berbew | 1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21N.exe
Size

327KB
MD5

7536e25d98d0a9ca17e3dae1fb395f40
SHA1

3e4a95705b0ca3e614b6c6240af7429a74b00596
SHA256

1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21
SHA512

a5e6f4cbc80c76ff6fb72f7d140b9ec7a5e351a3a6cf099302bf7eb57703cca623d07b4b2ac4f3afe3f1852d8b06f6bf2cf73b6046045bffb9d0f3751ffa5fdb
SSDEEP

3072:K+/rOloeivFzcxX8BqG/CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEESLjb5m0t4ri:K+DKVivFzcto/hj0+r+Mds9BY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiopca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapppn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggkqgaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlblcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haodle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqpfmlce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehndnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eghkjdoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feenjgfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kheekkjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcndeen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiacacpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqbcbkab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klndfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mledmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceefd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqbcbkab.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2216	Nfjola32.exe
744	Nnafno32.exe
4556	Nncccnol.exe
5024	Nqbpojnp.exe
1076	Nnfpinmi.exe
3448	Njmqnobn.exe
1464	Nceefd32.exe
4676	Ojomcopk.exe
4704	Omnjojpo.exe
3716	Oaifpi32.exe
2320	Ocgbld32.exe
1504	Oanokhdb.exe
1824	Oclkgccf.exe
4972	Omdppiif.exe
2712	Omgmeigd.exe
4700	Ohlqcagj.exe
2300	Pjkmomfn.exe
760	Pmiikh32.exe
1568	Pmlfqh32.exe
4092	Pjpfjl32.exe
1516	Paiogf32.exe
2104	Palklf32.exe
4128	Pmblagmf.exe
4992	Qfmmplad.exe
1144	Ahmjjoig.exe
4340	Aphnnafb.exe
4512	Adfgdpmi.exe
112	Aggpfkjj.exe
2364	Aopemh32.exe
2316	Bgkiaj32.exe
3688	Bacjdbch.exe
3988	Baegibae.exe
2484	Bnlhncgi.exe
404	Boldhf32.exe
3132	Cggimh32.exe
2844	Cnaaib32.exe
4932	Cdkifmjq.exe
4276	Coqncejg.exe
3596	Cdmfllhn.exe
3212	Ckgohf32.exe
4960	Cpdgqmnb.exe
5008	Chkobkod.exe
2068	Cnhgjaml.exe
4884	Chnlgjlb.exe
3312	Cnjdpaki.exe
4924	Dhphmj32.exe
1620	Dnmaea32.exe
4868	Dpkmal32.exe
4600	Dgeenfog.exe
3384	Dakikoom.exe
3428	Dkcndeen.exe
1124	Dqpfmlce.exe
1624	Doagjc32.exe
3580	Dqbcbkab.exe
3752	Dhikci32.exe
852	Ebaplnie.exe
2012	Egohdegl.exe
4980	Enhpao32.exe
3928	Ehndnh32.exe
2356	Eklajcmc.exe
3632	Ehpadhll.exe
1832	Ebifmm32.exe
4524	Edgbii32.exe
5004	Enpfan32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhhmleng.dll	Omdppiif.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Cnjdpaki.exe
File opened for modification	C:\Windows\SysWOW64\Fqeioiam.exe	Fbbicl32.exe
File created	C:\Windows\SysWOW64\Ngckdnpn.dll	Gicgpelg.exe
File opened for modification	C:\Windows\SysWOW64\Ihdldn32.exe	Iiopca32.exe
File created	C:\Windows\SysWOW64\Hlhmjl32.dll	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Pplhhm32.exe	Piapkbeg.exe
File created	C:\Windows\SysWOW64\Lelgfl32.dll	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Ehpadhll.exe	Eklajcmc.exe
File created	C:\Windows\SysWOW64\Onogcg32.dll	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Ehblpall.dll	Eklajcmc.exe
File created	C:\Windows\SysWOW64\Enpfan32.exe	Edgbii32.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Dakikoom.exe	Dgeenfog.exe
File opened for modification	C:\Windows\SysWOW64\Hnibokbd.exe	Gaebef32.exe
File created	C:\Windows\SysWOW64\Hnnljj32.exe	Hiacacpg.exe
File opened for modification	C:\Windows\SysWOW64\Klndfj32.exe	Kiphjo32.exe
File created	C:\Windows\SysWOW64\Hlqeenhm.dll	Kheekkjl.exe
File created	C:\Windows\SysWOW64\Nqfbpb32.exe	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Emkbpmep.dll	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Edgbii32.exe	Ebifmm32.exe
File created	C:\Windows\SysWOW64\Kcoccc32.exe	Klekfinp.exe
File created	C:\Windows\SysWOW64\Oifppdpd.exe	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Oiikeffm.dll	Dkcndeen.exe
File created	C:\Windows\SysWOW64\Ichelm32.dll	Klekfinp.exe
File created	C:\Windows\SysWOW64\Ofegni32.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Nncccnol.exe	Nnafno32.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Ghfedh32.dll	Fqeioiam.exe
File opened for modification	C:\Windows\SysWOW64\Hicpgc32.exe	Halhfe32.exe
File created	C:\Windows\SysWOW64\Flinad32.dll	Jlbejloe.exe
File opened for modification	C:\Windows\SysWOW64\Ljdkll32.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Nohjfifo.dll	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Fgjhpcmo.exe	Fqppci32.exe
File created	C:\Windows\SysWOW64\Njjmni32.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Cmmdfp32.dll	Doagjc32.exe
File created	C:\Windows\SysWOW64\Fbdehlip.exe	Fofilp32.exe
File created	C:\Windows\SysWOW64\Hahokfag.exe	Hnibokbd.exe
File opened for modification	C:\Windows\SysWOW64\Hahokfag.exe	Hnibokbd.exe
File opened for modification	C:\Windows\SysWOW64\Halhfe32.exe	Hnnljj32.exe
File created	C:\Windows\SysWOW64\Lakfeodm.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Njedbjej.exe
File created	C:\Windows\SysWOW64\Fknofqcc.dll	Piocecgj.exe
File created	C:\Windows\SysWOW64\Apgnjp32.dll	Pjpfjl32.exe
File created	C:\Windows\SysWOW64\Ahfmjddg.dll	Klggli32.exe
File opened for modification	C:\Windows\SysWOW64\Mlofcf32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Ppgomnai.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	Piapkbeg.exe
File created	C:\Windows\SysWOW64\Kmkdjo32.dll	Nfjola32.exe
File created	C:\Windows\SysWOW64\Ocgeag32.dll	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Bacjdbch.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Hpioin32.exe	Hahokfag.exe
File opened for modification	C:\Windows\SysWOW64\Iiopca32.exe	Iafkld32.exe
File opened for modification	C:\Windows\SysWOW64\Kadpdp32.exe	Klggli32.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmmoj.exe	Oifppdpd.exe
File opened for modification	C:\Windows\SysWOW64\Nceefd32.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Hbobifpp.dll	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Ndjaei32.dll	Dakikoom.exe
File created	C:\Windows\SysWOW64\Oblhcj32.exe	Oqklkbbi.exe
File opened for modification	C:\Windows\SysWOW64\Ppgomnai.exe	Pmhbqbae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7284	7200	WerFault.exe	288

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omnjojpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iafkld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmqnobn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jahqiaeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafmjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbafoge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbccge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klndfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhbqbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciqnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqbcbkab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hldiinke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafdcbge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjnnbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mokfja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgbld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebifmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplmliko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lakfeodm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblmgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohqnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbbicl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggkqgaol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnhfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pblajhje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllagh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmmoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piocecgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqpfmlce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edionhpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfldgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdbgncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klekfinp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomcopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Halhfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikoopij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kheekkjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcoccc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nncccnol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfpinmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foapaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllhpkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakmna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oblhcj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Foapaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiacacpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nncccnol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eghkjdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kheekkjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieppioao.dll"	Egohdegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onogcg32.dll"	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khlklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnjp32.dll"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dakikoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcdlpbd.dll"	Fbdehlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnnljj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkmfbo.dll"	Kplmliko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehndnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgfnm32.dll"	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpibgp32.dll"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpemfc32.dll"	Lojmcdgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjaqmkhl.dll"	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbccge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkhpfbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holpib32.dll"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likage32.dll"	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icbcjhfb.dll"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgjnl32.dll"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmcjnkq.dll"	Halhfe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2216	2548	1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21N.exe	89
PID 2548 wrote to memory of 2216	2548	1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21N.exe	89
PID 2548 wrote to memory of 2216	2548	1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21N.exe	89
PID 2216 wrote to memory of 744	2216	Nfjola32.exe	90
PID 2216 wrote to memory of 744	2216	Nfjola32.exe	90
PID 2216 wrote to memory of 744	2216	Nfjola32.exe	90
PID 744 wrote to memory of 4556	744	Nnafno32.exe	91
PID 744 wrote to memory of 4556	744	Nnafno32.exe	91
PID 744 wrote to memory of 4556	744	Nnafno32.exe	91
PID 4556 wrote to memory of 5024	4556	Nncccnol.exe	92
PID 4556 wrote to memory of 5024	4556	Nncccnol.exe	92
PID 4556 wrote to memory of 5024	4556	Nncccnol.exe	92
PID 5024 wrote to memory of 1076	5024	Nqbpojnp.exe	93
PID 5024 wrote to memory of 1076	5024	Nqbpojnp.exe	93
PID 5024 wrote to memory of 1076	5024	Nqbpojnp.exe	93
PID 1076 wrote to memory of 3448	1076	Nnfpinmi.exe	94
PID 1076 wrote to memory of 3448	1076	Nnfpinmi.exe	94
PID 1076 wrote to memory of 3448	1076	Nnfpinmi.exe	94
PID 3448 wrote to memory of 1464	3448	Njmqnobn.exe	95
PID 3448 wrote to memory of 1464	3448	Njmqnobn.exe	95
PID 3448 wrote to memory of 1464	3448	Njmqnobn.exe	95
PID 1464 wrote to memory of 4676	1464	Nceefd32.exe	96
PID 1464 wrote to memory of 4676	1464	Nceefd32.exe	96
PID 1464 wrote to memory of 4676	1464	Nceefd32.exe	96
PID 4676 wrote to memory of 4704	4676	Ojomcopk.exe	97
PID 4676 wrote to memory of 4704	4676	Ojomcopk.exe	97
PID 4676 wrote to memory of 4704	4676	Ojomcopk.exe	97
PID 4704 wrote to memory of 3716	4704	Omnjojpo.exe	98
PID 4704 wrote to memory of 3716	4704	Omnjojpo.exe	98
PID 4704 wrote to memory of 3716	4704	Omnjojpo.exe	98
PID 3716 wrote to memory of 2320	3716	Oaifpi32.exe	99
PID 3716 wrote to memory of 2320	3716	Oaifpi32.exe	99
PID 3716 wrote to memory of 2320	3716	Oaifpi32.exe	99
PID 2320 wrote to memory of 1504	2320	Ocgbld32.exe	100
PID 2320 wrote to memory of 1504	2320	Ocgbld32.exe	100
PID 2320 wrote to memory of 1504	2320	Ocgbld32.exe	100
PID 1504 wrote to memory of 1824	1504	Oanokhdb.exe	101
PID 1504 wrote to memory of 1824	1504	Oanokhdb.exe	101
PID 1504 wrote to memory of 1824	1504	Oanokhdb.exe	101
PID 1824 wrote to memory of 4972	1824	Oclkgccf.exe	102
PID 1824 wrote to memory of 4972	1824	Oclkgccf.exe	102
PID 1824 wrote to memory of 4972	1824	Oclkgccf.exe	102
PID 4972 wrote to memory of 2712	4972	Omdppiif.exe	103
PID 4972 wrote to memory of 2712	4972	Omdppiif.exe	103
PID 4972 wrote to memory of 2712	4972	Omdppiif.exe	103
PID 2712 wrote to memory of 4700	2712	Omgmeigd.exe	104
PID 2712 wrote to memory of 4700	2712	Omgmeigd.exe	104
PID 2712 wrote to memory of 4700	2712	Omgmeigd.exe	104
PID 4700 wrote to memory of 2300	4700	Ohlqcagj.exe	105
PID 4700 wrote to memory of 2300	4700	Ohlqcagj.exe	105
PID 4700 wrote to memory of 2300	4700	Ohlqcagj.exe	105
PID 2300 wrote to memory of 760	2300	Pjkmomfn.exe	106
PID 2300 wrote to memory of 760	2300	Pjkmomfn.exe	106
PID 2300 wrote to memory of 760	2300	Pjkmomfn.exe	106
PID 760 wrote to memory of 1568	760	Pmiikh32.exe	107
PID 760 wrote to memory of 1568	760	Pmiikh32.exe	107
PID 760 wrote to memory of 1568	760	Pmiikh32.exe	107
PID 1568 wrote to memory of 4092	1568	Pmlfqh32.exe	108
PID 1568 wrote to memory of 4092	1568	Pmlfqh32.exe	108
PID 1568 wrote to memory of 4092	1568	Pmlfqh32.exe	108
PID 4092 wrote to memory of 1516	4092	Pjpfjl32.exe	109
PID 4092 wrote to memory of 1516	4092	Pjpfjl32.exe	109
PID 4092 wrote to memory of 1516	4092	Pjpfjl32.exe	109
PID 1516 wrote to memory of 2104	1516	Paiogf32.exe	110

C:\Users\Admin\AppData\Local\Temp\1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21N.exe
"C:\Users\Admin\AppData\Local\Temp\1d662427411f9cb2ff493e46e897ef10f5e1f6cb7655f30cdd7efbfa447d2d21N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\Nfjola32.exe
  C:\Windows\system32\Nfjola32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Nnafno32.exe
    C:\Windows\system32\Nnafno32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\SysWOW64\Nncccnol.exe
      C:\Windows\system32\Nncccnol.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        23⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        25⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        26⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        32⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        34⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        42⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        48⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        56⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        59⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        62⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        65⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        69⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        71⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        72⤵
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        76⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        77⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        79⤵
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        80⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        83⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        86⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        92⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        93⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        95⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        97⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        101⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        104⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        105⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        108⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        109⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        110⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        111⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        124⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        129⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        132⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6240
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        136⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        137⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        139⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        140⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        141⤵
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        142⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        143⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6720
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        146⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        149⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        150⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7060
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        154⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        156⤵
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        157⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        160⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6736
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        165⤵
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        166⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:7052
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        168⤵
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6180
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        171⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        172⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        173⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6892
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        176⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7116
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        178⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        179⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        181⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        183⤵
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        184⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        185⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        186⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6900
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        187⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        188⤵
        Drops file in System32 directory
        
        PID:6436
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        189⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        190⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        191⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6812
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        193⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        195⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7200 -s 424
        196⤵
        Program crash
        
        PID:7284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7200 -ip 7200
1⤵
PID:7260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
327KB

MD5
63e7e349f348ae7c9722f410a488f17b

SHA1
b3e055792a7ffdc8b122be0d4698ffe72275bceb

SHA256
e70984d3254247ff62464df9e20cad1dc248c8317d5a61d68986a909f3f2e814

SHA512
6bef2d8383152f37e1413b14bd553834089dcd23f1d621431eda5139f4d9323a579e83f3cc24c71cf826cc160fc7628d632cae1137b395d706605ad9d52b94b6

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
327KB

MD5
99833173abc78385a4c082420dd0ec92

SHA1
f53efce73d8dfc68ab85c160bcd7aac9a74fc47d

SHA256
a32f28528f5507e7e4ce726b185b16f823206d17eb5edd6a5b0eeb363f3fcdd3

SHA512
dbea2a5ce4de38632dfb738144e3c87876e0653a8389095ddac5c55a67af869d588a7deeb1e7782f45c9a9f249429bc2a99a7ce896f828ba3e14dd9f1bfb2faf

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
327KB

MD5
02ab545d92777ac4d6c670ced81ee044

SHA1
294560cadb9d47cbfd983116f03612195f8296a4

SHA256
1f00741710976735f67a56016add59da64700d2b9c49f2ac0e6aac8fcdaa5a6e

SHA512
93be0e274eae85d33cfea2c1aa28b7cf45bb1b6df5a437ac12a08a59cacc688d347e3922a8dd30d32dc2419934c2b76559091df6c98778a5858f9990e15e9ea4

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
327KB

MD5
9ed65f5af6e7b3994388a9aaeea1db64

SHA1
cc4b03d0d9c1e5cb1cd89b877c3aed2181bfa4f4

SHA256
05b748e0b0e3fa19dd44ef825d86e8cc1efb3a7c8669f6561906770538c5880d

SHA512
22c6b75e586d5354c053df4bfad341531e79e8429cc2b64c0331125ffadeadfb38edb7dd6836d49959ebc2666ad8740c59f8d58221b906176423f0fbc630d5e2

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
327KB

MD5
02ae834a7cafd50c2ea019e73b872b3e

SHA1
36a71c15cdd33f631f4a85cc24a691228014d2fd

SHA256
9a2b5f8d582455946103907877b35e4c730df13c4f2724e3c58b862c1586fce6

SHA512
8e4e1c9aea8671cc7259e69ab5797ec6b94487e35c83dd71a0fa46e57a5287439e991432481fe00038c8a697395479c4900df0900bb33ff65ec694ec3d923669

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
327KB

MD5
cd102593f938cb1448a296df940518cd

SHA1
54b307b7ba42450ada3d2436991022c3588775fd

SHA256
ea7c16b0e40dfe41da470ef35adfaabd06ff42ffe89f81e7f92cc002931c9200

SHA512
0a8e5c2874a9e4e7c499938656ea28d57824a7dd164ecfb0bdb828dd0a583ebd793dabb098fdebd26426493cd3a8afb62c003234c54b93ab673f3ee4c07736d8

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
327KB

MD5
32457f07e6c9c2ba35982aed23af26b6

SHA1
34a32f4de288017f2fbb9d10ab4a5c6da4de94ae

SHA256
fd3a02629b27b86795d5b2c438b08fb52ca99ccce58c6295ccd45ba5fe637cda

SHA512
9675ff88009dbe9617371aa4783451c5e12a23fe3872d2d1b58268ddc7f872a73d5d99f249079467767d6af1e1a42c82996ddac283ed737d7418288b84ec0551

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
327KB

MD5
fe046c0241d49fd98efbb25b5cd1e894

SHA1
c4f5d9a46d09fcc54ccadd013b553c8eaf6a947a

SHA256
743c29dd76e978d2bc854038cafa472712d16f7dae5c8d4d6903e12feb6d43a7

SHA512
c644e61c4e317dc7263917cac5153ce40f3874f332c879bc1402d61ba0ed982e482a4539ce80d51c115113a7a0dc767f5e50e078404c9ab61dd7d2e4a772c00c

Download Submit
C:\Windows\SysWOW64\Boldhf32.exe

Filesize
327KB

MD5
db48d63356e730981bb1281554a265a2

SHA1
2beaf576c1b71c178b79019f60dea8f094e56a71

SHA256
1f7191d4270f602d7eb458aa6f0c0d1996239932957b9a04d2b2791a017bf2ea

SHA512
d2c8459f134aa0c742d679dbe89045df1524c0c70584ae17986b2c2b902c5e501ef182b7b352e9345cbe2c12cad64777dc72c32bdf9324e90915bce78293a7d0

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
327KB

MD5
a610577a706a95fb0e4aa8f52ab9aa6b

SHA1
1edc555e039b33484c9dc1e0bd3c78c880341bdc

SHA256
b0c0828904740acece0469e2f8d65b1433eb71fb1f0c49062eed69ef5625342b

SHA512
be89b811983245359672470afa1905d278a77ec2694b10e0c4792ec9dbad393a70b041d51899f7d0cffe2d152f8e5905d72cb3eb79475d9601f44263d2e7ef97

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
327KB

MD5
2b4e5b38ef4044bf32182eaa7feaf011

SHA1
e092576e5018d13916d2b67c5630611d703312d1

SHA256
35397ceb7fe6a3280deaf23552b77c27cbeea3065c3971d003594c18e3edcdd0

SHA512
a3e9f894b46c3a63cd887428a4b7b02f54b673e654622c25b17ffe986c6211e9c114d68a3e74f2d23305d3c533110bc00e4c369e95ea96eb434d7382fcfb9f73

Download Submit
C:\Windows\SysWOW64\Dakikoom.exe

Filesize
327KB

MD5
8ccb27423c1fc9fda4cc32b401ef0647

SHA1
ee10406db64df659658a24b96a36a63b951d156a

SHA256
bd6c3784e5b04cc43b5bb642367856ee23120a793422b2f4ee0b839d797a16da

SHA512
983adc80ee6d5dd62e3e707e566aeaf248ef93cae593d14792e6fb1fcfc3b61c70bbfaec83f81b28f2b1f10ea78226de335b0204b16757a74f92d5c87983a182

Download Submit
C:\Windows\SysWOW64\Dqpfmlce.exe

Filesize
327KB

MD5
7e8ba40fcb69c40b5cdb0192cb255969

SHA1
855f7948d8baee58eef83d8d2b6d0305274ad06f

SHA256
be417e75747ed9fb9e092599651d156943c6033a7b3d355e4bab9fe3724de727

SHA512
e73ecad0ce1e8e74b38f915a7789bbe28396b813ae5b327284fa00164d1e0d498b48828ff61d0df31e6723e0902f889b3584c7f54719ee192db87dfee945e907

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
327KB

MD5
36075bece03501f0b374fe005154c170

SHA1
b186d14f74fc5478e0f951abf2eaa8aaa1a53e87

SHA256
ea188dda45df1792c8e71d6d1ece3035f0efea19cdf35d4fab55ffd756837176

SHA512
79eb4bf80144bfa90fb0161bb6796f3db0f5d365bf4b93377ff49acadbed32779c674a1a47efcf90f96bffe79183be16f35a5b1378426c2ec67a1a13767b1865

Download Submit
C:\Windows\SysWOW64\Ehndnh32.exe

Filesize
327KB

MD5
de09fea173f61ad41942046a7df844db

SHA1
fe322fdd971022541f58b8672ebcca9dbdc77e42

SHA256
7dbb4b22c49a15210feb4367ae2e85a1bb886ce328819cc5103f49d2e722542b

SHA512
2d0feb751cc57f1e11fc101a3c8d11e9ef6280478e3a166cf8471631aa28bcf9594bd4d9f137e0b0356aa871ae475305b1a28bd929217d4fae0f8cbb271e382e

Download Submit
C:\Windows\SysWOW64\Ehpadhll.exe

Filesize
327KB

MD5
f250f159f1d7c3c591213ec5a59ba37d

SHA1
ac44e8fe0fdec61e62d8c84edcbe6362a3d4a80c

SHA256
c51d4e4705e68e8ee356abe50095d5735be619ce1534f0e3a208c9c45a69d63b

SHA512
5327369d6d6e964505380607e63efe052a6a4fd89fe4f76ba15c2671fb48e893d748ddf01a30d1f81b41c367ed4a9d9e8342d084024d5b41a5a558c4da88b826

Download Submit
C:\Windows\SysWOW64\Feenjgfq.exe

Filesize
327KB

MD5
7ec95d2c7a2aef4ab5354b2636635e7a

SHA1
a977279235e401e38945ac0a84e9ada6efb3786a

SHA256
980c9a08b6f50eaa38bf2dcde85a6ec2693d2992861525393d0ef39737c45091

SHA512
6f857dbac5029c132d4d61a1e0ff96e46041ae1c31af211873dab5a6f9dc32f8ec7f1a48a085427487cd8b67bef1b9cb03353e627fb41440eb2299be54497c55

Download Submit
C:\Windows\SysWOW64\Fgjhpcmo.exe

Filesize
327KB

MD5
02fdeb4a0d7c25323be7698aab7e6271

SHA1
869ce5a35732bbb730d95790eadd86026a9ccc52

SHA256
f4a9a658e38b350fb43616e2cf4721f5c341fc96e08f23cbf3d180f75f05c877

SHA512
1224fe80b83bec0477de3d8b81b6a97f14ff5161b2bdfbda18de202134372e6527b7e9f3ad3fa54210e169b3d59d6c2ff383f439a5c9d33462a394c3202204ac

Download Submit
C:\Windows\SysWOW64\Gejhef32.exe

Filesize
327KB

MD5
b8403d8b728f5b7158af9055fc326446

SHA1
cc43d0e74f8ab15ef76275cdb1a0aaa6ad6a79ed

SHA256
64a08de5ca877c8d8d2550e592038084489db557f77f30cc3813bb80dcbf1d89

SHA512
5c52c7a3e7b20902a2a2e97b5bf9563c1e5b76ec121fb262d289674760de3f5304b8fad28477c0a2b8abc0ed4db832c1acb23f4bcb8e36cfb749e6347ad058a3

Download Submit
C:\Windows\SysWOW64\Gpdennml.exe

Filesize
327KB

MD5
db9a399b3eadc3e4bef9dd4806b6b832

SHA1
d16bd5e4eab9c31085567a3ac130de03a94c6050

SHA256
5300655b63ff61bc80f4fc05d0ccb24f0ad15eb29fa71789f437abaeeaa8b38b

SHA512
1a578129114a49c607a89f6cb5569c9dacb94796e2a5f2b15f993301140b1bd88ce25a31d4367c4d7cc7f80bdb8821d8342b4d0970f5f3731e7b9d4170a26547

Download Submit
C:\Windows\SysWOW64\Haodle32.exe

Filesize
327KB

MD5
c839d2a14522c4513c621a7719e31450

SHA1
a7f9b73c09d3b5681172971a1c6ada3771d3a245

SHA256
17dbe98a60ceaa8015fe4d96f546047e70eceb904d94abc4fc34b5fa2d83835d

SHA512
d30f3b162dc5a18e66b402ff6777a93f68aafd6ac141232db86791e6758ab382615064e1f3a51062d750a661458265cb6f54fc64bf7073f930e54c33dd58cf17

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
327KB

MD5
f843afbb9b60862bbe0848a7b987a720

SHA1
d247469bfcbd6550cfd6beef42bfde24997ffb4d

SHA256
669357f53e2dbd9b07150d14908d866f7d84a8af2c271a811718f5611260673d

SHA512
84fb85fa17efa1a3889dc5213e451d67fd77ea9a4673d0bf631a38d3b2b0cd29d7a3da8bca0ca4df308e4477337b7b9e4e50ffb745be42519477d50e93d02828

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
327KB

MD5
fbf17c3b77861108f4a9db7ceec37985

SHA1
ea45e247a96a4e38f1c459494a54bca2af55826f

SHA256
959f0a15e0a350a197db75a472a3eb5868f6b135c22963a09aa3943a2d2e98fc

SHA512
411244d4c2a1e4adb72c576e3a31eed53f568974f77e43aa6b73725fb0845d47debbfa65a4fdc3c3ba563556f3c28f305d0e9062fa41367c04f932aac312c7a3

Download Submit
C:\Windows\SysWOW64\Jlbejloe.exe

Filesize
327KB

MD5
02461e81fd4ee4c87e6ddc4f2975227e

SHA1
be006118c74bf3aabe8e77fcb08792f420a898cc

SHA256
2bf172e0e839bd7b9f12db2a13f68de858526f6fa83d062192db2ba32505847a

SHA512
e0431870111f0c388f7b2e84104eb2386d8d851f03ba0054f01d6db20f529c77d5b7012c0b6f11b884f8a2dca7e800f061978d04075fc4c77fa5cdb4f958ece8

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
327KB

MD5
4e3dc4c84145131dd36de453030e283c

SHA1
f7d549804364bc8d29a62230a9119a59f6cef8f6

SHA256
36b83aa1267abec33c952e993de56bbc306469894ff5397698c292b8decbdec5

SHA512
22ce401e2dba82968804de4c34aee381c4c53ee51c1a1bbae77491b936fa353c26db303cc28c748b58f385095fdf8d9d590d6701f7dec240112ee20ee3ad2374

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe

Filesize
327KB

MD5
a3db8e85c28f30bffa898791faa83c64

SHA1
a8875865aa05bbb17022a4d467ae05e19677e69b

SHA256
28dfdf822e8ea8c6095e1f5347f975dcf35e88b062b3a94c9f917f039039ee09

SHA512
46acb05968efbeb24c87adc7ae912652a7aacb68666972961ff93a82eeddfadd4a6ebc343470f39549ed6b5bd449e8a81bf9a5e88807fecbff9979918cc08205

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
327KB

MD5
300d5fb21cae3aa54c92dfbe08ccb832

SHA1
fb36c880ee2e8bbc334e395acbad53c70e95c9b7

SHA256
15843e19aae5f202bb273824fbee2bf44182450ee4f137cd249c7bda6a7f8d86

SHA512
6e7c84da38ccbcf9a013a7e7d21345838954ec41f75e8cd9c239a138130a96bcc9684d2f68e5269d8c611240736dc46a9234ff6efde24a65f9dc39fbee8a841a

Download Submit
C:\Windows\SysWOW64\Klekfinp.exe

Filesize
327KB

MD5
d0b540cf8107b059e9715fd9df9ddf1f

SHA1
0d4d99be49d50b5821cf63e3e86e85a61a1d3772

SHA256
e2c9a2d34922c9afc1c6a0a66ecf94fa95a7d9c8f43c99d0f282dd55837a13b9

SHA512
8efefe008cb222bec3c93c5d63984046789ed6980c8621baabe2f1ebcd3f2a102f8f034560f342b619ca791298f63836371876cc2d41aa83df8638788917f7f7

Download Submit
C:\Windows\SysWOW64\Klggli32.exe

Filesize
327KB

MD5
150867abb68c74b57f356136ed2cad14

SHA1
da57cddb1f422066f6286ffb5aa2c0f2e359b251

SHA256
045a1de98a928045f59b3f502ea0a4971ebed5901d9ca9659b03331b4376a5e0

SHA512
c6408a72e0901653cf0b2585af79b8be67466d468ea4d053b1ac1d2789b63543677f5715d90e83d3d5b52f4b0e6fb7497dddb56c37c5e8ae8fe530a44ff041ea

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
327KB

MD5
ae74d27a629668ecf1940c27dcf0a509

SHA1
98ad1f22e76e53ef47ce9dd4a3c344eef4afd9af

SHA256
a61301741274280ab4b7a99758099660363d326e7a80d3a5cfe727fdfef9e567

SHA512
8a738db45bb45acb8c774a9888643e5315b0aa8200eb954e92fc516957f4d9f50d18b6805c8867a9e0eb943d38b4ce71fa07d8b36b52b42576538bbf2903f8e7

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
327KB

MD5
2995f744751ee1cdab6560a8c339c396

SHA1
0a4a26d05ac70ddfa4b71ea6d6b2b61154af80c0

SHA256
ecf18b12fa27af93be8d032f553e9b9a88783331f9e20a996a69a7ae430b9c0d

SHA512
0c4e57327d8e4d2655f42fec996965dbd7bbd0e27e28ba2ff8a08f21aeced35947ee540ff612d8e6dd93bf83c78a3f857ad83d984d6ab69d92536d4961361083

Download Submit
C:\Windows\SysWOW64\Lllagh32.exe

Filesize
327KB

MD5
62331d2a03812db9d35283514b3f4235

SHA1
64787d57831a98f8a34c54c2cc632d937667b36a

SHA256
553e33bc394d31f32d8e139cd5a2b0e71f142a1fd7337dc9acfbaab2b6e7561a

SHA512
6052d51906d77f00354fb0b974ce9d30ccaa1dcea733d68bb7efb4a2d2c956b4ab3ad38f42b5e645438abaa8e7d0f2b3ea1c9b2a659c25c8a34bd245b9fe23d2

Download Submit
C:\Windows\SysWOW64\Mcoljagj.exe

Filesize
327KB

MD5
c3e9befef18d8e4ec5f2d629cfe87a67

SHA1
1f06195e9ca035b932477bdea2dafe50d96cbe97

SHA256
2ab1084719e08e95d267fc4cc174abf7499fb285b5fe19a96356422832e0596d

SHA512
c8442ba39df7c34ce49bc01efbd7ac6b47a267222113e33f46c8515e3c38f09099f1f6fe58d2f3ab705e1bacdfc2e4088fd829661409d6ea44e0d3faa380748c

Download Submit
C:\Windows\SysWOW64\Mljmhflh.exe

Filesize
327KB

MD5
d1b5c595b10af18e5da8b9b2e4fe9254

SHA1
d2ac517089bcabb8d02eeb63677e00bfc331c624

SHA256
0d8f03ec9c037074e77a7c00cf69f954ade75a66f45c344917f5b1f7c1da2412

SHA512
56a245c333f45459a74fddcb91927f0cf058d80d8dd7a681c298f7301e8f91cd63438600f7e01cf061cdcdb7c86bd1498822638b5e6852d359d640e272d988b8

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
327KB

MD5
e4687c3460ba8f99acde1339e3c32b2a

SHA1
fef02faea09dd5ea1275fe84ff34b8923b9d24e5

SHA256
92a3f48f3ed56df9d7e6e5cb522582ea01ce84ccc4c69521ea4063942c51671e

SHA512
f48df07f91aeb1ce4edeef7fbabce798b32151060a2db87c75bbe58c82d60858a7b9d38cffaee2735ee5d5ca92f2cd4145af86f1c61730fc9ea162feb2e9b2d2

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
327KB

MD5
f3b058577b0254a6ccb5c14644a002fd

SHA1
ab011d042a6fb8df99253507cd554381cada6d34

SHA256
e8270ab779fc8ba7e4375b57a0d8453cb8e7b7f2ce17bbc484d4caf591d4c2c7

SHA512
0f4ef818dec5142bea4486c2e2464a37ae0d80b362e9ce807aa0b5fb7773e71376d810775a1b35c419b123cc583d30c4587336f8651638fc79c1d22196ae6269

Download Submit
C:\Windows\SysWOW64\Njjmni32.exe

Filesize
327KB

MD5
c24edc5f33684fbd7c6aa4708f238699

SHA1
7e6952791869cd0f442deec1e3ad04148d835746

SHA256
acc3ad8a147955c944f775bf7a42a554d54d92522d7b218d4d9d786c13f03c13

SHA512
9fc7c501f012089d80f5e0137ea80ebc64100d5816a252b924f99322b1d6d4e2649a6e5c0773d3753d8c80308ff6650e501715f395fc599a838b8288e37c3dec

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
192KB

MD5
c515e636cab290a2ade4d43a8050b250

SHA1
e1e6d20222190f10fd3b30041015a2e8ee3e3030

SHA256
a4e7fc8b73eff55b1d0c3b2a0fd7538abf7c62e44d559ceead3be4d522430688

SHA512
ecd531c1da9dfb8c59248195421544d05719c302156bd2b87031883e5168341c23229969d11a9c21d42eb0a1a8afdd45afeb62aae0058ba66eaef393ee027392

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
327KB

MD5
029b72bf9d221a20a8333403cae04002

SHA1
cdaede8946b0facac91cded433c3a479962cbbe4

SHA256
b2ed63055543aac86a1449fea81edf4ef77e8f9152339960505a4c7ae5ab77cf

SHA512
b498937b8eb9abd9ab7003c1779d4e63c65099bad52f88652ca74137b81fa457308e67a734d870635b1958e4ee724b2ea2796dd2031e354d3cb67c7085ce09b8

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
327KB

MD5
def9bdddb72ccfe0d1e61377dde17564

SHA1
c5d263a085ea97b970f20a51fab85906ebd0614b

SHA256
6ea5f235a5c180a1ad49c1c1f1be500ce53396da14d75b94254dd96b70eac163

SHA512
2361a23cae98b0ba845a15a0cf90e63df25fc4486454f47b9ef7c6edbb0ea38f0bf4293d16aaef070d46f74513843094a2abbe268cf612fe02491f3fb9a6e436

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
327KB

MD5
9e67dc2f1a30e722bc2951807fc57c54

SHA1
34d93cd971f9bd3eff343a7e466ed0b39fb32b71

SHA256
4ac9adf5482e8856b6a856e6581ff612e69dd9f5d25200be1f69c7996a24082b

SHA512
66261c0544b6967071f29fa5ae7c0eb1eca2268136fa58dec6055ae0f537977fd9d8a16051ce3a5cc769405a7cf5024a3ca552ab09736841f4c093a960a68b6a

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
327KB

MD5
f0576b307b95324483b7e1e6773b85df

SHA1
6623b9fd8bf0749d7493d93255732037084fa749

SHA256
4e19a9e5a522c02235433252e732de4c50512757d6197417064c4d33a54276a4

SHA512
ff27a839c23d03cc31d1ef1bdc8052410f63f17c7b1999129f858d5f44d6052803e2696508cd59671a12ee2fdf3054dd2513c21534eda70881d4187501f00437

Download Submit
C:\Windows\SysWOW64\Noblkqca.exe

Filesize
327KB

MD5
b8dd8b4e6ff05aa384c04d52cfce34a3

SHA1
4d77582eac1c4951a2475790f543c9317b0e8acf

SHA256
dbf5e60d675361a17052817f72469921ac9111f811224b8ae16a6ddce648a430

SHA512
7fb9c1cfc1a5f292412c51a1bf97ab953fc9e6f9355648b596216b72e6ab615fdb7e0971d3103103bf181d2d282251e9cd72dd0d0595784cada6d709432b12ac

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
327KB

MD5
06e11f78478e9deb7ca5a7d968f2924f

SHA1
df940b8a15cf5634e919b2b4df5a6ed105a920e9

SHA256
547e12565d708e63ead2273d0a2548f7426a3386c7e361884d8712822ebd64ab

SHA512
8d8b58ac1ecd71de93ff6b86f126fbd4d2fe6c6d06e35e31dd1b4b110e577d6af62d0e0a14d6ebc0064ee4c4c623ac1e6b89878281b01d75fea250fff9baa307

Download Submit
C:\Windows\SysWOW64\Nqfbpb32.exe

Filesize
327KB

MD5
451d67b758cd91f20fc539d455a44fb4

SHA1
c8639584f7394a20903686bc3ffd022997eeffaf

SHA256
e704c0da75d83c5dfa250812e61723854b496dcc22a64b58250a6598ac8d13e5

SHA512
aae370183afd1f0d6032788a3d31f33df34bb78184c661d470426e3d5863227646ab903a9b14538351ca2b657c4d0d5e19fbe8f08c6e220f2ac0e2401deaab80

Download Submit
C:\Windows\SysWOW64\Nqmojd32.exe

Filesize
327KB

MD5
0af0f77e7d964110705880bb619a545a

SHA1
0eb8374ed22ebb7b33ee62e2270d9e45dd2b3cd0

SHA256
fe02adaffc2934e5a2fbf9a699476eef8de6237e20aa0c8bbfab7921f939720f

SHA512
ede991845a31583aedc300968604074d9aacc631f56813b2303a5be04588499deb6baf5b12a871dd3aad4d3ff923942492ac27c1042f9086d699b2f257fa83bc

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
327KB

MD5
459125445ba6ae81280b767055f79a43

SHA1
f45efff0d9948030b9188687f89ef8c7aa4958b0

SHA256
b523b6f2cda7b410c6ef8f8438f81731c32091af828684098ab14e8e4b9f7990

SHA512
4b6632891ccd1acebae2715c1cfce1b8f8b7300a310f84b97997ee59b00463392ebab472d0795c6b859f9797883e118ce3c87eea21a9f8d3694de19ffbe250a7

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
327KB

MD5
a9758105909f43467cf9744404675612

SHA1
a9d470f0724f69b0ea11fb3fcbf3417dfd14f209

SHA256
943934122eab00d2bb370c80414f76442d8956336681ba994f019caaeb155d2f

SHA512
438d5d851d86f31868ce5b7b218fd4d0e3179fe24aca3329d5a5310403d21da3b0fbe6df9dba910c46d27ea492edfe677f0d1a7691c4865e203c95195337fd85

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
327KB

MD5
d3a2f0226debe324f8d74c27a4a852a7

SHA1
dcb308306e071a5e512fbdce6f8a9eaebda5f29f

SHA256
ecde0ee5f830046062658c9a2136f0db5045ade2cfc175076e36ad7d840ba229

SHA512
cd2b1b7a09deab145470cfa215eca5e6e99d28cde57770b6fbf75d5b31a02de4dcfbf60aa0053ad7652fe64c2bbaaaced40d906952ed010a6d54c5a6e176761c

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
327KB

MD5
ed6dae0cd212692f25fe37104c1f54fd

SHA1
da7a8a6e3fbcf142fae123fa6f10b77d54e973d5

SHA256
a33eed82c049c1c4bcff8aaf3bea34c32ed40e942bebb365a6e15760a52aae88

SHA512
b8d97728e7b2f2c33f0d3bae8dc6e5571272a83593e0b91fdd1f46e947952c887d2825eadb63009e066a1d40f7eeffc3dc6cf338336d5c19d5774c760bd05c05

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
327KB

MD5
e53015e9db37b6198e6a5e8359b489eb

SHA1
25248ff61557455ce256f253c6bb6ec018cb257a

SHA256
4b910a85d2c526ad8272d19ac578d83f89d56016dca44a69a57ab6ea80841818

SHA512
b49e5b526511182c69d5e251cbcc3ffb73d690a9019ce3c92b5631db756e050260aad01c55bcb14ce9aefabdb3b0025fbabf66359837f3ab2160cd6ce365c74e

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
327KB

MD5
e9fe0d0fed7e4257814f8ef945634524

SHA1
0a81a31890af6cf0a267642d522763810f03a0ff

SHA256
ad727c7925fbb0972bac2b3b729914993c2d5c49cb4e06ad0206ea413d17a8bf

SHA512
4966abfdc453c09abffde786075bfba8c3428cad78a57c94289c3f7b79943371911a9e8e79cd25e3ae4f089e5d5d4fb5cf18a63bc235f53b25ebf050fb8e3ba0

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
327KB

MD5
d0d3aa1d0ce1e63d8ff733b0f1d4f695

SHA1
08189cd88d4de1b05e9bc18dbbb8b4b88c6f51a7

SHA256
43c733e991b54c408c7289d7fc18103fc579a9abc17920c7fed3bd91734cd69b

SHA512
10e8c330f01b2b30445d8ff60c553400163baeddbfe5d83b73db72b45faa537c61ce68d849caf85e738a02ddc68c7133a8490f0ff8d076cfc58e096fcbc3c0d1

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
327KB

MD5
34a6ee3135c09952e7d513f2af4c9551

SHA1
d1cd0c114eaae1c107f8b396ebc277bc8a52d27d

SHA256
128702d1755cc6c64b6557c3cec3166cd9254df871fc34ab081d817a76b7e986

SHA512
89a145a6bff127589c5fa6f0376d0de62ec3cee7e28397d70dfcd7999f3b44867e085600acad85b4c6fd3006cc5869a02282631534a3daa2cbcbf5cf9e2ecb28

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
327KB

MD5
c20a943db2fa8478ee6021126dbe6b91

SHA1
08f2df0616a1dfe0610577714689131ebec4c1ea

SHA256
f7ca5bb198e80aba4b657e4031d092e424f426177a48c35e8d8d49f867bd3836

SHA512
425dad0b9a3121538bd1f3fa5a0340b4657445f8fc96c8166d7d7f8bff01141a66b65093dfced494fd3110e10d2cc2e2682767c96593a032722c724d43adb708

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
327KB

MD5
1429481003b41ba9a64ba85546d2e1c2

SHA1
762520eeadf90bf88fa6e35106f86a147b09820f

SHA256
9f7c77df6e1fe59f4cced2346a862d88d0938ac07f2d039a3fdaf751e1c9f21a

SHA512
b77dd1fe16574c3673d54143708060e4ca630a3453302807cdde1ca04d46b30d4fe3d34504f228b5509d9e848ffe818874cb562fad372df88e2f082e352e1d45

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
327KB

MD5
9b6a9854ed1b72a06cda0d3436b3059e

SHA1
54bc9e827d156709f2b5c2040504fb79f6202224

SHA256
cfd0acc45d50aec5aa17d1201a8216372cc09ffc7e35aaf0537c14fdac69537a

SHA512
5db7d114dba34b4167e60202610e36a6fb9e6ee82276109e48aadc8e07e2bc72f02435906a78114b9e95cab5c4e19e59a573dadadb61f9a80bb02acffe2938a8

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
327KB

MD5
463d5e6d64a0150a1ff6e72c7acb0e02

SHA1
932c3d4db66b84505cc0f883d36461e155bed6c9

SHA256
54c2c39e0996173bf4ed22edca83d98ed7234b21af0b3a6ef601b570990f4a7f

SHA512
a7572c2570c68063f36afb33956b364d543ff172f85aed79e6ce6dd85e29c403f77d73800eef8771d17fad216450bb270dcfe6652170854038d06ba83c625115

Download Submit
C:\Windows\SysWOW64\Oppceehj.dll

Filesize
7KB

MD5
90d96e800c46e9e8c6b06fd82c65cc19

SHA1
eef819cde1937806c06257728b1c1af75c166432

SHA256
46b4244e7f5382d74c39c2899ab54ded65074855fc188fb7da564b01dca16ff9

SHA512
bfd8c481837209f80588a7474921f522797a1111ec531749ab1e7f471e22e230c837d06c4f7c2f1d49eb5000f11c75425e84ba6e6ab84d5b900167a3b68f513e

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
327KB

MD5
d87614ea9d255817f48019d7231cda21

SHA1
8ae7b3c245e103bc96ecd4f7c29e3b8827a70847

SHA256
977362f06bbc26d0cf529d6accfc95a9a15d08592d8b33f6d9bce79954f53c0d

SHA512
ea0ab5b7510536daf0390055ad8cf12b591de34b7516c3761c6571d10359b3a7b2de618bcbc20a8c30fbbc3d2ad638fef0a224d9db55e35b822363f1f0cac863

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
327KB

MD5
bb80f3d553687aa58731ee457a648db8

SHA1
8cf92431cce467210d26e9b7801153535cc2e8b2

SHA256
e9af709326bfadb0a277d616a1e46cd33c586852c59802a99ff78147d2af7ca7

SHA512
7c218c22caf07503c726a5c55aeb5e59b08138e60be2b11050a4925a6e7523206718650ad5c5a42f1b9b37f354d8e5a5cd4bc52c63a1d696d422aa06ae145b48

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
327KB

MD5
a031b61725c1cad5a2d8f6584f79d13f

SHA1
209420679b64e28bf4e38cb0025561453276e3ef

SHA256
81db783fc1e97b55711041cc2eefe3ee0ff765bc55038a9c86755727490308d5

SHA512
48c333a72f94f0d470c845aa3d9d34bf3e5395317af29ad8c37024d82e78f26e9c45d5cbb2e392038f804700e0d190262e288c4ccff4b0a3f68e9c956b643c16

Download Submit
C:\Windows\SysWOW64\Pfepdg32.exe

Filesize
327KB

MD5
8eabb5e3b57dde6fb831f3a9ceaf5379

SHA1
899b0a044b896d50599f512e9aa6289f5705fd1f

SHA256
2fb872e67fc0c1ab66426283bfa63feb62142f52cf97188d0200361c0d1b08e5

SHA512
401468229cbba9e045a6a4d48dadf6a0ccada500e2e3e8b1a6ec73576960d0a14895e002ad3c53ce9985ea08620808a3d6eab7604872db0b5baacbcb295415f6

Download Submit
C:\Windows\SysWOW64\Piapkbeg.exe

Filesize
327KB

MD5
ce66766717a47b17880a37f7b0a19083

SHA1
88bceb70519c9124e9c675c981f022364da4f570

SHA256
0661472d038a181453027ebb76ea53455f99ecf18cd0a1b1a291b57cbb25fd4c

SHA512
d0d440e349ef25e3a513e45440c3af95655fcf854b6130ad5f7808a4ba81867fca7e9e457b3894173b81470631dbef56597054820b46e8301b14212e1bc1a5e6

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
327KB

MD5
01bca97b03f80ac0486060eef38a9a3c

SHA1
bbb278d56423757176cd11ba074ebade7d67476b

SHA256
29b58bad79528d8478315cc812220313679ac65743512e14546373e603c8aba2

SHA512
09e3056cbc9d6e450b5b3bce8103f1d05b60602c546bdfe4a316f81a63984f83b2fa7811dde1833ec713114608f527c717d969b38324c3f4fb9ef3457d5fa134

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
327KB

MD5
cd2a71b6e17a09bb7649b7264eeed239

SHA1
1a026ecf1384af5ba23e1cef66ea877891dde59a

SHA256
8773e52da1b667f9f84d266cd27ef7e549ea3580787d1af03f79c3b98ea5708e

SHA512
d46b112199547054659d55c67d36ca1127c78b6271937a0789335dc5e7d12b8d5512bdcb741bb3e9982a01c17f2b653f57bf14cefa119ffd97471a11a2a474da

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
327KB

MD5
77e7f24eeeeeb1ba74dc94964dbebec9

SHA1
68432a7a26a7571078bce398b3158277761e3456

SHA256
f254792c2c505610e51acedd97e2d69e9196ceecd1976407c067a754371af158

SHA512
b4c056ff9fc5debc0a15fb12729a78e83ee750fd5ece11faa5c43d4f525cfa5646f8f12f732a0147cb4cfe2be2860041908c9a3e80bbcf8868b719d61ae54cc9

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
327KB

MD5
25dc092cc495c37d31452d59655a5196

SHA1
b1434604b91542abf4c5a7b241132f7ba478968c

SHA256
651a2356bd1e30af04aefdf0395a14bd98c820c61192930ca3b0636863674554

SHA512
4a0f61cdfdf6178a3cb06c8e48b831b15006e8e973338a3fe44c4ea0288da5a981648a06f52de9aecd7920e33dab3f8635e1fc0d6b631269a3a02c1df41e1128

Download Submit
C:\Windows\SysWOW64\Pmhbqbae.exe

Filesize
327KB

MD5
f9e2095d37f10ca49053df3ea37af151

SHA1
ed27061f197d29e76a5e285658378b63cf2bedb7

SHA256
83ed017d77dea9a54eacc7ccf396115928502a810f5719a1b727c9a174bb2ed4

SHA512
14727e059fb798c20329dac8ea4f49f954d490c85ae01190684b28b057f576fd5611c9761ad683aec1f0b6ba5241491c3d50aa1b9914b79a2b64158070e32a98

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
327KB

MD5
4b368fdcd9ac4fab1fba5548784292e3

SHA1
e1b4978e88ddec50564cb596f5ade516e87c32d5

SHA256
49fb3ec62b576aa9b1adbc74b7d8741939779b60d460a8284252fc7f2822cb45

SHA512
68aef642e91db250243b19b4f1891bf883c25f0d8d30b55a274c7f536cf56d04855dedbfafeb8a2aa1e9c40fdfb286cc0095d1445a34f8c9a620ff6fdb85c269

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
327KB

MD5
1f1a3fff7ef7ce6d21ba7df03e3ea956

SHA1
16ad2be2624547abbcdf5c78fd045b3079b5b7b5

SHA256
03ed4565323980d397159f4dfd694ad7c816c2fb4b69735daa7322f935a8e30c

SHA512
b5036c23528cceaf8c030e4d89c9e6b31cb6bdac9f422061375deb1b0769fd0ab92fc506c62bae4cac10a35e3049d85528f252d0f6bc0a2277116734f796f4e7

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
327KB

MD5
8fda8a843aac37f188ab0bb810e54477

SHA1
cf40c9f1f210efae0376152baee04d41ec5899e3

SHA256
f1daaf67d7dcbb91cbe7a2c3f8cc84dbc6d3b42c028eca525b57b0e9bb7cac78

SHA512
af7a4252f2d832455c6099ffd9db3d2f213dae544700f3c6accecaff73ce0953187fc68124c786cb954bf2ad9b1b0f6077a9ee802c54556ddb7b475974445da6

Download Submit
memory/112-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/216-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5288-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5348-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5384-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5448-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5512-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6812-1365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6828-1417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6928-1415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7052-1412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7200-1360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads