berbew | 3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf.exe
Size

320KB
MD5

6b32af74dc2b7be71c0cdfc476c6a5dd
SHA1

05afec9afca6158d7f4f76983d5b448582f3b44b
SHA256

3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf
SHA512

86665404450e74407258f56a0f4989caaf37c2348a506bcd66fb5a5d807e9e9b16667c9ac5291d68d586d55ccf2695386b3179b810b22e185efac35d4d18eae2
SSDEEP

6144:8eJLhbiw5kC4kf3/fc/UmKyIxLDXXoq9FJZCUmKyIxLq:8OLhb/53M32XXf9Do3R

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Felbnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbjena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Illfdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbnmke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklfgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbpchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aednci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmfbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoknihb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkmkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokgdkeh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Albpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clgbmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbjoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doaneiop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iomoenej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmaffnce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbjoeojc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkqfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmmfmhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpfqcln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbkqfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefgbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lopmii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfoann32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljklo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qoelkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bddcenpi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4556	Pmaffnce.exe
2172	Plbfdekd.exe
4832	Pmcclm32.exe
764	Qmepam32.exe
4264	Qlgpod32.exe
4004	Qoelkp32.exe
620	Qeodhjmo.exe
5044	Anmfbl32.exe
748	Aednci32.exe
2500	Ahbjoe32.exe
760	Alpbecod.exe
4376	Albpkc32.exe
4704	Aekddhcb.exe
808	Bochmn32.exe
3456	Blgifbil.exe
4608	Bdbnjdfg.exe
4996	Bklfgo32.exe
1912	Bhpfqcln.exe
1176	Bhbcfbjk.exe
384	Bkaobnio.exe
4416	Bnoknihb.exe
4456	Bheplb32.exe
1692	Ckeimm32.exe
1664	Cfkmkf32.exe
2220	Cocacl32.exe
3904	Clgbmp32.exe
3652	Cfpffeaj.exe
1428	Cohkokgj.exe
3132	Dokgdkeh.exe
2840	Dmohno32.exe
4396	Dbkqfe32.exe
4348	Dbnmke32.exe
2864	Doaneiop.exe
4576	Dflfac32.exe
2720	Dngjff32.exe
4388	Emhkdmlg.exe
4784	Ebdcld32.exe
3764	Eoideh32.exe
3108	Eokqkh32.exe
2728	Eicedn32.exe
4756	Eejeiocj.exe
1576	Emanjldl.exe
1948	Felbnn32.exe
2372	Fbpchb32.exe
2588	Fpdcag32.exe
1552	Fealin32.exe
2208	Fpgpgfmh.exe
2188	Fiodpl32.exe
3884	Ffceip32.exe
884	Fiaael32.exe
4328	Fbjena32.exe
1760	Glbjggof.exe
1244	Gfhndpol.exe
2888	Gppcmeem.exe
1844	Gemkelcd.exe
4208	Gflhoo32.exe
2900	Gbchdp32.exe
2560	Gpgind32.exe
1160	Hlnjbedi.exe
864	Holfoqcm.exe
5068	Hmmfmhll.exe
4696	Hlpfhe32.exe
3140	Hbjoeojc.exe
5104	Hoaojp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fealin32.exe	Fpdcag32.exe
File created	C:\Windows\SysWOW64\Ilnbicff.exe	Iojbpo32.exe
File created	C:\Windows\SysWOW64\Dhhmleng.dll	Ondljl32.exe
File opened for modification	C:\Windows\SysWOW64\Panhbfep.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Qlgpod32.exe	Qmepam32.exe
File created	C:\Windows\SysWOW64\Mdijliok.dll	Blgifbil.exe
File opened for modification	C:\Windows\SysWOW64\Hbjoeojc.exe	Hlpfhe32.exe
File created	C:\Windows\SysWOW64\Jleiba32.dll	Jniood32.exe
File created	C:\Windows\SysWOW64\Mfeeabda.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Njhgbp32.exe	Npbceggm.exe
File created	C:\Windows\SysWOW64\Epopbo32.dll	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Fmggcl32.dll	Jedccfqg.exe
File opened for modification	C:\Windows\SysWOW64\Lopmii32.exe	Lmaamn32.exe
File created	C:\Windows\SysWOW64\Bhhiemoj.exe	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Ebggoi32.dll	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Eejeiocj.exe	Eicedn32.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Jongga32.dll	Fbjena32.exe
File created	C:\Windows\SysWOW64\Gflhoo32.exe	Gemkelcd.exe
File created	C:\Windows\SysWOW64\Ljcpchlo.dll	Igfclkdj.exe
File created	C:\Windows\SysWOW64\Ppgegd32.exe	Pfoann32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Plbfdekd.exe	Pmaffnce.exe
File created	C:\Windows\SysWOW64\Ekoglqie.dll	Kflide32.exe
File created	C:\Windows\SysWOW64\Npepkf32.exe	Nmfcok32.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Occmjg32.dll	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Glbjggof.exe	Fbjena32.exe
File opened for modification	C:\Windows\SysWOW64\Aednci32.exe	Anmfbl32.exe
File created	C:\Windows\SysWOW64\Fpekmi32.dll	Iomoenej.exe
File opened for modification	C:\Windows\SysWOW64\Bmeandma.exe	Bhhiemoj.exe
File opened for modification	C:\Windows\SysWOW64\Dflfac32.exe	Doaneiop.exe
File created	C:\Windows\SysWOW64\Jhkbjd32.dll	Emhkdmlg.exe
File created	C:\Windows\SysWOW64\Fiaael32.exe	Ffceip32.exe
File opened for modification	C:\Windows\SysWOW64\Igfclkdj.exe	Iefgbh32.exe
File created	C:\Windows\SysWOW64\Kjjbjd32.exe	Kgkfnh32.exe
File opened for modification	C:\Windows\SysWOW64\Mnegbp32.exe	Mfnoqc32.exe
File opened for modification	C:\Windows\SysWOW64\Bochmn32.exe	Aekddhcb.exe
File opened for modification	C:\Windows\SysWOW64\Johnamkm.exe	Jilfifme.exe
File created	C:\Windows\SysWOW64\Qbdadm32.dll	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Emanjldl.exe	Eejeiocj.exe
File opened for modification	C:\Windows\SysWOW64\Fiodpl32.exe	Fpgpgfmh.exe
File created	C:\Windows\SysWOW64\Ndmdae32.dll	Hlpfhe32.exe
File opened for modification	C:\Windows\SysWOW64\Hoaojp32.exe	Hbjoeojc.exe
File opened for modification	C:\Windows\SysWOW64\Imgicgca.exe	Hoeieolb.exe
File created	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Ieoigp32.dll	Akblfj32.exe
File opened for modification	C:\Windows\SysWOW64\Jilfifme.exe	Jlgepanl.exe
File opened for modification	C:\Windows\SysWOW64\Kpanan32.exe	Kflide32.exe
File created	C:\Windows\SysWOW64\Lljklo32.exe	Kjlopc32.exe
File created	C:\Windows\SysWOW64\Minqeaad.dll	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Lfjfecno.exe	Lopmii32.exe
File created	C:\Windows\SysWOW64\Pfoann32.exe	Opeiadfg.exe
File opened for modification	C:\Windows\SysWOW64\Conanfli.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Bochmn32.exe	Aekddhcb.exe
File created	C:\Windows\SysWOW64\Ekamnhne.dll	Kjjbjd32.exe
File created	C:\Windows\SysWOW64\Dokgdkeh.exe	Cohkokgj.exe
File created	C:\Windows\SysWOW64\Ekfjcc32.dll	Imgicgca.exe
File opened for modification	C:\Windows\SysWOW64\Lmaamn32.exe	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Pdhkcb32.exe
File opened for modification	C:\Windows\SysWOW64\Gflhoo32.exe	Gemkelcd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6384	7128	WerFault.exe	294

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Holfoqcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Illfdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlgepanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljqhkckn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmaffnce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnegbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocacl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bochmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nclbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dngjff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpchb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jghpbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojajin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keimof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaifpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifomll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpffeaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocjoadei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aednci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfqlfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgnbdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomqcjie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqkiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoknihb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fiaael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eokqkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbchdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgiiiidd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npbceggm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkqfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmohno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgmeigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbjoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcpjnjii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmaamn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgpod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnplfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpdcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpaekqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpgind32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Locfbi32.dll"	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bochmn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckeimm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpffeaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjpeo32.dll"	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklenm32.dll"	3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgbikfp.dll"	Bhpfqcln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Felbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpdcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhjm32.dll"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfjcpfb.dll"	Fiaael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kflide32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkogl32.dll"	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdlfi32.dll"	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emanjldl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qeodhjmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clgbmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll"	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iomoenej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klcekpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjfln32.dll"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alpbecod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljgf32.dll"	Cohkokgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fiaael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkaobnio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gemkelcd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 4556	692	3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf.exe	83
PID 692 wrote to memory of 4556	692	3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf.exe	83
PID 692 wrote to memory of 4556	692	3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf.exe	83
PID 4556 wrote to memory of 2172	4556	Pmaffnce.exe	84
PID 4556 wrote to memory of 2172	4556	Pmaffnce.exe	84
PID 4556 wrote to memory of 2172	4556	Pmaffnce.exe	84
PID 2172 wrote to memory of 4832	2172	Plbfdekd.exe	85
PID 2172 wrote to memory of 4832	2172	Plbfdekd.exe	85
PID 2172 wrote to memory of 4832	2172	Plbfdekd.exe	85
PID 4832 wrote to memory of 764	4832	Pmcclm32.exe	88
PID 4832 wrote to memory of 764	4832	Pmcclm32.exe	88
PID 4832 wrote to memory of 764	4832	Pmcclm32.exe	88
PID 764 wrote to memory of 4264	764	Qmepam32.exe	90
PID 764 wrote to memory of 4264	764	Qmepam32.exe	90
PID 764 wrote to memory of 4264	764	Qmepam32.exe	90
PID 4264 wrote to memory of 4004	4264	Qlgpod32.exe	91
PID 4264 wrote to memory of 4004	4264	Qlgpod32.exe	91
PID 4264 wrote to memory of 4004	4264	Qlgpod32.exe	91
PID 4004 wrote to memory of 620	4004	Qoelkp32.exe	92
PID 4004 wrote to memory of 620	4004	Qoelkp32.exe	92
PID 4004 wrote to memory of 620	4004	Qoelkp32.exe	92
PID 620 wrote to memory of 5044	620	Qeodhjmo.exe	93
PID 620 wrote to memory of 5044	620	Qeodhjmo.exe	93
PID 620 wrote to memory of 5044	620	Qeodhjmo.exe	93
PID 5044 wrote to memory of 748	5044	Anmfbl32.exe	94
PID 5044 wrote to memory of 748	5044	Anmfbl32.exe	94
PID 5044 wrote to memory of 748	5044	Anmfbl32.exe	94
PID 748 wrote to memory of 2500	748	Aednci32.exe	95
PID 748 wrote to memory of 2500	748	Aednci32.exe	95
PID 748 wrote to memory of 2500	748	Aednci32.exe	95
PID 2500 wrote to memory of 760	2500	Ahbjoe32.exe	96
PID 2500 wrote to memory of 760	2500	Ahbjoe32.exe	96
PID 2500 wrote to memory of 760	2500	Ahbjoe32.exe	96
PID 760 wrote to memory of 4376	760	Alpbecod.exe	97
PID 760 wrote to memory of 4376	760	Alpbecod.exe	97
PID 760 wrote to memory of 4376	760	Alpbecod.exe	97
PID 4376 wrote to memory of 4704	4376	Albpkc32.exe	98
PID 4376 wrote to memory of 4704	4376	Albpkc32.exe	98
PID 4376 wrote to memory of 4704	4376	Albpkc32.exe	98
PID 4704 wrote to memory of 808	4704	Aekddhcb.exe	99
PID 4704 wrote to memory of 808	4704	Aekddhcb.exe	99
PID 4704 wrote to memory of 808	4704	Aekddhcb.exe	99
PID 808 wrote to memory of 3456	808	Bochmn32.exe	100
PID 808 wrote to memory of 3456	808	Bochmn32.exe	100
PID 808 wrote to memory of 3456	808	Bochmn32.exe	100
PID 3456 wrote to memory of 4608	3456	Blgifbil.exe	101
PID 3456 wrote to memory of 4608	3456	Blgifbil.exe	101
PID 3456 wrote to memory of 4608	3456	Blgifbil.exe	101
PID 4608 wrote to memory of 4996	4608	Bdbnjdfg.exe	102
PID 4608 wrote to memory of 4996	4608	Bdbnjdfg.exe	102
PID 4608 wrote to memory of 4996	4608	Bdbnjdfg.exe	102
PID 4996 wrote to memory of 1912	4996	Bklfgo32.exe	103
PID 4996 wrote to memory of 1912	4996	Bklfgo32.exe	103
PID 4996 wrote to memory of 1912	4996	Bklfgo32.exe	103
PID 1912 wrote to memory of 1176	1912	Bhpfqcln.exe	104
PID 1912 wrote to memory of 1176	1912	Bhpfqcln.exe	104
PID 1912 wrote to memory of 1176	1912	Bhpfqcln.exe	104
PID 1176 wrote to memory of 384	1176	Bhbcfbjk.exe	105
PID 1176 wrote to memory of 384	1176	Bhbcfbjk.exe	105
PID 1176 wrote to memory of 384	1176	Bhbcfbjk.exe	105
PID 384 wrote to memory of 4416	384	Bkaobnio.exe	106
PID 384 wrote to memory of 4416	384	Bkaobnio.exe	106
PID 384 wrote to memory of 4416	384	Bkaobnio.exe	106
PID 4416 wrote to memory of 4456	4416	Bnoknihb.exe	107

C:\Users\Admin\AppData\Local\Temp\3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf.exe
"C:\Users\Admin\AppData\Local\Temp\3e0e40c8e61a1dd6e726912e3e7616a69a01555fe4b076a9e15f3b1705f08faf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\SysWOW64\Pmaffnce.exe
  C:\Windows\system32\Pmaffnce.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SysWOW64\Plbfdekd.exe
    C:\Windows\system32\Plbfdekd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\Pmcclm32.exe
      C:\Windows\system32\Pmcclm32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\SysWOW64\Qmepam32.exe
        
        C:\Windows\system32\Qmepam32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Aednci32.exe
        
        C:\Windows\system32\Aednci32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Bhpfqcln.exe
        
        C:\Windows\system32\Bhpfqcln.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        23⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        35⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        38⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        39⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        47⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        53⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        54⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        57⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        60⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        65⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        66⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        67⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        68⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        70⤵
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        74⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        77⤵
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        78⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        81⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        83⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4372
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        88⤵
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        90⤵
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        93⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        95⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        96⤵
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        98⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4956
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:508
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        101⤵
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        102⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        105⤵
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        108⤵
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        109⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        110⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        111⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        112⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        115⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        120⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        124⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        125⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        129⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        133⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        134⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        135⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        137⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        139⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        140⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        143⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        144⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        145⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        146⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        147⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        152⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        155⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        157⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        158⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        160⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        163⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        164⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        167⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        168⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        169⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        173⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        175⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        176⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        183⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        184⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        186⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        187⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6852
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        189⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        191⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        193⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:7116
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6252
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:6312
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        200⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        201⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        203⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6800
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        206⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        207⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        208⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        209⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        210⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 224
        211⤵
        Program crash
        
        PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7128 -ip 7128
1⤵
PID:6236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
320KB

MD5
78473afe3f3caf3c44cd43e8331d900e

SHA1
a34bbf22d3b3a4906b7c0c019d499d9eafcf39d3

SHA256
500ad2a01f017ce4013c9b1435cab32fb48241f82e2bc28977569e4782f00954

SHA512
0ad89bb3cbeec0a0dc83900f0445bf30e12b9d0904f9b319a1f8bae5312de9f103dbe3748f99dae08f53edc94de6c09e75b4c100f91dabead33f62e3f50285f5

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
320KB

MD5
04ff603c2e81c2f1b28807dc56191313

SHA1
38dbd1e9bfc8802fa51a494e06f1d30fbaec1ee8

SHA256
6cb9069bce0a36ce9cb3768f83a40927b8797b95838fc3137d8d04c9567b3c10

SHA512
44c8d08c5e18454913cfac6b58577b94047798aed00d8283b30e9d80eed9c5ba924aede8b091397617e6f72ac9d429baf4c30106d0257a89834eddff488545b1

Download Submit
C:\Windows\SysWOW64\Aednci32.exe

Filesize
320KB

MD5
f5938b8c3293fc195a84fd1af9593f74

SHA1
465b502d670f8e5a5ca9359c21ad9502d9c8de74

SHA256
9c6433d3b41ea94bd17454958eb4a1338e54c6efd943359f6bb4299d31fdcde5

SHA512
0f57a62d5cecd6d3785f26c9fd4585f08611ae9e2a5e952af214fc503d4fd29072947142ba78072f1d943c0d453531f78b4d87b28f8aa146ccadaee6615c6f6b

Download Submit
C:\Windows\SysWOW64\Aekddhcb.exe

Filesize
320KB

MD5
cff9a88f95db1278c24fd889233e1978

SHA1
b57188b48e1fadaa791d2fe02014cdbf21deb742

SHA256
105c0f7b63f604a0bd3b28fa83cc635636f5df4171944d3f1df3456071334600

SHA512
e33eaabc544c1928e246621a82edb1c4a31ad610691e87baa0b90657cd409e9ee10df447f3ff6ac797a3281d50aa3436f8fb0f585fac13a48247c6f9d49fd75d

Download Submit
C:\Windows\SysWOW64\Ahbjoe32.exe

Filesize
320KB

MD5
bafab6f37a532b58c1b93aeda4c271bf

SHA1
ace8041b4c53559baa12ff5efb1582bd831efc37

SHA256
0a904d5b4de21eef664c2168def8464c6a4c100e6462ac8518097b8fcb06d373

SHA512
e644c99287bf9a7d6cface8d967463f4079f5d7408abf95e7b5e5a30ef1261d8bfa1e64b8f2a6d86d4ad96f8095fea9bea495a1069f75f75ee52094c19652efc

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
320KB

MD5
296060bf9d3c657474103ef1afd628d4

SHA1
09f774b78818a35534539b0c819ae7bbc288e039

SHA256
7cab3dd120a7b1004d8e7b90b755aa69a616ad1413f4681ba068bfb719ac29b5

SHA512
9dbc99296a9010513416a4a3b0fd44b5515c84e16c15abc0ee7d0198a37d41ec934f1d0aea4eccc12fbd9d3cfd8c1d1d6e10f9d4c2adf82357840cd4da573ebd

Download Submit
C:\Windows\SysWOW64\Albpkc32.exe

Filesize
320KB

MD5
ac431a846ee7dd89aa7cf1a471fbfc77

SHA1
f557039173a66cc3d167173face1aa7c2154da3e

SHA256
560d1e9b9afa01f599bf86a2a3cae07459c8aabf83ec33641b63a455f9adc9f2

SHA512
274b2728b05c2e5f5291f81beb76895fc178de1a4f0f1fefc8ff1eaeb20b6320f01b5a2f1cf065c1badd9617ed4a221206f53b1b96322cd67d2c16305ffd0daf

Download Submit
C:\Windows\SysWOW64\Alpbecod.exe

Filesize
320KB

MD5
d3d81e5ab6ac10ca398d1e21b4b3cce6

SHA1
70a3e0dcfb13c7ba06efd3d49b56c8c374436830

SHA256
b60ad639cdf32a05b116eee457c290472f460d38a87a2378be86d360dad35627

SHA512
e38476b022f142c25f92f03d7226391d278991e095fc338d0c13e37769ffeb106974acece91971bd3e06611c39b7b90bc9e91ab6159026843be64ae3e219ca74

Download Submit
C:\Windows\SysWOW64\Anmfbl32.exe

Filesize
320KB

MD5
f277a271e500a740ca0544a91156b8ba

SHA1
7012cf8fcc01ef601c1089b46498d56a2d71724c

SHA256
1ac75a9ea6166c3bcab38d02dcc9a9abc0448aba31555118d0a2814c8627e432

SHA512
c32e27e5198cb80390a465e93f12dbc10c3da3b72ff148643329cc0df3d03aafa84d71daeb2252c97fb774411b6d8be11440a716dce54cfb9c09e3fc1583f0bb

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
320KB

MD5
ad2c8339a9e76d2b66aa2eaf6b711c3b

SHA1
15159b158954f5622da048234e0d7f683e3d5254

SHA256
cc551d8f275abe00e3e4989a0d5754a9a4e7c1e606ce00635afeb8a5513ae742

SHA512
9297e767f7d4b0d5488071d399b1add81c23b952189f95509931d7de0f39a5448366ac2b69980a83081cf1dfd6e238851f91e4cd99ed5fc3f8ae34c32aa062af

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
320KB

MD5
f8662bbfb2012f6cfc4e3882f18e68ef

SHA1
e4796dba7e64f9ec47269ff8cce704a96d299b13

SHA256
12e9ac994a15efba380d778a56ebda15a015b4b8e64c42c8c9e88ba9185213c8

SHA512
a12195a14ce40f906f4157f1a3e0c2043e0553dd9467da86b90ca0bfc3a7ee7e19238ab865d25c24e1eb9c705c757c86fad23aca95ba7f679a4c08c36f57da8d

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
320KB

MD5
c59b9bb4b8c467c0784fffcbf5557189

SHA1
4f1f8330853b086a9823f35a6261a83e1cc2e035

SHA256
8711666fedf6e789765a6332c7c0bddb26235a8445e7715fd751616727fd9929

SHA512
f0dc003652cdda083030c16266de119382e442dc329afb573daaa74e0fddad2817c2087a740cd8dd16bb8bd85650064e6e278769ad2b852b268338bc205cad3e

Download Submit
C:\Windows\SysWOW64\Bhbcfbjk.exe

Filesize
320KB

MD5
2627dd54e5e536eda7e56284d5d8c034

SHA1
5e8b1da7d33e0b8d14f9424e14242bdea53dd2cf

SHA256
b26a7c7df302b61baaeba0bbd8dce2b815eb49d382f641b4cbb92278d3cbe23f

SHA512
5fb4a6fe5fa74e37d6959b37e33c6753a80430d3a7e814ee557f4c61fe8c97b5f04621fc0827c64209d11d8402035b035841305e014099f858e4e155fd135527

Download Submit
C:\Windows\SysWOW64\Bheplb32.exe

Filesize
320KB

MD5
a10cbaf974fd35942874082ed38928ba

SHA1
b51f64d8aa0cc620cfd39ef9ec8ba56b898c4dc6

SHA256
9519f171b89dc94410506356b10adbfb1fac754957b78afb74062b87cceebead

SHA512
c6f3985be703d712951e69ed6ce2bfeff1333884fb1580a27d325e0e3404b13f60d689ff25d210678ab7b5cf1dc031ca25a55b7484e605cd20f38b390e4c1db5

Download Submit
C:\Windows\SysWOW64\Bhpfqcln.exe

Filesize
320KB

MD5
02ba8da4927f184d2187ecd52eb24a31

SHA1
aa1334b90cb0367c5c9eacc9be67ce104582c5bb

SHA256
4ef1dd056deaa31605ba36414bda5aeafc908a08a295615968a408588972c3d9

SHA512
60ed80e19c361faaf448a5506465114e572c76224d4e10018f85a936f317f3f40162837880a3dc8ca558cfed15b4cc96ab70b5a6b8a7cc0699566d93b2398e01

Download Submit
C:\Windows\SysWOW64\Bkaobnio.exe

Filesize
320KB

MD5
a8aed6ec78b6dd9e6873634a1085647c

SHA1
a54ce53afcdd9797cb33162db31ab06a2804a3cf

SHA256
1fb4c3017c9b56810fa912310a47ab62446d50b3d4c89242c5e05fbaec2ce901

SHA512
aa763495fe88179bd5fafcd94bb1c77b74a5527b4d1d147297c65edb622c74bc5f989d7eb732331de40816605d9dfa2d4961959c1c29ceaca9cc0e6c7a830015

Download Submit
C:\Windows\SysWOW64\Bklfgo32.exe

Filesize
320KB

MD5
490f614cb752ca703beb29e13c9f9d81

SHA1
5ed5d758e65af061206cf54cc55dba208ac26a84

SHA256
110f4d74dfa3b53eb9677c523a2c94e0c53f2b59c03d6fc2e16d715970a66642

SHA512
ea6573ceaab7ee69753a8be254932c794e7dd5aa3c08549b2131e25face8a8eb46743f2967b1d280ecbc58d7c1e59bb303f3b37c5e8b80480ee28c11d27041c1

Download Submit
C:\Windows\SysWOW64\Blgifbil.exe

Filesize
320KB

MD5
dc93db063747e445bf277dd05d9d9b74

SHA1
cd2f81a3a0018abddca1b3aaa513a2a4353974c6

SHA256
3c8cb037d63673d7100fc375f9d25cb2ede699af8a6c7c41e1353e5e93caaf30

SHA512
1f0e7396c57dd3111577cdc3275afc2d1ace1f0474a21bc3c42ec5122bb8851cce49d5abc89cdfac85f9d797ceaf8163408bc87429b9884beef01a33d3175b96

Download Submit
C:\Windows\SysWOW64\Bmeandma.exe

Filesize
320KB

MD5
eea84d60329b3d72f134b02ff48416a9

SHA1
1e5384e6d68ee59a5e47135a18a44a165750adc8

SHA256
807e0e54a307e3d6a0440de8ffccd9e14178fe83773d37e8122fed9cd5c538a4

SHA512
029009e9dc5cb58de7ad035a6d6e57dc2b0e0b53ee2ad91e7d790a2ffe929ddd56fdcb71ff46d900726eb07b780dc7b19a1e96c2e284232f236b7f46d98585e5

Download Submit
C:\Windows\SysWOW64\Bnoknihb.exe

Filesize
320KB

MD5
87acf70e256453c37970551720f274d1

SHA1
66312d6871a089437d4bac65ba8cd48e2d79f670

SHA256
d3381c67f4b2df90d74e6e3276af159de6632d251b8352fab1b8908baf222b85

SHA512
fc40952843873e6e642f6aec0c04f0dbba606e6187aeb6f8230c0f8eeadab435d9cc18ce0fa5ceb6c7d4e4d798475bf297819db719a64fadd1742697318f2fe8

Download Submit
C:\Windows\SysWOW64\Bochmn32.exe

Filesize
320KB

MD5
deeba57732da923b06398bd7940efc7c

SHA1
e047d9d5fd685439b4c95945562c47229cdd2b9d

SHA256
b87a043ab9545d8c7d714de6ecf7e8f53ca550ac79891164c9a851aa1000e250

SHA512
f5f63a5e7341f8f429bcbf66f7b8c0d7a9846b943a340991f2596844c1ced9a7d080e4a72274a4591c55d0e6d4ead7ec37d5ea4ac2cd0e0929dd56e352d99107

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe

Filesize
320KB

MD5
aec1d11466a005f1df9149de3ea73cc3

SHA1
f3643a780641fdad5aa3f45aee38f0d059ea1969

SHA256
8b53029a75f54edbecebeafe82670a47cf80f5641420a6190337a46c5dc0cc5d

SHA512
d28202cc8d8072a6ec22173419d50a627b20da9c75221e00ab646cb51a6357df9669f4ebe07ce6ce4028d61f3f479b697889320b64766cd13ab31b11681fd34f

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
320KB

MD5
9821b96b1f7f7981f3c4c0ac00757936

SHA1
0e539e72142dce1a508564003a60d40cdcbf54ea

SHA256
37b958c7fbb3f9ff286d549734d60d96b6eae5ae30994e87ed2fe4e58108643a

SHA512
2de79909abd9b85ffa95da94b41a25e96ddc2a1594d83bd67b91e8e5d18487de10bd70e8aea36039c553e26c9c437cf50408e01f91e9b60accaf9481ad541974

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
320KB

MD5
e21e02c8a65af4306c64df825474bb99

SHA1
49c714640eb06bb02f48628b0c7964977df852b8

SHA256
b4282047b15dfae766e027841e46a721c23717911d5bede0cb18f6df0e8e61a9

SHA512
ea322dd4c7cfe6299627112e29be23b564125779707e76e741c8b262746367628e231b1cc92187fbe2b4dcc77a48360e050a38f6b06862bf395322fc63afcffd

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
320KB

MD5
ba3a557a6b07ac2848f2fc3b30757481

SHA1
95a11bb539b6ee6fff7f4c81bab532d21beef438

SHA256
ba13805851904d8678b6aac9df69f9f800add25b3b54769ba0a084fc26e45371

SHA512
eccd083d4000d23cdc0cb8f6956031ac67f9a7013ed5e36e0e535ad419565575aa0b9c6b47a650dd30cfa60d3cc4bd6cccfa46f97347f4fdf5dad5a1a93138ab

Download Submit
C:\Windows\SysWOW64\Ckeimm32.exe

Filesize
320KB

MD5
ee0dc442d4c0989fda7ff289525d77aa

SHA1
982a76717089334e270fcecbcb1ec7dddd605c18

SHA256
fb16e88d79226c8558230f219d34784071dda97a7a3f808e21a8af835af16238

SHA512
9bbed259500851babf4c588565e1a5518521d1235d81a1a47f6d6798f5fdf0e51beb057e75060b18c86d10941a2b55ebfdd2cb349a9816ee617971fc8baf4949

Download Submit
C:\Windows\SysWOW64\Clgbmp32.exe

Filesize
320KB

MD5
82f9a29efb015695d7b6ee5a0761cb2e

SHA1
dc37635e19dd88b34e6c47bf45e7a3d292e9b06a

SHA256
58541d1b8dbdc594be2dc2543f2e9d1affb53a5f7dec6cce71c5eb91f4ee723f

SHA512
3799f7572cc6ce4c1b825ec1a576588ff2e329468bb6c45a2e78d046cb3bb8a8e2da3fc78f8b6b525050d8d407378cd77b4f3c0cb4c4358816ee32ef7f4e6ddf

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
320KB

MD5
3be022c4663df0f1b74a8507ac50c3d8

SHA1
d9c04d0b6cf17d498d00876e1b5b4e720fde54e9

SHA256
68d6d7e9acf42862f6f4ae34b56289ac560c9564c91080c3306a0fb1483ce5c4

SHA512
b4c1300b5097808b2171d5a66831b652722c75a1b4ce73a25410057fceb8ba914efc65a78fd8e80a5f1e4ebbc9998b9d0e92a5aedc2500566caccbc254b31b9c

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
320KB

MD5
3235c83a6afefb6eaafba8b5bbdbfa0c

SHA1
c58b7bc17de809025d71c13e4939f1e3f259f0a5

SHA256
a4a3336a67f4f41eb9b6fccb1035659b830aec063885f16a00219ff08aacd68a

SHA512
37a0b2ba597568ce58e748b19eec5039260f78e5f4581cd34d944dee4c41241c1ae539d809ceef188b9ce3a2b2c846e90640e85b0f4e6d5761b0221e48674919

Download Submit
C:\Windows\SysWOW64\Cocacl32.exe

Filesize
320KB

MD5
a0ad4af518104677889381c02232cb53

SHA1
69a4462d8c8dbfaf83d5776528e77dc85de7b21e

SHA256
22a5abd6cec077506827f8becf498e2afefb80b34240b333f32b35e4b98b5e23

SHA512
3c64729104b41938fb97c7941f3ddc6d97d42f33ab191290de81aab41d0b9ebd5b5928b876a114efb608b5c8b9d8704a93b856a262b6abc17e8314e50fc3647d

Download Submit
C:\Windows\SysWOW64\Cohkokgj.exe

Filesize
320KB

MD5
cafaf5740409203abc1870c7febcf896

SHA1
9ba97895d28cefd49994d8a0fba120fa763ed79f

SHA256
fed6b51dd920eb3e1aa1e0c71ba72f93497753a1b5b54dee83011037174dc226

SHA512
ae91cbaa5e148b6dedcf55eff0182634d77b06eec24142cadd53eaf88a96e77179dfc76852da529cacbf0cddfc99bebe3ad2fa3393aceee7ce628dda159c3673

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
320KB

MD5
0da6dd63eaf1d34d439ac2ac54339382

SHA1
641adb41e08f607cf43a8086b11131bf7690c091

SHA256
7aa908f9ddcadadf9e1141777771cd8e8277540efb3ba17824d0283efcdb1d7c

SHA512
c523799096a47adf8745764fbb359b9e278840b8ff2c8b06e4b6df2c00d339144e7940695bcea5da66fb0ba339cf606ea2933cbf2303dd5907b289fb37cce4eb

Download Submit
C:\Windows\SysWOW64\Dbkqfe32.exe

Filesize
320KB

MD5
407691fcf84b5367e4c87243f67dd8b1

SHA1
22722d4041b4ef0535e701f47d071e74fd9ab9d8

SHA256
a7d58641a067406d591425ca9f3a2ce991f6d5ce9b862837e5445877044e795c

SHA512
40159314ae5aafdf1900b9493b0fea08dfe2fad9feb3719fa8c9e11080deca1b5d1773a8e9424dab722cfbd3229f9673c3a539b9f7441ea67da755a528637fc2

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
320KB

MD5
382c7224125cb8def47a93ad83698be0

SHA1
d8453d7057a97d2c52802b1a3443d569be891a8f

SHA256
6387091f4135292b1674073b5c9fdbc263dedfb10bd5d442445c1216171bd782

SHA512
82c29264b4728a133fa54cb8a381d02b278ea722b05e96fab103821c25f0e530090d3050e1198cc2e3d160e942da51aa79a891184531861afe45fbf5cb4b4308

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
320KB

MD5
14530384f3d20ec19bc23cf28d1a7257

SHA1
c4fafa096af83ee6a03a10d01987842ef0beb507

SHA256
9cfcf94b1d45e7688e5e564c4f8f95df5f9b714f8fe685e6788f424baec48410

SHA512
b99f32ebbc4e3fe8c45ac9bfbca919d4f878add6400a320bd59db4b0bd753371a010771455d827c6c56279db137718dd105f5fbf0fdb220e396aee10e9873552

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
320KB

MD5
bbc9336319eb9d27d4f6160aa34d9197

SHA1
e614bfe5e2efb3b534fe8e6e5cd7db377f58002c

SHA256
181d617edcb08bac35e087b07f1380d96e6cbb953fa475a20cb0d0e6080760d0

SHA512
89c7372f3e051f09b4f1f60fc75f495d4b2c1398a9093b32aa2780147508142d4a13c352b93cbb905a129817ec6b7dd506498b1543d39ae9e060a752fc29c0a1

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
128KB

MD5
9a642f990e2ace259fef1301a0f59a1d

SHA1
c62f08fad58282218cd25d0cfdd56be5f0d3a8e4

SHA256
550674633d037c07e9193df88ef7dab65ca009eea082ae55fbafdb5ecd9d5b44

SHA512
13402597ed72f51cee1b8f90c0823797a05cffc1063b8400e57e4b5e3e562a91977bb53d8c78e5a3ddabd9b2c109dda305a7c07e238c24d63e58ce6016d69590

Download Submit
C:\Windows\SysWOW64\Dokgdkeh.exe

Filesize
320KB

MD5
740edc9a98b3663965e5948fc84292d0

SHA1
1c8b70b1719a6572431b4fa64948a445a470eff0

SHA256
7767e4b3c1b31a2e0316f4985bde1f0bb258e7be5aa5af8fb9f85fcefdec8226

SHA512
c193aa9a3590a1eae339a0e0252a1327d0549993d6725873d5ad77a0f7e81d4a222804b49f58995d2b83bb60ebfbbce170c84bb67d83befc63ad62eb129dadfc

Download Submit
C:\Windows\SysWOW64\Eicedn32.exe

Filesize
320KB

MD5
38a37b51a9d166ec22b594d16515759e

SHA1
03da62b0503e16652899bec9aed6af1c1bb85e7a

SHA256
1573a2670885375fa558ce2d54509b473ba1fbcfa41beb59648681b9bef6e274

SHA512
26870bea41a869cd1a29687ed065ff84ad709bed0c9ef7d5b0ab76078d2720588eb849ee6c9b0ff4522dcd6d9c0b25723f53029c4eff0490ca3ae69b5569e125

Download Submit
C:\Windows\SysWOW64\Gbchdp32.exe

Filesize
320KB

MD5
791abc19fb56c6adc997573738dae452

SHA1
db573da7442eb30177b6690ba1c602f028c40627

SHA256
a67b178429d98e7aa47cac81f0828ab9d9c39d50ecc89a72199491694ac5f922

SHA512
aee5f56828f3d35531b722d1649d7c18cf05ac2824da2416229934068e41cbc7480286a78a965518a5a8e2412cc81bd6153d3c8ca13ab602a6f8781d09d039ef

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
320KB

MD5
2721d761130b6160c2d73a81f7be978d

SHA1
7ffe5072e7ae225de9817f3892ba68f7c0a39078

SHA256
550a27319120e8bc58cd1a6ddbf705fe8dc0dc1095800fb9550aa033d19aa769

SHA512
51aa63b70f4a5361245cf4c25b76b8e179e14cb4be913982aa44799dbe0d0d83ea6f8978393116e9c8bd817532860815e77589b0085c455be6759771bebe20c5

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
320KB

MD5
661e0dca472ebd8cee8368831da11a7e

SHA1
8d37a7d12037e6ada31bff259aae7757336a00e5

SHA256
d00adc6e774f3e9d896f4e4c6be4b8ee1ddcfe47569b3249e6d80fc4d428834b

SHA512
3791d785987e614508fdb7562baef6f3a1f80ca6cf426f72b8462322106d0a7d537a5a86ffb8a9632fc8e315941b4e3e577fa6e43e495dce47e9f168157c1540

Download Submit
C:\Windows\SysWOW64\Hmbphg32.exe

Filesize
320KB

MD5
8de7f764ac148c56672125bf6644ac74

SHA1
281cb314342e70c3f6373940cee7a10991916db7

SHA256
2ade3a1cb9c94f3fe19e8556235b4c20300c59a90177861184e67364d9ba33c4

SHA512
bdcafa13009a09db90ec121c4329023cbb9b66d7a2b7bab55bfb9996922839c00b0c58c67cfb744670380f267f44f986fa00ff0b5a60676680a8b00623ddac0f

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
320KB

MD5
420f0269045520918fec2c20c51c3e39

SHA1
38c41e4a37db041c5607d29bdff0908264279993

SHA256
51ac84554593e0611ef54d7677f1ef6fb458e2f692b000a0db66ccc6675e0edf

SHA512
8f2c129f82527936da33119f03b768a6fc8fd3fc2a69f059d39943818d8b5340bedb029cd414661913e6e4110d948d64982eb466ece70f449f1debe1a5556ffe

Download Submit
C:\Windows\SysWOW64\Igfclkdj.exe

Filesize
320KB

MD5
e2c3da9a2c90fd2180cb3ebdebe81707

SHA1
ea1ac24cf9f054892ef4e08577d86e32af65567e

SHA256
a789a63ec5ec46c5b0afb2ef6a71481d0a7d9605caf6cd38a2312f3b1b6cbf07

SHA512
04400f1f9e0506f0a2173ba32b1d9f8139c3cf339a2b715358562fa6b53803ef849fdbe1f1b371a8f6eb4607004d508bdbde0b0202b46ab2c4c5b2a0e81808ba

Download Submit
C:\Windows\SysWOW64\Ilnbicff.exe

Filesize
320KB

MD5
6e33ea01536552c99171fb21318b0547

SHA1
ec32974a193597a5134ac6d5b600daa663685794

SHA256
b0582f4b929c2b3aa0102f493e6597c5b2ee495b8024a6799add8c66b6afb957

SHA512
5deaecf4c8c756621d5563a550e570e966f1d2b97477d392c0beeed6ea9a17d5bd89f86b00eec93671dc339cd1c2d85b87896fb5bc064c90b87730df39ddb1a4

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
320KB

MD5
5bb8469126e286408c683e58dbf657c6

SHA1
ca109b652882d90450b81ba76536505c548b496e

SHA256
ba3072adc95c14fca5f14dd4095fac84f337a50aefd1d36927b03ae6e7fa6cab

SHA512
b3013996e4597613fe0ffc0f602e1ed876360e0ed17c726e1d571e58412a6a97cb129e855a822e20d7fb909bfc007effab62166590d0006b9d46373f2da61351

Download Submit
C:\Windows\SysWOW64\Jghpbk32.exe

Filesize
320KB

MD5
57d6d773c96c0c4679b9f43ebbdba158

SHA1
7b99da800da80240988bdcf13f0456c0b2a0c96c

SHA256
7b47cda461f3748b269ca213042a7542eaf3f5883808962d7523c725d00f37df

SHA512
fb340ca46e2a9ea9a4472d59a21a7ccfdc0de78ab2ea6a5c8321abf70db4d85c7135f7b365d715282074cd30d8da3228c2b3c9a11bcbccf934a4c1a882ace8cb

Download Submit
C:\Windows\SysWOW64\Jilfifme.exe

Filesize
320KB

MD5
46154614b5f38088b098396ba086af2e

SHA1
5d4cf5a005935a66e71ea53f2579db1e8920c286

SHA256
892e2eefccdb09e37b258bdd2dfc4f0d8bfd53ad5e525f5d401a4520cf33fc8b

SHA512
1d24f04c086abd501c891f97fd8a628c64a3fe5ed901760720304af16063a19d63499cf81dcb04344481acef698dd9821f3c8c7cf2cab8fe540273e4bee434b4

Download Submit
C:\Windows\SysWOW64\Jniood32.exe

Filesize
320KB

MD5
e3c3f794381c2da1632bfe2427eb8f5f

SHA1
787fe26b4e4fa692037f098aeda88e9c962746a5

SHA256
fc38120145a25ea5011c815f0f99c1c9f639f9457073252a7e695224188660f8

SHA512
9db9c07c362182ba538b36184776143e468af0340efd72c4d95b06049cf842d1b8b60837e4002fa885f0d3ff77f031bf9b79dd7302c57733f58c7e526e56fe88

Download Submit
C:\Windows\SysWOW64\Kegpifod.exe

Filesize
320KB

MD5
f364c6d2efed7fc1d5218b6f5651ace6

SHA1
b1f62bcd24e1e73acb2cbd2137530538c60d2d9e

SHA256
7a49cb15eef0b9763cb3b913fbe94ecfe2c0e770c4dbbdc9f1d52029b895a273

SHA512
ad7746a74d0c8e79f9aa3f5ceacd5c5b536968412e53ae80ce536bcf5f6b28cfbe294c9bc1d20dc205ddbc5b0296f3e82eebb36846f96edd3500fa948b89130e

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
320KB

MD5
590c17bc7cf0bb9868a1c9e0c32e9c5e

SHA1
5436da95f536889b5d6e872fb9d60d2fa4c03942

SHA256
dda9208e8177a3119f707692a06ed0fccf456009c27470b96fb1d9a372318139

SHA512
15e64fbbec56b55173b7ba963f3971475f1a16d9afa4cc53cc33303b95d87d28bde141bd237c37b053749b5324497762bb499288b7d83222a129e8c1417da32d

Download Submit
C:\Windows\SysWOW64\Lfbped32.exe

Filesize
320KB

MD5
18d9aecb7d74640d75c4efe0a7765fa1

SHA1
b5a99afad2ffa883b9eb471273e4f8093c5002f2

SHA256
b70191b9aa3b1a6cfbd113b2e621b01c8e989b4bdd085b5f3153eb76bbabd91f

SHA512
8c3f6491b70c05c1fa57b882c7bf377a27039c1c43f915815a98481c0e0b364e266acaa5f446d3ecd9bb7d7f9eb69236954fa8077e09453bebb9c5a56496d536

Download Submit
C:\Windows\SysWOW64\Lgibpf32.exe

Filesize
320KB

MD5
8d6f4cdf48ae27d94b8bd8875cfbd3bf

SHA1
8c037716d2ebe109707c089fd39e5d7b44cdc832

SHA256
1d7f442ec04659a3622b8e3ebfc0511f9adf3a5e4274a5c0eb587bb63520c5c3

SHA512
f76cbd67bc498171a5649cb741b2cbcfbda44f8e5701485908999ac2374360038c2b009ea2ab199cb77a6d5057a631e9ab9a91685ffda21e89887d4586d08120

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe

Filesize
320KB

MD5
21071407d29e88e39f95255f6ad811eb

SHA1
d7552351465dc5b1a3c67561fb26b57e2c670b17

SHA256
eb04d1b3ee2ea7d9f95675e34e1392b379f94d91464576761ec7d85f8617faf4

SHA512
d5876a0813ab12f57b7eb838058180a35eb484868f77b6ac1acef6a64374d143e454c553ec222989e1173b293dc957f57f7e5cb9cab44008856f656c549501e4

Download Submit
C:\Windows\SysWOW64\Lomqcjie.exe

Filesize
320KB

MD5
34801d541059d9ecb10d8c677d493a2a

SHA1
6dbb21e862f3cd0fcf6af5e796b655dfb4d8b360

SHA256
a125e851e91b4e0656b60e8b57033935d1d8d03248fe0b3e755db549ef9b689f

SHA512
032c47e6c3becc03ed52067b9e9d0ff8c31d1e08aab0f6c3af27fe7b4c8f41c5e0262d3d7d6b543a08524335c86556635ea746e1b8eb69c2a9453328fbac8cfa

Download Submit
C:\Windows\SysWOW64\Mcbpjg32.exe

Filesize
320KB

MD5
084b409eefce5a72fb264e6110e69f3c

SHA1
c7c370a14f199dd2c3337fdbd683927ee5f5d304

SHA256
bfad9037361a36061b64b1225027e654db1ff29246fd781f5d5f9c7dfca709e4

SHA512
3e13ff7c61f0916d93d6d7922ec80f14a8de52c79498fbb7e74b544f14ffe163c456a1c4ce4f5f686e1d90f97873a2edcfe5dc73e846b8ac74f4828fc743ed25

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
320KB

MD5
675adf78065642c2ef7dfe01c3b2d6e9

SHA1
545ae64057875137e9f4bd3dee5bda808ea22826

SHA256
d7d141a1ddfeee0719bc73408fa1f43f6b57684a5c5edc348275be94da572292

SHA512
c5dc894f98227653795a3d0a1a06d4404bce3f5db20c3092179a3d7ad9c561c21cb1d8075538ad973f25a06acb318d67a6c523d037a3ca9c5edca4efcfabc106

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
320KB

MD5
340cdf8e9807fced9d5db19be3ea7a9e

SHA1
dbf0a8c08437659e5c75adafd38e9d9008a66f2f

SHA256
f074e4748e38010ac576b6d9c404554b068f63e3fbcc6f2c9d3392205e821c56

SHA512
6e1aa3191fdde3b8d8fe7dd75a9a054c77abf3a9adf7fff57fd15f44960a62ea6963356748fa0eaafd175652f8b9e3ce68557d373c18786757dae5e3d4cf0a55

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
320KB

MD5
8a02b65cced7f76756db457de4afdebe

SHA1
788152e672027f7c6675c6867a0c86319865942f

SHA256
428dc82787c2d863122482ee16f135164efd82b43dfd25e73940fcb55c6d50c1

SHA512
39924bec7ad0355c4e907ed9f83ad76d6b2e1ad8f0bb94b70222a8954c2879ffee2f3e5b27acdc49e10ce724b9790303b7166aee02d5b89f29088a96c4a1c64c

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
320KB

MD5
6315d64ffae62f8d6fd5b670b0d45662

SHA1
39ca2f6e8b402d30bd5edf7e1aef1aab274d220f

SHA256
951ec84bdcd2cf40873ceac4d05f35dbba970ec3af03da0936788c0e43b2068c

SHA512
25101a0fa4f8854bc300c9d762e2ea084e9ebb3866d45b39a487cc6af2159681fa70a56ceb22a13335786581f297cf2b0fe1a4973c7f4eac69e14b008347646e

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
320KB

MD5
f466190b7a3356557b0a80a79579b50b

SHA1
d824aeac6115c586ff1d4bf144fa28910b8ad23b

SHA256
188f5a0dbbac5d195720bdde0797437a87a3e1824772c66295628b024ca2d331

SHA512
93ce4a25a8d97ece7242239b9179738ba1db0c20206ad6bbcb6ef8fb1fcd9ba2494dae115ca8b3c1f67cfe8a5ae06ff9684e9c74d1da8e60ce5fdca55f83f634

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
320KB

MD5
ab5e474e18b4272bf84643f492730140

SHA1
91956ee7390d296280e6a82b8e8cc0a36871b45a

SHA256
064517fc41d17d293cf7c1ebb87c19daf05713b33f7830cbd2392f06701c81df

SHA512
dc7ff974b9a7175c52b9dc93040f2db50fac50890b81e5e9402c910ac01231f1c14e5103099c2a3442183b7f72b952234bd9329d598dc550d8f3ed26257991c4

Download Submit
C:\Windows\SysWOW64\Ockkandf.dll

Filesize
7KB

MD5
5434d94fcc9c852d72c1ca335cceabd5

SHA1
d105848935f02d8fdb29c04326d0a95ee6d17646

SHA256
b2ec01fda879c7d58d6c6c6509c53738dd2dc2167ad9514069b98ddd5e44d4c4

SHA512
f0501e9ede9557127a9ab4c9af1d48122200bcfc7e7022a2634e2009488b6cdb9f43d4259e9736f7319f75f980925db66a2adc79403a8558a4faeb9d362cfa19

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
320KB

MD5
5433d4dd6d45f659abd9ed6ffbf10205

SHA1
d476c185edafdff1f2e6821cbe1a568fb94f8760

SHA256
b9576e18f4721b9b1aab7e14d3a19ab38f0506a57e97297e1c1be66769ae4a57

SHA512
eba791186e1391fe9dfa7565a79518b606505b4367a90ed065e1fed183d406c1dd49deb8a3b6fa9373d17bd8dfa5942030d2e82ec5b3bfc7b131edb80ebd37fa

Download Submit
C:\Windows\SysWOW64\Plbfdekd.exe

Filesize
320KB

MD5
fcded29075894bf0615a99b2fc68c6ad

SHA1
d08f2f4b175cf63fa6107332b73c53dd42d88af4

SHA256
5bde7dc7b25a4307ce05d94026f5a3bc16470fc4fd352c14291166f0f4c75934

SHA512
fcf0c9e6675b5990f4a089d554c7fee4c4404f452be67a67bc0d2553ff76d7f680e1939a2ce0f8cee235296de1716bb6ca381ee273caacecd32d72b52951bc6c

Download Submit
C:\Windows\SysWOW64\Pmaffnce.exe

Filesize
320KB

MD5
6d7dd6a8c7c6f375aa6bdde8e086258a

SHA1
839d7dda13eef562893e59b3d0b5d88bde81fc0e

SHA256
5a864b12c5035719f98f4ee189308df59bebb602b5d5b1e7e2829cb1a3dbc1ff

SHA512
bd4978ec4ed0b9277978ec38db5a67a88495dc324deca73a008c63e78286f6920fd23e326ab13200a5a4604e72d38d5ef22f083f3d0dd1e76eea2bc3df002bca

Download Submit
C:\Windows\SysWOW64\Pmcclm32.exe

Filesize
320KB

MD5
f7d60f5dfdc71151844b44dc7aa87b97

SHA1
a3d30d29ea037a2a805952633f81459b49554384

SHA256
8738ec6d0d7de11dcc320b1dd9af52c163fc549ccacf1d02948601765eb0cf55

SHA512
c9ef3c4e494a2d1aaa96c196673082f95e175b280db0f6be6ec9034f51e4704d509096ff44676ffa8f3b12c6ab426b1bc0469734ffd83b51233c1a75e1b48c44

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
320KB

MD5
0b142ba6da21eb48ff3c086137ec493f

SHA1
49c7f93afe5f96c94ce0eea77464864c284294cb

SHA256
e2083e1742090c70fc23eb107de628b8765dab563f87fad52a0026c65a050502

SHA512
a6c4714f1c1361c6530da160371e5b39253bd5a3fbd595b6bef902b15a86b579c5938b28f2a5c914ba160a5650e020aa81854e528b9d3df457e9d167de83ae3f

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
320KB

MD5
bd697ea743648968ba91e7b22a945897

SHA1
013da11a6f1e321e4ede6230ec952dd357a9613a

SHA256
82e0e5b10f15eb2957a20e0583b3770571a1ee6ca4164b354679408e25ff909d

SHA512
e075cc7259f079b4882a2612d51a07646aa03af20461fab194b6bf8f14dc3f621ddbdfa064832f7750da0e650de0176eafc78bded3073aefc38ffdbf474ab70c

Download Submit
C:\Windows\SysWOW64\Qeodhjmo.exe

Filesize
320KB

MD5
04d05b95181ef42832f050cc19c2b205

SHA1
c02f40aefc32aee0bb01a5d3ab9a53639e389065

SHA256
77179dbad8305291298a5c16f1dd6c7224d4451d45ea748a7ea691fbfdb5284a

SHA512
8c044e56df1cc3e168d5af2592fa6238b050be8f65681e6fd05e0df658308a8b6dbf43f222c4e6eca47ad63ed075f4732740d2c5ee279708f88809a27d767fae

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
320KB

MD5
9b239df55d0399de44833b95029ab203

SHA1
ff61fe36caf70e15e98c214e5b752eff0430def7

SHA256
1d90f726e045d3051842cbe4e3e0febfd3a7dc9d04422b9a69221b9a32d8bfed

SHA512
95b918d6bf0c2bc03637ad98f78fdbeb567e151654bffb491ef9f0ac9ca9d8c122f922ea4c73c5bfe03e288306279daa0486eaea5011e749276d5ca8760b5593

Download Submit
C:\Windows\SysWOW64\Qlgpod32.exe

Filesize
320KB

MD5
2ae26b6ced998caf33309b89a42983ed

SHA1
84dc0fdf9b51d89dd98d13a704bbddbbbfe1d0c0

SHA256
86d7151273c27e8852bc7b361f85de45b8451085530978751bb6e18c3672be9b

SHA512
a35b1635e37063b276054a5754f03d7ff20ce9c4741fd2b68ef4e98e56ba5f94e6be0dd89744b1ec2c89a0333e36b68fbc8352ea39b41fc2781e87d78135b368

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
320KB

MD5
e27966e0476cbad666c3560a4490f762

SHA1
34fdd1989a88d779bf664e9cee409392c0a63b4d

SHA256
a43c6191f4f799cb9d3ac943292e1ad67e6d8baacfbed28ae150924f0bae5d9e

SHA512
f0a06795c32cb36c5d6ec63a52c206e4f76bf359afd4e3243b1564313a99699699d0aa59c6003027e3d589e46341ee4ad90baaa87a9c4bed1085c162e4d824cf

Download Submit
C:\Windows\SysWOW64\Qmepam32.exe

Filesize
320KB

MD5
caada84e359eb219dd368eb199cf2407

SHA1
7bf2ee464783757bde84ff5ff74ad99518d4f837

SHA256
89464b96f62e78e6a3bbc6a6ea52eb13513bfdf0de308504518d9cb2360d2ff6

SHA512
05a807e03b8ae8c0f5b24886b857c1eca269b2e33ee5661d6e016b26185f981b097403ab52bdde4d015cb020839fcbc919070dbe9ec89664d93cba78f2166030

Download Submit
C:\Windows\SysWOW64\Qoelkp32.exe

Filesize
320KB

MD5
b6c3d64204500ba15576acbda76e6caa

SHA1
8d94c852ec2a4c29e8b62f164d123009b369c9fe

SHA256
94cfbe87df6edc05641265bb636643ec102aa1d0cfc8160c756a8538ab8eb39f

SHA512
b9aaa6de0be34204ee616a7238742ff890750855c1466992632ad7ebb655ae0f2f52ed0a07f11995e84e2d4b9c0465fcac805ab79d1b88b9da8901ead636a517

Download Submit
memory/384-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/528-583-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-592-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/692-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/692-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/748-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/760-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/764-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/764-571-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/808-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/864-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/884-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/912-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1016-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1160-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1176-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1224-576-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1244-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1428-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1664-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1760-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1844-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1948-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1992-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2016-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2188-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2208-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2392-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2444-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2496-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2500-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2720-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2864-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2888-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2900-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3108-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3132-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3316-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3456-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3764-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3780-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3884-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3904-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3980-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4004-585-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4004-50-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4208-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-578-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4328-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4348-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4380-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4388-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4416-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4456-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4480-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4556-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4556-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4696-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4756-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-599-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5104-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads