307545e5035b32d1ecb58b72d7ae3039b137bdee

SHA512
dc8b607f6bd2a0d9a9901894342b06757f79552f9f4c3a70d54ee8587c3f19184f81300ce30a7deaed8349f37fdca52390d8581311cf30e6d5b7ce65d12df6c8

Download Submit
C:\Windows\SysWOW64\Ihndgmdd.exe

Filesize
64KB

MD5
18df853c3fd1c4c764c1bd3847274398

SHA1
ba7cb6dcd6978f75d1a07a6de31446a483b4a087

SHA256
d62543e1abcb49b5e619fbd95803e3085c54adfa70235be52d7d84b2c38d7c3a

SHA512
c9088a817eb7f1cf53035ddd18e36a6fdbaae68718df4c8b2c02a6fca6654fe6dbd95aae409f3c20f24bc169d0c1e8c0c1c784626ed8b30cc1497c3e351430f2

Download Submit
C:\Windows\SysWOW64\Ileflmpb.exe

Filesize
64KB

MD5
66bf219bd3584b2452a043ff95d958bc

SHA1
7cfc0f7f2fb35e467767a50b21ece6ac66d8ec42

SHA256
67ceb418a0a2ef148d215d239a9e94b0b30a249882d1e3b5788be730f3e10af8

SHA512
5f706265509053242fe92ff003048f0321c8170df9315d7305b99b76be72fb986cfc02cc9e8e8852431b8775fd2000ad4ef1a3a059e01dd58379289f8bd0ee38

Download Submit
C:\Windows\SysWOW64\Jfdafa32.exe

Filesize
64KB

MD5
8031d692e7663a74ed02c004eca19552

SHA1
663d9855729acbdb4ff966e677ad9a34b1d3f2fd

SHA256
c483aae4c29305e38f8c479ef4868f752f6cd0c8142e161ad7dcea49b537190b

SHA512
15ea1f7a6beda617e7f66ddb924b47b3b208902ab6d505a0ba14fd8022665f69061984a533257a5dcddb093df0015e180720657ea21beced3d95f3d8e64c8c13

Download Submit
C:\Windows\SysWOW64\Jkajnh32.exe

Filesize
64KB

MD5
858dd058afca139042d36d53c183d34c

SHA1
76f14c7e85550c752d3e7fb1e62ed6d79a7daa96

SHA256
dbad7571705522212ff8f4dbe38205863a1b4b6702894eb1f483dbe36edbfe23

SHA512
7ffaea93e0aa3d4aeca4fe4e1ed913aea6b86ef43249a4204cf416a0278091078870714503c68cbe442e8b215fa630438096468f3918143931066b12506fab2f

Download Submit
C:\Windows\SysWOW64\Kfejmobh.exe

Filesize
64KB

MD5
adf081d8bd0f1245debd618e46b86a9f

SHA1
278617c02edf5e45b0c61aa4aea390ceefbb7519

SHA256
313c0a4655cd1200a46fe18d52100d81a827f4572599c81dd85e668839a166d3

SHA512
467570133f9ab4c329d53c152273ed358acb9e57127f6b6adac22277de3239784266824aad4c195eada3278bb81ccd4f4405f9bb0b681a4630ca7d921f50b974

Download Submit
C:\Windows\SysWOW64\Kilphk32.exe

Filesize
64KB

MD5
22d869163789d78de9065e6d8c4f361e

SHA1
e86ddfffc3079466ff2fa707c2a7dd0153f6508d

SHA256
e12c959894fa45ab4b832155bfa3fe0f8ae539cf35e9681e7e3614b13f34c89b

SHA512
62619559ce6aeceece32d3a5cf8c03808497f15a9068defa6763a65c77f29f268a937ee2a5cafa3a0bb687ffe2b537aefc1a68dab5094d9d156aae4f263558d7

Download Submit
C:\Windows\SysWOW64\Kjlmbnof.exe

Filesize
64KB

MD5
d72762ddd2fb610f9764012a7df9ecbf

SHA1
b1cefced46125f31ececf4836f48469ecd5ae8fa

SHA256
7feb11346c2318ee22100d3865d8374a1da496a1d75298f6de5342c00ea87e41

SHA512
91afde37380d22f49864f9d16c13162dd5d704d1efe27f7a5a2e361837ad34b0ebe6fda4dc023d5c2249eb97a6dba8c77618b9b56403cc271bf387b259a4ac81

Download Submit
C:\Windows\SysWOW64\Koiejemn.exe

Filesize
64KB

MD5
e6a176dc4cbc4f4b32122a54549ee06e

SHA1
1a549761385feca778dd6ec44b009575cf299bb0

SHA256
3aef7a657d0070727fcb83fc32821e2856ed7894cd81136671e78ba49480b5d9

SHA512
c1c3fbb75b4cd30fc9644f905457014b4fcffa32294c3ce2ba4088293a284ae5f6ea24f4ccbf91cc0c2a3a9f480679a1751dff1513183e6344ef223ddd5711c8

Download Submit
C:\Windows\SysWOW64\Lcndab32.exe

Filesize
64KB

MD5
fe06742406bbcf974aa94276ce730251

SHA1
fa99fe1b7af1c4927b8b261a6c6ac1590f490e02

SHA256
0db03433c7bf0e6517781d8c169cbd9845d7d2747de9d256a8a12a8553e3918f

SHA512
370aecefb448a5ff4aa4bfc213ca4b37684dd428585801be62ade67012a9c9793d31eaa27a025ae2c57e7408187c736ad71ec5ddb9a5212e3f151f9cba7cf12b

Download Submit
C:\Windows\SysWOW64\Lmcldhfp.exe

Filesize
64KB

MD5
53b4194bc61cec4d8d9440de62c45ef8

SHA1
fbfcd5fc00c5ab8a36fd5b081f4288c4875094dc

SHA256
9774c0c992b0136574851b956a11ce7f63d4a5df5d7c00c92cc6cee5bf5ea34d

SHA512
d2eb1ffebf6644774710b279812da6bf18d436e3ba75b5b14d1fa6ae8bed8291256f4316aaaddd8488800d85158dd17c00a625cbab37c0f2e55e45805ab8e0d2

Download Submit
C:\Windows\SysWOW64\Lpinac32.exe

Filesize
64KB

MD5
3c17cb830cba122d0b819bfd0a0efc1c

SHA1
6f5575a8585db0a1714e1707f0336d42e3fa9cb1

SHA256
ff4d50101b80403ffbc43e40fb1412b24de9162efa788469d4b4a3fad2fcba34

SHA512
45f8ea5cd79bc8dbb50af5011f15f22614c75ad5451583466a1706dcf34f67f8ea78864ba54e816c0c287542a6fd3309b78b87688b073aa0a1eb807d8d507b9c

Download Submit
C:\Windows\SysWOW64\Mclpbqal.exe

Filesize
64KB

MD5
39444409c3bdb83fc2e255297de65000

SHA1
4fa0549f6616dd3564aea07ecda2db6b9b09f861

SHA256
254cb9927fff6ab740777dea7c942be61ec194665c2124b0d3edbd3dbd3d549a

SHA512
f075479e635c14d1f980f66762b15261749a2ee003202b364346dd0d19a4a7186ba76e2f42ecdb230bbe2a9b87f80fff4d1a3c2c22b8e0fea43001a3016eecb8

Download Submit
C:\Windows\SysWOW64\Mdaqhf32.exe

Filesize
64KB

MD5
89d35a4926a7c6f46c6b66fe2ec3f335

SHA1
dcecfddf424b518e3fa489fcf9ddf38829cd2e6a

SHA256
6f546f5f6598c0bef52e4e40f913df80bbbac6f82a0df937cf765b798d43d235

SHA512
2a7a564bb86dc2cb0b7db5da8aa855bc8f77730af6d7645e63cb815268bc0620290bfa4a7086731752e34082419eead4447723e4a38b01f814daa8f98c8d9c2a

Download Submit
C:\Windows\SysWOW64\Mhjpceko.exe

Filesize
64KB

MD5
4525ae9ef9680dd92be389a9e7406569

SHA1
d0cddca5b359ee898e33bd2f2385f991475f967f

SHA256
225c9a8f9601911f8121d080a8fa91dacd701ddc4c9c7bb9f56702eb31ee6b0f

SHA512
32e2cd5ad2e7f56f64ca99a7d4da377eb5bd19d4843c9602ab07fb570598ba66d58236698445f133d363c395c185bbaaf284cf51ecfc2483f2a99d895860f1ad

Download Submit
C:\Windows\SysWOW64\Mhoind32.exe

Filesize
64KB

MD5
c0e26546166e7572600262ac7d9ec637

SHA1
f27c3a2bbaea613f754d5f1b4e919bbac54f0370

SHA256
9d0ba81aef6ddf7387d993532262cac227043d81fa733042e175a6bf0f6ca3be

SHA512
0899a402241ffc30ba3fe9aced506eccb714dc01b385b1d74e2c1911b2df2646ed5e444b5fed243f304690a50f8876aeea1ac27349505a4d40a3670216f4b7ad

Download Submit
C:\Windows\SysWOW64\Minipm32.exe

Filesize
64KB

MD5
72cc5e9dea40e9db532b1134ceb116eb

SHA1
3d29b817cc62b70ba52783cc9d3c102ad653cd2b

SHA256
e5855d8545ac4ad8a4d6b5dd72376a88c97ac1af1a90f86841228518c03ac921

SHA512
cd350b25a973f77eb1c0358af2f8d8ed52d9a242f9fde377a59503faf6158fb4b3b11f27207bc981ea1e9974919afdf328c0ff2fd0f459d0cf3119886c51dfa5

Download Submit
C:\Windows\SysWOW64\Mjcljk32.exe

Filesize
64KB

MD5
a8106e28cdc5431ee87a0d5393580dc4

SHA1
a7dd75334e846bfda2e295454638814f05b2f6cb

SHA256
197ff85a9f09328d3759181c42072a273f6c226f9882078b691b3836454e82a8

SHA512
22e7a34d56712490ce8ada5241a6011fdd456420608ba099cde6e12325dd1523643040a7e6405ce6d305af17fa9ac9566375f876f577466f62b519706a6e1228

Download Submit
C:\Windows\SysWOW64\Mmghklif.exe

Filesize
64KB

MD5
65fc360f7e6249ab1674621fe6c5ec7a

SHA1
4739daed951494c500fafd830ccfe293712f3d3a

SHA256
273af8b9a9aec31446975bb53047f63013f60837838355bfb843c536153a3acb

SHA512
862a1c4af61c1c51b03581cc672bcdf24f4b37d80de5bc32b2f514b723754cf5bec322fb357defeeec86194a06aea3692fb5451be63efb319cff65dd73e0467e

Download Submit
C:\Windows\SysWOW64\Mmokpglb.exe

Filesize
64KB

MD5
0764ca16a3a820a3024938859eca13a4

SHA1
aeaaae8953749f82ecacc13a951559ff14b2dfef

SHA256
4cd1e7805384a7d59a0e1d65a65dbe3df3a36a0004212989fe611d4d6c9e213f

SHA512
9edfbeefd959dffed9d0cb1d7872d8c26e5f8fe1646449ac03b00eb06fb1c89f5c253779e54a9798c3fd85933b4da8850b73ffdfba838218ffe933a5e6e172d1

Download Submit
C:\Windows\SysWOW64\Mpchbhjl.exe

Filesize
64KB

MD5
88e5b36fb89e4df165c48e32699e6126

SHA1
e37aeb9b74a3b1b5b27e9552b7c6eaf62900a98f

SHA256
cd04e00538d094d9d365f45f5fbf85a5a025040775f17696e9c6068429e18b64

SHA512
d03bb4a6c3060c65e9f52605dfe7f7784d92688cb7cc42506ff891e54b371b0c9baa390da162df6c91265e7360adf177183e17fa041365797d2e84c22a3aaaae

Download Submit
C:\Windows\SysWOW64\Nalgbi32.exe

Filesize
64KB

MD5
84afee0db71c7ae3cc65b73463550090

SHA1
85efaa46714db6acb52d1317481adf930a7108f3

SHA256
16e10e3fadc440049877ba8f41aafc62139cfffef6c9c11f1eeff7eb91ceac50

SHA512
def46032160d51a81eb2c30617580e3ff7a8904b9912f351f08cd1a0af3569d7f2b3c73b40e347fec982bfa5ea8aa86c122afa32cb909318f8deee023460ef5c

Download Submit
C:\Windows\SysWOW64\Naqqmieo.exe

Filesize
64KB

MD5
680afb40bc7fca933c5817bb57252a4b

SHA1
0bd2176a1a8486ca2e7a84b865b709ec5004434a

SHA256
fe6ab5d95d75d121a5aad4700bcc3fe2a704fd850ef9108d5c52b35fd98d82ce

SHA512
19f268aa9cf73c6af7a8c5389beb5e01c3fdb7a311a07d79d5daa03973c9fffd6af22b1e4231e0f1b2e3cadf0263d2c39120627b348c6132c5e2b06e84b8071e

Download Submit
C:\Windows\SysWOW64\Nbefolao.exe

Filesize
64KB

MD5
c0bd26c3ffd305b0109777f38f101edb

SHA1
671102fd6a56479c24cf697823027c5320290431

SHA256
e631902e12c1cd5ad82b862b43c074019aab01ba0398b87dafdcaa1b969034b1

SHA512
1fba3159ce546e0989c98d33916d488c06b3a9acbb102dec0c78b25118cc7f68baaad1b7d8fe33a2777208139195b954226a5a676a1469ca249e5b7475a8fe9c

Download Submit
C:\Windows\SysWOW64\Ndhgie32.exe

Filesize
64KB

MD5
35be67acae3ccbabf5f1e64d64b68c2e

SHA1
94545164e86fac9de5daf66d833f50bbfeccfd6a

SHA256
a3733f5ebaa91c1708a03bff1d755d08b74f4a48c9cc2f5c2a7b53e0510f4160

SHA512
5d02217a777751e666bc2a702f7dca85eb1e43cf9fa38b5c6001967b9c1219d309d7352c4421b64d512497d90e13e3362aec6aa0931b195c5f9862361d45dc58

Download Submit
C:\Windows\SysWOW64\Nffljjfc.exe

Filesize
64KB

MD5
d5b8f0fcb501c73c95d30d4594e6ed15

SHA1
da3e5edce5bab84b773377b0ae4701824b8cf7c2

SHA256
9c8b6b944109f647817ddda91f47613a310c1698c99f9bd8610d3fbf09b57405

SHA512
3a68f12988c2110c812cd76e9f681eea30619e5d54d43fa3e253393f122aa7ed3fb7fa9b150811deaca5ed42c3b35ad1bdcb0e29fa744b81c11b085a972c947f

Download Submit
C:\Windows\SysWOW64\Ngklppei.exe

Filesize
64KB

MD5
2fdd5f823404d863000b04cbfc85802d

SHA1
2d0f5f895b9e70839096d00b749717ecb460399d

SHA256
49cc4af53406740d9b5a3cd5b7c2a34bf68c4ba11a9ba69330fc273d5d608810

SHA512
fbc1eafab55cb3bc4b5ca4018d70df1ba39a5bbf94b820f36864fe28b03e26284c6d29569a07e39f7ddee1aea9668f1f1039dbf555b9d33b577aa92b306854e1

Download Submit
C:\Windows\SysWOW64\Nhafcd32.exe

Filesize
64KB

MD5
a5f5eda5caba709ddecc9f9761db2a40

SHA1
b645b730e6ac5d99f7995b95abcd4fde9bc7aaf4

SHA256
16de855c678374719ab02c6bf451f14cad3ed004fbe030cb51a548781a80975b

SHA512
dc7e454ca83acff22d228d60dcadecc28cbb31f321ecee3759dab6607508d502600931d036de646965cf657638725c1b92060bd914721f78d7c8c46ae6fc1a32

Download Submit
C:\Windows\SysWOW64\Nhfoocaa.exe

Filesize
64KB

MD5
2d4e18c8ba2daf0e74b120c6e0b8593c

SHA1
a0ac6f234acacaad49b068a5e5311abaa9af917b

SHA256
d17476a776718ab9f164a532c336f15ee408092e906b764b2a287ed9f1bf3813

SHA512
29d0e8202211c3161c5fa5cc93453c995b6850001e53abb6cca5a50979317d0d63376106eb3f9d1821b7dc5f4f3e49fc4bdfaebf60338ba66bb7e9fbcab26662

Download Submit
C:\Windows\SysWOW64\Nibbklke.exe

Filesize
64KB

MD5
24260925b063abd9accf2d8edc600b0c

SHA1
7a0a8343cc017a96542700d77fa604e93e0c2b3c

SHA256
e05bd66acf71ea5d00aebb241d7da31b768d7c787ba52b94026fcda0484f1e29

SHA512
3908c352a208525369401b498a24b82dc0bcad232b59fa7baa62913217682125aa4d5fcd8bb5708bf4b2fe13909df8dd62f8b8336733c0c698f0127296e41a4c

Download Submit
C:\Windows\SysWOW64\Niglfl32.exe

Filesize
64KB

MD5
912dd9bf901a1c252bf72e18be79583c

SHA1
f7134a2cf544804a10890ad2aa3f68ce7dfa6432

SHA256
04a74a91365751b0fadf2ab175ef1758c241a5c7607185494e6a30210c7d4c91

SHA512
d5db3bfd94e8e4f428186e4d3f6bca498e2cbb1b2bbcf1bef080d2d2ed4038199615bbcb48b1be317accf2d54910777c41dff6cea6377400ad9e67520fe944b8

Download Submit
C:\Windows\SysWOW64\Nkboeobh.exe

Filesize
64KB

MD5
33575dfb99105f338673d35c7944f84c

SHA1
02b5d44e8ff794189c76fd9ffc2ccface0e02092

SHA256
84b960103aff2bb51b2ae829126ca593665d3486307beeb0159d60bb2c2aa205

SHA512
eac88d4ecb4f81aeb6f0b5d8d1af41f9e959ff2ab776ac4d0e766d5871c9060ebc304fc3192fb7d9ffb94cdc0a30a3a81d8fa0edbdd1571c337323c13847a63a

Download Submit
C:\Windows\SysWOW64\Nmlafk32.exe

Filesize
64KB

MD5
5ee60278efbd7c930fe0fec4e3214ec0

SHA1
0d2a8932eddd407ca38f641157914dade1ef3c41

SHA256
a0e8ab49c0b477b1ad52c696bbc70703e28e713f4babdffbb7ac8efb8ead2145

SHA512
3235c9bc8cbeda01820886b4f0e6c3d5f871cc123483754f32a59e1f59a8bc020b3bbc04e850aa3421436bf1138ad8ba32e4402e529b6a1551ddf127c3954c2f

Download Submit
C:\Windows\SysWOW64\Npadcfnl.exe

Filesize
64KB

MD5
6182fc48aec58d4223d24b3053ae72cc

SHA1
dac15f35287d850b5bf6cb0df31d3daffd165675

SHA256
3c4ee1b457867f9fac2039eab2087f3407c84fc438bc9583041f8fd4009ba4f6

SHA512
9d60022552e69c6c4e6e08e8c5ba6cbed46b8b47f62b07e3261786ab3760be185eb6f0409ed17e1e66be006d01e69287e149810383ab54688db9e1c46c3bcab0

Download Submit
C:\Windows\SysWOW64\Oaejhh32.exe

Filesize
64KB

MD5
be53b14b5c0a321a42d33f151adc8d92

SHA1
de3bca66bcf00305bad007076880bd90dd191c25

SHA256
496c886540ed53424080d6831a9c7daa19df535e7719e3bd3914714eae8906ef

SHA512
19a580703bf1e005e91eb908301799e98b2effb4c01a4a287b5518c9e9f456a339f13cc5d64fb0dd47748b3f35fb41726b06265a3b34cca18341d0340407a525

Download Submit
C:\Windows\SysWOW64\Oahgnh32.exe

Filesize
64KB

MD5
45b9ea9f515af7dea28d911d9860b001

SHA1
dd656d0e7a70d822606ce5fbaf04dd96315bc517

SHA256
081d432dec103a17d6b066f5263690cf11deec6d6064a09c1469052ab29c7385

SHA512
9615734fa70abfeefdff91239f557976066f6ddaefa45dbdd5de5cba899596cfb046b99b20bb350bff49964a300ec5da186dfd1c98a0d9bb7803f25607a4cfc8

Download Submit
C:\Windows\SysWOW64\Odaiodbp.exe

Filesize
64KB

MD5
8f16f071567dd3ccf77199e8df0dbe89

SHA1
ba9c604f5b9faf6a829dd23b4c97aa179168c834

SHA256
6eebe278c947e9051f1f8b901574cd7909927d469c0a5001af771b5a13c90e80

SHA512
6e513857c6f64e5eaa565b3784709470fd5f286a9ac020d564e2f46549771da7e1ed8b2943be7749761a4daee953abfb298bda538c18dc86d9ff41f2e60c94f5

Download Submit
C:\Windows\SysWOW64\Odcfdc32.exe

Filesize
64KB

MD5
829ab496b766df570e42de8b2c444dd7

SHA1
537e1a91819fc32385e00facb854c89a33376a3c

SHA256
2fb073e7e5dbdef9cb9486c531505f3317436d5f88a4017495cd46aa3f824ac8

SHA512
c8b5f095320c88710618060abfdd0bbc8dc1511a43e940e6a996b6535c1e8d8095489c8c308a46f4ddf65d124574e7bed026463634feb1445af532917fc8ead1

Download Submit
C:\Windows\SysWOW64\Ogbbqo32.exe

Filesize
64KB

MD5
5dea2e70a6fc8eeeb5af79977fb6a2cb

SHA1
bbc2135acdfc93b4204bc31a26d4781acc8bbaf1

SHA256
0885035d4ebfe2ca01bbbcb09dac640bbcff4c5a85011ca7b5fd52df74c93e36

SHA512
2466e3d00b7c4bb7f62ca1e722d5d2156ff9dca07670ca45df945152add3573438d441bdeefac9ca957feab8507167a15c4a0daa4d5c5ccfbfcdbcc711741b3a

Download Submit
C:\Windows\SysWOW64\Ohaokbfd.exe

Filesize
64KB

MD5
af868936ea2cabd3106cda2490f30a5a

SHA1
549061284beab6c3eb422c142872b26a8804755b

SHA256
a2188937c298a98b2283c2f1509736d321f91bba1122c0fbc018a995fd1b5bbe

SHA512
e02b224a02b9229cf0fc8fe449e95f5cbe0cce7d9fdc69585e89e64a9a7a84d2eff09887f7344ebcebda43877b5dc5ef4f2f7b1ac18c7732be698f439ff6da02

Download Submit
C:\Windows\SysWOW64\Ohdlpa32.exe

Filesize
64KB

MD5
576ba774eaddc2869ef05721d6258e36

SHA1
6b9163e936a3f0ab39003efdbf7a288fa3c368fb

SHA256
b670f095729143acad224c05f58651ca55991873eec0d93bde11d8bb67dd1e72

SHA512
a42e2109eed54d451837f024e7a64d35b83c91aa0b5a5031a4c59d742607e920d2ffbe59773f24f066975dc606830654dff2af3dbb47c68eadb3d5a6b87bc77d

Download Submit
C:\Windows\SysWOW64\Ohkijc32.exe

Filesize
64KB

MD5
06d7d70582276db8eca113a1973a80ff

SHA1
5fb08e8efd9dca017b01b72d9a50989fd4ecd9de

SHA256
e2aee3a6c7ab6db6a103133c92e5137159c4419b0097d8279065c179052267ea

SHA512
5db1ac90486dbfe826c5b843d7ea2aed34b1629ef9f75ad5edf93a3f70f41e95c8e9f8dfd2f2da2333fdfabdc2c32ec71a82f64db5ae02543e5ce8adda369ea4

Download Submit
C:\Windows\SysWOW64\Oinbgk32.exe

Filesize
64KB

MD5
264cae2a5c89c65725cadecfc253da11

SHA1
87ea0661c0a4309aa5213969658c1122ac90b0d5

SHA256
2adcaf1854801b66f9333cf81651ffadb1ff4797f4c40f8353cff85ea9e880dd

SHA512
e2953a229fbf09d153cd3d99cb6087e5c01e1a145c845d16c690cf427094d39a9c96e7fdcaf866ba8ec2824f02ec2678538f94ab123ef695ea946ed2e13552ae

Download Submit
C:\Windows\SysWOW64\Okiefn32.exe

Filesize
64KB

MD5
e9b89aee88afd344115f1c7e2fa378b9

SHA1
56a951a05818d1209dff480545ed53fe6aaec158

SHA256
fd9c429181239e0e85ff74db5120c75d18abfc5e78f643ea105b1f9e273b0bdf

SHA512
f971b1d0e2c38db61eefdee9d805b2778501bca3b96bd4a0919db1aa869bc70f9d51277563b31bb31d35fceb51cdac83874777c7c2a17ab7c6aeb0e288d1ebf4

Download Submit
C:\Windows\SysWOW64\Oknnanhj.exe

Filesize
64KB

MD5
49c8f1b6ebeeb33e70ee31f67b484ded

SHA1
908f968d8bc4a4e2956db1113c35fc2933c4eb30

SHA256
1ce9138a53644898da0a9cf902da09931abe00fa63621581362f2fbd7c80927a

SHA512
f47863a65165cc186e8b81d03dad98436c6d7e048dd7d96292433bf28ba28683c016dd6530616f9895e77896ccab5036919b64703c00825337d49b7fe093824e

Download Submit
C:\Windows\SysWOW64\Opfnne32.exe

Filesize
64KB

MD5
051b2d7e56803c8bd9bfe3cca4316ff2

SHA1
bc75154452ee3a4ef74e653fdb8d166b3e528e98

SHA256
843e55470a75914846ab4f5beca0fc3d57496b47b1dd0a1b516bf9177c7a3d2f

SHA512
2b1425a0fc3f16a98401ca58404e6a3c6048635b01bb9e2ebc4037033e61532ff1918f6e9bfe715afcccd16818d3d8d30d9583fae68c6010a18f995aa1751cd9

Download Submit
C:\Windows\SysWOW64\Pdklebje.exe

Filesize
64KB

MD5
56d4efa64d7376e709da02359c8b908f

SHA1
0c936415eeaa71fe9b6fc5655ab835c2be46106a

SHA256
70d6187abc634d678861df41c4aa4a5be8d63d3b46de028074859b6cbe88f6a3

SHA512
4315f2943d88a460846b28d633e202fc12ff17b99be23c07768bf9233a4c6331e83def6d92e74e9d0cfd517c32dd9c07d8aa39aa9fce20a003fb3488c499561a

Download Submit
C:\Windows\SysWOW64\Phiekaql.exe

Filesize
64KB

MD5
4282ea6ba8f990b9584462ac8da304b3

SHA1
480b94e5a8e715d25b24bb73dba79033469e298a

SHA256
832afca098acefa9c4a5e211eedbc3a0d08f2f11aaadccb2dceb216db8daba02

SHA512
0afbcb0fe6436a660745cb9ccce793ede6df75355dc3146b2d4685f188092c30b538d5b586dc8fb4d760b21226bdaf9e7677bbebbc5a1c4605567fa070ccd478

Download Submit
C:\Windows\SysWOW64\Pjgemi32.exe

Filesize
64KB

MD5
f81a1f7f15f380b9cfd832954b0b8175

SHA1
e849adbaf2c92a9364511aab2e03b2304e707a7e

SHA256
ea2a3cd1734ff12c8c8d3ec1eb87e8df9c382b65fa9872ca27ed59914a785a3c

SHA512
5af0cbdb61c9f87c70177f3125e037eefe692c36ad5eba8cbdb9772e2ee4de48eaca6b6e6bb1cc0e208bea3f30da7126153cf8c6761742aca896442f4952625f

Download Submit
C:\Windows\SysWOW64\Pknghk32.exe

Filesize
64KB

MD5
b05882c750069b099560ebec3a9c8dc1

SHA1
7170f5feb9ab872dd9d44d8e812a2b5c2e2fc978

SHA256
f8d6d65937e523ffe6fb166deea71970b0c373a9d3159718009d39d12c8af0d6

SHA512
cfea86003032b56d1c210bb7ccbfa13dafb27ff6e1f28c892daadb7f5c5ca93d0a415282b7e57c3f09bfcdd94024d3d898242812ba9a3eaab15156ba19faaf6b

Download Submit
memory/208-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/348-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/348-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/680-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/960-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1140-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2884-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4100-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5248-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads