berbew | 85ad54638b6e9bbcf815200c15ad5be89297d25839592ada0b1601d0100b3546

Analysis

max time kernel
103s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85ad54638b6e9bbcf815200c15ad5be89297d25839592ada0b1601d0100b3546N.exe
Size

163KB
MD5

b8a54b2ae669719b7aff03f917ce3af0
SHA1

27ec2d1fe523d63c4c85014cfd94dffe77c13f48
SHA256

85ad54638b6e9bbcf815200c15ad5be89297d25839592ada0b1601d0100b3546
SHA512

53daa0f279fafc20cd0e4bdb6c54dc6c30252890ba5535ba497a3999ec46b1bb76e396d7de8c01ee7738508e363c9ba9f3740c0c77df817c7f700616a6861302
SSDEEP

1536:PyxjXd9lamy+O6nlnxTn0lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:GXcR+tnx70ltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goglcahb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibfnqmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geaepk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpejlmcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcanll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljhefhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnlmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlolpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhngolpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiieicml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiioonj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfkbde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pecellgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fligqhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modgdicm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	85ad54638b6e9bbcf815200c15ad5be89297d25839592ada0b1601d0100b3546N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchppmij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qachgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbeejp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olicnfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkhapk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncofplba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdnmfclj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdccbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgpod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hplicjok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onnmdcjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecellgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pocpfphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akglloai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoknihb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgpgfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggnadib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnfpcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpiecd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoobdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakllc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hloqml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkkmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bheplb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfgipd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 64 IoCs

pid	Process
3900	Pakllc32.exe
1668	Pifnhpmi.exe
2856	Qhngolpo.exe
4060	Akoqpg32.exe
2680	Dflmlj32.exe
1272	Dbcmakpl.exe
4576	Elpkep32.exe
1480	Epndknin.exe
3024	Eiieicml.exe
640	Fpejlmcf.exe
632	Fdccbl32.exe
4880	Fjohde32.exe
5096	Gfkbde32.exe
876	Gikkfqmf.exe
2252	Hloqml32.exe
3656	Hibafp32.exe
752	Hplicjok.exe
232	Hlegnjbm.exe
4524	Ingpmmgm.exe
4400	Iinqbn32.exe
1568	Inlihl32.exe
5092	Inqbclob.exe
3908	Jgkdbacp.exe
4000	Jgnqgqan.exe
4356	Jddnfd32.exe
4696	Jdfjld32.exe
3992	Kmdlffhj.exe
3880	Knchpiom.exe
4384	Kcbnnpka.exe
988	Lklbdm32.exe
1472	Ljclki32.exe
4836	Lmdemd32.exe
2116	Ljhefhha.exe
1904	Mkhapk32.exe
3008	Mmkkmc32.exe
3412	Mjokgg32.exe
2152	Mchppmij.exe
3776	Megljppl.exe
4424	Meiioonj.exe
116	Ncofplba.exe
1624	Nabfjpak.exe
2536	Nnfgcd32.exe
2344	Nhokljge.exe
688	Nlmdbh32.exe
1572	Onnmdcjm.exe
528	Ojdnid32.exe
440	Odoogi32.exe
2812	Olicnfco.exe
2716	Pecellgl.exe
2024	Pefabkej.exe
4120	Ponfka32.exe
4600	Pkegpb32.exe
2248	Pdmkhgho.exe
884	Pocpfphe.exe
1536	Qlgpod32.exe
3540	Qachgk32.exe
1216	Qlimed32.exe
464	Amjillkj.exe
3972	Aahbbkaq.exe
4436	Alnfpcag.exe
1952	Adikdfna.exe
4924	Akccap32.exe
2968	Aehgnied.exe
2316	Ahgcjddh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Emhkdmlg.exe	Dngjff32.exe
File created	C:\Windows\SysWOW64\Qlgpod32.exe	Pocpfphe.exe
File created	C:\Windows\SysWOW64\Ekpped32.dll	Qlimed32.exe
File opened for modification	C:\Windows\SysWOW64\Cofnik32.exe	Cfnjpfcl.exe
File created	C:\Windows\SysWOW64\Igafkb32.dll	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Knchpiom.exe	Kmdlffhj.exe
File opened for modification	C:\Windows\SysWOW64\Pocpfphe.exe	Pdmkhgho.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Ckmonl32.exe	Cofnik32.exe
File opened for modification	C:\Windows\SysWOW64\Odoogi32.exe	Ojdnid32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoknihb.exe	Bhbcfbjk.exe
File opened for modification	C:\Windows\SysWOW64\Qfkqjmdg.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Njhgbp32.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Gkbofaoj.dll	Dbcmakpl.exe
File opened for modification	C:\Windows\SysWOW64\Jcanll32.exe	Jgkmgk32.exe
File created	C:\Windows\SysWOW64\Njgigo32.dll	Jlolpq32.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Ahofoogd.exe
File opened for modification	C:\Windows\SysWOW64\Ioolkncg.exe	Iefgbh32.exe
File created	C:\Windows\SysWOW64\Jcanll32.exe	Jgkmgk32.exe
File opened for modification	C:\Windows\SysWOW64\Mchppmij.exe	Mjokgg32.exe
File created	C:\Windows\SysWOW64\Ponfka32.exe	Pefabkej.exe
File created	C:\Windows\SysWOW64\Ckjinf32.dll	Gejopl32.exe
File opened for modification	C:\Windows\SysWOW64\Goglcahb.exe	Glipgf32.exe
File created	C:\Windows\SysWOW64\Akkeajoj.dll	Mnjqmpgg.exe
File created	C:\Windows\SysWOW64\Nabfjpak.exe	Ncofplba.exe
File created	C:\Windows\SysWOW64\Nhokljge.exe	Nnfgcd32.exe
File opened for modification	C:\Windows\SysWOW64\Kpcjgnhb.exe	Kodnmkap.exe
File created	C:\Windows\SysWOW64\Lfeljd32.exe	Lnjgfb32.exe
File created	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Mgbefe32.exe	Mnjqmpgg.exe
File opened for modification	C:\Windows\SysWOW64\Njhgbp32.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Dnjfibml.dll	Akglloai.exe
File created	C:\Windows\SysWOW64\Fgeaiknl.dll	Kjgeedch.exe
File created	C:\Windows\SysWOW64\Gkjdipap.dll	Lfeljd32.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Ichqihli.dll	Aggpfkjj.exe
File created	C:\Windows\SysWOW64\Jgkdbacp.exe	Inqbclob.exe
File created	C:\Windows\SysWOW64\Fihnomjp.exe	Ebnfbcbc.exe
File created	C:\Windows\SysWOW64\Jlolpq32.exe	Jokkgl32.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Plikcm32.dll	Bkgeainn.exe
File opened for modification	C:\Windows\SysWOW64\Hipmfjee.exe	Gbeejp32.exe
File created	C:\Windows\SysWOW64\Hoobdp32.exe	Hlpfhe32.exe
File created	C:\Windows\SysWOW64\Koodbl32.exe	Kjblje32.exe
File created	C:\Windows\SysWOW64\Dmlkhofd.exe	Ckmonl32.exe
File created	C:\Windows\SysWOW64\Akcaoeoo.dll	Emjgim32.exe
File created	C:\Windows\SysWOW64\Ohofdmkm.dll	Ebnfbcbc.exe
File opened for modification	C:\Windows\SysWOW64\Modgdicm.exe	Lflbkcll.exe
File opened for modification	C:\Windows\SysWOW64\Gikkfqmf.exe	Gfkbde32.exe
File created	C:\Windows\SysWOW64\Akglloai.exe	Ahgcjddh.exe
File opened for modification	C:\Windows\SysWOW64\Kjgeedch.exe	Kcmmhj32.exe
File created	C:\Windows\SysWOW64\Aphnnafb.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Kbgbpn32.dll	Mmkkmc32.exe
File created	C:\Windows\SysWOW64\Ccmbmpbk.dll	Nlmdbh32.exe
File created	C:\Windows\SysWOW64\Gmiadfmi.dll	Fligqhga.exe
File created	C:\Windows\SysWOW64\Ckbaokim.dll	Hipmfjee.exe
File opened for modification	C:\Windows\SysWOW64\Lqojclne.exe	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Aobbbd32.dll	Ingpmmgm.exe
File created	C:\Windows\SysWOW64\Glmoga32.dll	Kmdlffhj.exe
File created	C:\Windows\SysWOW64\Dgmchiim.dll	Gblbca32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8112	7984	WerFault.exe	302

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gflhoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bepmoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndnpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gikkfqmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koodbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifnhpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goglcahb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggnadib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ingpmmgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ponfka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knqepc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lflbkcll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adikdfna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiioonj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnplfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiieicml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgcjddh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modgdicm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbjcljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhbcfbjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fihnomjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnmmboed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chglab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnjpfcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emjgim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gblbca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhngolpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdemd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfgcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjblje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfgipd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bheplb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megljppl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadleilm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pefabkej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgpod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdnid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcmmhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjokgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpdegjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dflmlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjillkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fligqhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcidmkpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcmdaljn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkhapk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmkhgho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimhjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbnoiqdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njhgbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcanll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiipmhmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jokkgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljclki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdnmfclj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cofnik32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll"	Cfnjpfcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcbhah32.dll"	Ckmonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll"	Gflhoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qachgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akglloai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odjjif32.dll"	Bepmoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modgdicm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inqbclob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdaia32.dll"	Glipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpiecd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll"	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll"	Cocacl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbicpfdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnoiqdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fligqhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iliinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghfphob.dll"	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagea32.dll"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnoknihb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolece32.dll"	Fnlmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gflhoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akpoaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dflmlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpgpgfmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfgipd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpcjgnhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll"	Phonha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinqbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgnqgqan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlephen.dll"	Chglab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjhab32.dll"	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgngnj32.dll"	Jddnfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmoga32.dll"	Kmdlffhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnocehc.dll"	Ljhefhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpamfo32.dll"	Ahgcjddh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll"	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolkod32.dll"	Eiieicml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdpecjm.dll"	Iinqbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdemd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhbcfbjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidalg32.dll"	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmophg32.dll"	Hiipmhmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockbnedp.dll"	Pakllc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gikkfqmf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 3900	4268	85ad54638b6e9bbcf815200c15ad5be89297d25839592ada0b1601d0100b3546N.exe	87
PID 4268 wrote to memory of 3900	4268	85ad54638b6e9bbcf815200c15ad5be89297d25839592ada0b1601d0100b3546N.exe	87
PID 4268 wrote to memory of 3900	4268	85ad54638b6e9bbcf815200c15ad5be89297d25839592ada0b1601d0100b3546N.exe	87
PID 3900 wrote to memory of 1668	3900	Pakllc32.exe	88
PID 3900 wrote to memory of 1668	3900	Pakllc32.exe	88
PID 3900 wrote to memory of 1668	3900	Pakllc32.exe	88
PID 1668 wrote to memory of 2856	1668	Pifnhpmi.exe	89
PID 1668 wrote to memory of 2856	1668	Pifnhpmi.exe	89
PID 1668 wrote to memory of 2856	1668	Pifnhpmi.exe	89
PID 2856 wrote to memory of 4060	2856	Qhngolpo.exe	90
PID 2856 wrote to memory of 4060	2856	Qhngolpo.exe	90
PID 2856 wrote to memory of 4060	2856	Qhngolpo.exe	90
PID 4060 wrote to memory of 2680	4060	Akoqpg32.exe	91
PID 4060 wrote to memory of 2680	4060	Akoqpg32.exe	91
PID 4060 wrote to memory of 2680	4060	Akoqpg32.exe	91
PID 2680 wrote to memory of 1272	2680	Dflmlj32.exe	92
PID 2680 wrote to memory of 1272	2680	Dflmlj32.exe	92
PID 2680 wrote to memory of 1272	2680	Dflmlj32.exe	92
PID 1272 wrote to memory of 4576	1272	Dbcmakpl.exe	93
PID 1272 wrote to memory of 4576	1272	Dbcmakpl.exe	93
PID 1272 wrote to memory of 4576	1272	Dbcmakpl.exe	93
PID 4576 wrote to memory of 1480	4576	Elpkep32.exe	94
PID 4576 wrote to memory of 1480	4576	Elpkep32.exe	94
PID 4576 wrote to memory of 1480	4576	Elpkep32.exe	94
PID 1480 wrote to memory of 3024	1480	Epndknin.exe	95
PID 1480 wrote to memory of 3024	1480	Epndknin.exe	95
PID 1480 wrote to memory of 3024	1480	Epndknin.exe	95
PID 3024 wrote to memory of 640	3024	Eiieicml.exe	96
PID 3024 wrote to memory of 640	3024	Eiieicml.exe	96
PID 3024 wrote to memory of 640	3024	Eiieicml.exe	96
PID 640 wrote to memory of 632	640	Fpejlmcf.exe	97
PID 640 wrote to memory of 632	640	Fpejlmcf.exe	97
PID 640 wrote to memory of 632	640	Fpejlmcf.exe	97
PID 632 wrote to memory of 4880	632	Fdccbl32.exe	98
PID 632 wrote to memory of 4880	632	Fdccbl32.exe	98
PID 632 wrote to memory of 4880	632	Fdccbl32.exe	98
PID 4880 wrote to memory of 5096	4880	Fjohde32.exe	99
PID 4880 wrote to memory of 5096	4880	Fjohde32.exe	99
PID 4880 wrote to memory of 5096	4880	Fjohde32.exe	99
PID 5096 wrote to memory of 876	5096	Gfkbde32.exe	100
PID 5096 wrote to memory of 876	5096	Gfkbde32.exe	100
PID 5096 wrote to memory of 876	5096	Gfkbde32.exe	100
PID 876 wrote to memory of 2252	876	Gikkfqmf.exe	101
PID 876 wrote to memory of 2252	876	Gikkfqmf.exe	101
PID 876 wrote to memory of 2252	876	Gikkfqmf.exe	101
PID 2252 wrote to memory of 3656	2252	Hloqml32.exe	102
PID 2252 wrote to memory of 3656	2252	Hloqml32.exe	102
PID 2252 wrote to memory of 3656	2252	Hloqml32.exe	102
PID 3656 wrote to memory of 752	3656	Hibafp32.exe	103
PID 3656 wrote to memory of 752	3656	Hibafp32.exe	103
PID 3656 wrote to memory of 752	3656	Hibafp32.exe	103
PID 752 wrote to memory of 232	752	Hplicjok.exe	104
PID 752 wrote to memory of 232	752	Hplicjok.exe	104
PID 752 wrote to memory of 232	752	Hplicjok.exe	104
PID 232 wrote to memory of 4524	232	Hlegnjbm.exe	105
PID 232 wrote to memory of 4524	232	Hlegnjbm.exe	105
PID 232 wrote to memory of 4524	232	Hlegnjbm.exe	105
PID 4524 wrote to memory of 4400	4524	Ingpmmgm.exe	106
PID 4524 wrote to memory of 4400	4524	Ingpmmgm.exe	106
PID 4524 wrote to memory of 4400	4524	Ingpmmgm.exe	106
PID 4400 wrote to memory of 1568	4400	Iinqbn32.exe	107
PID 4400 wrote to memory of 1568	4400	Iinqbn32.exe	107
PID 4400 wrote to memory of 1568	4400	Iinqbn32.exe	107
PID 1568 wrote to memory of 5092	1568	Inlihl32.exe	108

C:\Users\Admin\AppData\Local\Temp\85ad54638b6e9bbcf815200c15ad5be89297d25839592ada0b1601d0100b3546N.exe
"C:\Users\Admin\AppData\Local\Temp\85ad54638b6e9bbcf815200c15ad5be89297d25839592ada0b1601d0100b3546N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\SysWOW64\Pakllc32.exe
  C:\Windows\system32\Pakllc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\SysWOW64\Pifnhpmi.exe
    C:\Windows\system32\Pifnhpmi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\Qhngolpo.exe
      C:\Windows\system32\Qhngolpo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\Akoqpg32.exe
        
        C:\Windows\system32\Akoqpg32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\SysWOW64\Dflmlj32.exe
        
        C:\Windows\system32\Dflmlj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Dbcmakpl.exe
        
        C:\Windows\system32\Dbcmakpl.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Elpkep32.exe
        
        C:\Windows\system32\Elpkep32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Eiieicml.exe
        
        C:\Windows\system32\Eiieicml.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Fpejlmcf.exe
        
        C:\Windows\system32\Fpejlmcf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Fdccbl32.exe
        
        C:\Windows\system32\Fdccbl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Fjohde32.exe
        
        C:\Windows\system32\Fjohde32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Gikkfqmf.exe
        
        C:\Windows\system32\Gikkfqmf.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Hloqml32.exe
        
        C:\Windows\system32\Hloqml32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Hplicjok.exe
        
        C:\Windows\system32\Hplicjok.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Hlegnjbm.exe
        
        C:\Windows\system32\Hlegnjbm.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Ingpmmgm.exe
        
        C:\Windows\system32\Ingpmmgm.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Inlihl32.exe
        
        C:\Windows\system32\Inlihl32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Inqbclob.exe
        
        C:\Windows\system32\Inqbclob.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        24⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Jgnqgqan.exe
        
        C:\Windows\system32\Jgnqgqan.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Jddnfd32.exe
        
        C:\Windows\system32\Jddnfd32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Jdfjld32.exe
        
        C:\Windows\system32\Jdfjld32.exe
        27⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Knchpiom.exe
        
        C:\Windows\system32\Knchpiom.exe
        29⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        30⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Lklbdm32.exe
        
        C:\Windows\system32\Lklbdm32.exe
        31⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\Ljclki32.exe
        
        C:\Windows\system32\Ljclki32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\Lmdemd32.exe
        
        C:\Windows\system32\Lmdemd32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        42⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        44⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Onnmdcjm.exe
        
        C:\Windows\system32\Onnmdcjm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\Odoogi32.exe
        
        C:\Windows\system32\Odoogi32.exe
        48⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Olicnfco.exe
        
        C:\Windows\system32\Olicnfco.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Pecellgl.exe
        
        C:\Windows\system32\Pecellgl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\Pefabkej.exe
        
        C:\Windows\system32\Pefabkej.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        53⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Pdmkhgho.exe
        
        C:\Windows\system32\Pdmkhgho.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Qachgk32.exe
        
        C:\Windows\system32\Qachgk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Amjillkj.exe
        
        C:\Windows\system32\Amjillkj.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        60⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        63⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        64⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Ahgcjddh.exe
        
        C:\Windows\system32\Ahgcjddh.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Bhkmec32.exe
        
        C:\Windows\system32\Bhkmec32.exe
        67⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Bkobmnka.exe
        
        C:\Windows\system32\Bkobmnka.exe
        69⤵
        
        PID:608
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Cdnmfclj.exe
        
        C:\Windows\system32\Cdnmfclj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        75⤵
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Dmlkhofd.exe
        
        C:\Windows\system32\Dmlkhofd.exe
        79⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        80⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        81⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        83⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        85⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        87⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        89⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        90⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        91⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        94⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        98⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        102⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        107⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        109⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        111⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        112⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        114⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        115⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        116⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        118⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        125⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        131⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        136⤵
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        137⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        141⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        142⤵
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        143⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        146⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6852
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6900
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7040
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7088
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        156⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        158⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        160⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        161⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        162⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        163⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        164⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        167⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        168⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        169⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6252
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        171⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        173⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        175⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        177⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        178⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        179⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        180⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        181⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        182⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        183⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        184⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        185⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        186⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        187⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        188⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        189⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7172
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7216
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7260
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:7300
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7340
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        195⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7380
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7420
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        197⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7500
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        199⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7592
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        201⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        202⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        203⤵
        Drops file in System32 directory
        
        PID:7716
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        204⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7752
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        205⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        206⤵
        Modifies registry class
        
        PID:7824
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        207⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        208⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7904
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7944
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        210⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7984 -s 408
        211⤵
        Program crash
        
        PID:8112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7984 -ip 7984
1⤵
PID:8048

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:7116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aehgnied.exe

Filesize
163KB

MD5
103d57bc45111949e0732542fcf70e4b

SHA1
1e482b484ce41ba77e3b20e419ef565cb168f596

SHA256
77fd9041c65ee7d28871101a2f301b60ddb904d8b49bafdbfab6d8673347a832

SHA512
fff070707a17a335801e29c09f1cf8ddfdb560f2ce83ce42bae4a57a0a8a0802f67b0ef2411dc6072e52ba2b0913d5ba5309d5542a39c894c32ccdf726c0cd2e

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
163KB

MD5
43ae144cc5e4bcb3e1a076e718baf584

SHA1
9ada2c04f3f3c3c495ba44d83d3c31056255336d

SHA256
f294ed18d1fadbeee7835f3c1b64d3f783a620fa01a6839b6c4c62cc3b8020dd

SHA512
589019e72262549b62f4378d4b697d6c6b6b9938aaf320dd38a540334c30707fb2546267fad46c96883df846b9cf95029c5f26f4be313693eab7a2905c009e70

Download Submit
C:\Windows\SysWOW64\Akoqpg32.exe

Filesize
163KB

MD5
88167bc567db8c42f6b9887f8f07ea9a

SHA1
0b04b90af76084637bd7dc58a233bc8dcc9823d0

SHA256
16cc33aaaca4bfc34278b94e61d9b53d6fd32e5d643560a754e567f1fec586c2

SHA512
1bfb4b08d11c31ee50053591c34d13bdc41e44413718b13ed0097825bc559a851f831c8009c3504c075ed35a9142a08e1a4c59eda837f30f0a6e5d5c983f9882

Download Submit
C:\Windows\SysWOW64\Bdojjo32.exe

Filesize
163KB

MD5
c3ca5b81424418fdd870e2801d45ff3d

SHA1
66f2e9f0154962a17269d47a6043410bbdc8492b

SHA256
d485416d06ec509f907c6691160efe48f8eabb2cd882b145a8550caaee12d145

SHA512
45f89acb7cb6a9ba009d238f66eb5281e6de1dca636eb4cc5a89eeaa795cc057d1b9d288678b545627168be02e962711648405c6483c0295f56f2411c819d4cb

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
163KB

MD5
e40dde86d5a373edb2289344e7d9d9cd

SHA1
7d74221fa1114de1da791d62b2de689ab60e2f53

SHA256
663a48bfb8db46d3be8e32f8003321904d8725eccdc7048da8146a8c2d278d3d

SHA512
0417ed0f373a5aabe52ad55090212ae1c54d0b59294926186b219452642e591364045aed32cd8ef9683d0612ae8ae1081eee229b8210f076b596d66b303b8367

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
163KB

MD5
c48edfa47e3cf9f201153b73c85b2529

SHA1
f8cebbb42e26e3c93563a56bc83194a2ae9a8516

SHA256
0d23bf81e0a7fdaaeea2fe8b3e037b455e1cee63a3611e62146a9b45af006004

SHA512
63ebfaff406b3af778722435eeaa4b31a689b7c8a4dc17f46664ca29abe2bd555fb0d693c62dcd99eb0a1d81a70a0ab7ffc3f7be043e7ac1020397c3e60855e7

Download Submit
C:\Windows\SysWOW64\Cdnmfclj.exe

Filesize
163KB

MD5
897ccdd35c801eded5abeeb8f58611a3

SHA1
fab6eb68cc73dfe7b42e6425a78bd470f47427c0

SHA256
86e60fdfe9de58dec085131f7f375b7950706c510824e48cb3b2ec503527773e

SHA512
04f3ef3487ba71cc6f0bc2241416ecd87d8e9a158fca3d79a0c66595a4e81bd60371ca52c5a5d311b17db11cf04a94de8f1e9605994ddfd895e2b5ca83fe130d

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
163KB

MD5
df1adb8f179039e32decf4be8d776c12

SHA1
90ee1221fac742f55a5fb9c30fa3bc42b6eab0ac

SHA256
2c10b5ff1c30b8e0470cd57754452820f5d2f9f0a2e0961052ae1dbdcd3f1c62

SHA512
d3e2eb2b82b5346264cfbb9be7f9f4b1b33ed5f1831f6afd71546a94166e7aadab5f987db10d8d4f97310216e1bf7d2db302cdc2d371f392faa4435e650fb7ea

Download Submit
C:\Windows\SysWOW64\Dbcmakpl.exe

Filesize
163KB

MD5
f6a28405cda45bfc5050bdbeb7155655

SHA1
c444ca2b76b653a114351ea6446bedb78c80fa5a

SHA256
4c64ebf92e0a0a8d83a0f6c56ce9321985388a629b3747d8382ac8f2832b788b

SHA512
f2881bee31b911d72e22f058045d14859f3737e5e0b783543ee3835ed315d8294fc9a12c2b0710a6f0cf3d32a61acd4d4f9344e44ed52d15a5b87870911a9aaf

Download Submit
C:\Windows\SysWOW64\Dflmlj32.exe

Filesize
163KB

MD5
0c195956be75b63261024738ef9eb32b

SHA1
6f846b832189f04991f518f21d997aae0e825904

SHA256
821ebcec830a88cf7aa9755bbeb3a6d9d6009130ef513189de1c920bb6841adb

SHA512
374f6a96d02f8c56c70e950d788d0aa0df0fefb524d3cab0d1c921d2b70708f1a50ceda47560898d01b5c9c44bb747517e52a62c8ca2c2fdec2f2b301cb4e824

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
163KB

MD5
3cbbcb6476c2b8f1d63dd5b4b10b0e14

SHA1
43ed0ef933f71477604b2c88ef5e6429ec3524b2

SHA256
eb951533b649d6dd76e91c5c5bc0fe3ba8b08ec92ade006851c47a2c2d1da790

SHA512
3e828bee81ac7a03807e736765d6176eb6de9fd607bf5f4506d91104e054b6899e3ce0a2ef14264f4e2ed03fbea5fd13ebfda3269b29d0f78fdf72710729cfd2

Download Submit
C:\Windows\SysWOW64\Eiieicml.exe

Filesize
163KB

MD5
c5f58a22178d8c7b9075a997ffb79997

SHA1
6e17bada433ae8fa9924fc9079d3e20ec79bfd6a

SHA256
45b21b5696676a692b4517f0f50b9e70a8ca59dd612999d8364229275032f3fb

SHA512
9c4bbe04f40f820f170c6ebae7d511e3aacfec62d66a93a258e263e823086a92ebd3f5750d2779ae50afe16cc9fb18b1f8eb88735b42634e43934de8f24a29f3

Download Submit
C:\Windows\SysWOW64\Elpkep32.exe

Filesize
163KB

MD5
9cd12fe409da27dc36ffcca6b13a649a

SHA1
9e925368c14d8d4027f15dc51e6fcd68c12c3dab

SHA256
ae8d97e3fc8c690a9ff237d0260de3125429bd7a476778d7c109624f41c4dfcd

SHA512
4b2721c2b874b02c659b9e2c0f28fc0181069778fb763d8150b6af6e21e57b209fae8a32c539015de7aad2b3fa6d0d0a13a6c42517208a1f8fbbb2220f44fb1e

Download Submit
C:\Windows\SysWOW64\Epndknin.exe

Filesize
163KB

MD5
9c2970c63a6620df0ff87a774d6c1816

SHA1
9dc6fa210b307a3f80e64f7e39b6b83296584974

SHA256
32f1765e6fe1d620e4e3d20a3a0c9718b26d55035f9222a992709277de922c56

SHA512
3d408c9ad8fe7a4fc9d727cf66aded8f82a3838d3fe5fe81ad1a65d2aa5352ad7912c238ae1bbced817da6db42548c08d97713955feb379d691a9abc2824f2dd

Download Submit
C:\Windows\SysWOW64\Fdccbl32.exe

Filesize
163KB

MD5
351a6f2a0a8c2f451997fa97fcdafd54

SHA1
f03470b46b28640dd35787c7ed45a0f2c22462da

SHA256
31dd75d91c192a6491308a08d9493bd5ea0096cd9b87fa04f256a4a834c86717

SHA512
c0c3cc155f50ad7548aa478aa444f740c0d6495c88d3700f7b25e2f03ec27b8ea33305d758bbfb566a1f94eba0113403f0d1d73ee8168053ddc857bae4536ccb

Download Submit
C:\Windows\SysWOW64\Fimhjl32.exe

Filesize
163KB

MD5
14ca0fc973f999746ef0233fb013ad28

SHA1
ecf4b986b3e50f4dc836f0aa5ba57a1aa4b7d3eb

SHA256
7848581642d881a6e7dd62097c155d8a70371aad955672cc6b1f42f2ffe060b9

SHA512
fd2a52e904a9805ff2715eeda4db32af4ac30176bacecb23e3ff1059714a7769d7caf3b863a3afa28590d178da43135df3df6deab52d249eb53a3c2d6e3a9467

Download Submit
C:\Windows\SysWOW64\Fjohde32.exe

Filesize
163KB

MD5
f7dcfa82c4a30ac3844f1d30fd5e285d

SHA1
5769e2b4a132521c4a8acf03f06a526af2bebe3f

SHA256
75eb15a0765eb87706814243d74a5391d13df81a972cd42fbc1951c893c698b4

SHA512
276587c6bd48bc250080e29361c4736dc0e4c15fff82962e06cf5fb1cf6f77bb6fa2244fa388d86f94cefdfb005db0caf97a9039a90cd871ac2ef0ae37f2f4c7

Download Submit
C:\Windows\SysWOW64\Fligqhga.exe

Filesize
163KB

MD5
a10e55924c4a4387e506c076f3547d6a

SHA1
82dc60ed990a3dbf64498aff40e8c101d0bbe3c7

SHA256
08d77a6e60ce7e982001e9e0833e47dc07d974d7f3708e14359fa54b5c75ce03

SHA512
dff38c27e503372240715f725577a205bd0d8e5f621045c65490d2f1bb9b903cf920122c4084a63ffb5559dddc3bbe9c8233cbc6b1d1c2955d2686d5d06b817b

Download Submit
C:\Windows\SysWOW64\Fnlmhc32.exe

Filesize
163KB

MD5
b15dc2aaa5b375eb700e613e318cfedd

SHA1
bf044fd4c6b15261585a5dfa00b17f12363d9ce0

SHA256
afd2afa8bebd0239c18ed5438001308f83445f353ade6ee3ff097fad2d91832c

SHA512
41b7ea40093fad9707bddc2fab7529796e490c19c69fe60c446767d0bcfd834a5a3a8d626d25cdd90b701f9996cc259b00d1e45b68ad27fb1cadea70f36be8c2

Download Submit
C:\Windows\SysWOW64\Fpejlmcf.exe

Filesize
163KB

MD5
557bc2aeb31d24363b7a595ffabcda2e

SHA1
a7c84484232f420a0ddd62afa4c116fe70e22aaa

SHA256
b09f3f96c29fc15a7a519c990232418a59c4cd96ba53bed825b74c5a06d0952f

SHA512
e55c446ad3131aa4d4c4319444269275785834a0abeea13a30839f09c193b6aee64e42ef501ce9b22c3bb6c4f793955a9ae0ef505fa7ce1d4f90c243b34477ec

Download Submit
C:\Windows\SysWOW64\Gbeejp32.exe

Filesize
163KB

MD5
a62cfa7d7b9aa456babf5eece0912683

SHA1
8c40a121abb45f8dc4f3b31f442f97ff1caa1e7b

SHA256
61c5ceb1b2a0b8cf3062869e2521d3a3657d3be2e8489e3e249e2bc9d6f6ab0c

SHA512
57f7aab1c2ae1d66dc664bd32903cc78f81391beba0f339d36251d89e5d7c305a8f02c816ae4bee61ce29ab64e5e1d0a9fdcc646fcecc4816fe92c11601ead6b

Download Submit
C:\Windows\SysWOW64\Gblbca32.exe

Filesize
163KB

MD5
76cdac498585a0b7ac8b73052d75f3a8

SHA1
f8e5b1c328ab9cf935b47e7eab00224653fe3657

SHA256
6d60fd17fb07bac7ece0608e63ddda25daf6fe2005576db5177808aa0f0fb2d6

SHA512
582adf9c05eb3dee5dee8bb9f4afb4d744a2b9e69a20365981f00c76bc75031c3b5ba0e7877177881d2fdd13014966aeda7dbef0532081e2ca1a94dcf96b7991

Download Submit
C:\Windows\SysWOW64\Gfkbde32.exe

Filesize
163KB

MD5
d68bc7849d389face783b20bd60ef71b

SHA1
55601065462bc3d2e8a12ad8db43bf0260c352da

SHA256
10bdd27be20848d833b62194a47589975d3b4113cc5069d9f1dee420e6998ce5

SHA512
06e6c908d8c717370cd53c72f2d8cb75f4b7b443dcdbf44a3a9da2f5b74e4127ad693d8270511173a8ece4c64c7f36d15a5d07ac45902c88652a7be46dc11613

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
163KB

MD5
ca8a2f347cad4051ff8e517df780e517

SHA1
7c17d179bc5eab4f454be41b030b392461c618e8

SHA256
a59100e08b0188af6c7d053d66d662e07b76c8bdc5faf71546ee7772ee77a976

SHA512
3f815e3b7181b40d4abdfc25a47fb9cf87ecb508b7955c42596fe61877e6a8239992973067b5f74227888292b4cd2b3d389ebfa60ff5f27d0b375a2b6b2f9b92

Download Submit
C:\Windows\SysWOW64\Gikkfqmf.exe

Filesize
163KB

MD5
bb7511e3da7064685674d02385daeb02

SHA1
436c59d2bafda20c801c3506bf97fd5b0478da89

SHA256
4c7ca1f7efbc34b82b216d1aa98d79eeba74de04ba7fddb96f17955ae5f80f51

SHA512
8b4ad6d9f6da2f316b73906a86e6af656a8ff46d833acfe82dfc12a46bbbc1c64c43874d65df8d5686010e284bc7b668220f760f16ec2d8de2c4596e625b516c

Download Submit
C:\Windows\SysWOW64\Hekgfj32.exe

Filesize
163KB

MD5
b93782d1005c55608d4a3bea0ba3390d

SHA1
e89fcef7b0b2bd7bab68f0e81fff56b131227ede

SHA256
7c6c86a01ebec4ba7bd8697152e41f5481a5a35030de5f7bc98f3414f89d81ef

SHA512
9714299152290f45828fb835193cd59830125a1fe669ef2532f2118fd9fc311119e4f246e68889e4850aa542a50c3c679eb3a10538476843b99efba3c48aa3d9

Download Submit
C:\Windows\SysWOW64\Hibafp32.exe

Filesize
163KB

MD5
2281cba480f097d6582d3163ffece3b8

SHA1
554851d8bb9ba9bc5ebd707793b595cb6c6c1688

SHA256
ce0119c25016c57a22a6983dbc1686a3a2d3e3adb69a861f258a434a866d0088

SHA512
048c9aa6ae0d1ff56d2bae6332a62a5a57e8f83e1e226191f97cff2ca2a816b70eab80ef16953ebfc89809f224b62c4b2ef78237ffb91db6c0282dc644f1f797

Download Submit
C:\Windows\SysWOW64\Hlegnjbm.exe

Filesize
163KB

MD5
6d8d3420b3c5c74eac9e8d3d662e7243

SHA1
4415b99ff2f2db721be766bb546f89bd088af9a5

SHA256
9df17de47ecef7289af883b9eeced65cfbd0604bec03e4a38a1e4f1779eefada

SHA512
fa91ed4cc05e2797c39016e05113b8e95c42503f8e094b0bf28d4f4e0e6f11e50ac3edfda0a9ca02b8a625551eab8571ad33f10dcb8324499b01bcca7fd2bdfe

Download Submit
C:\Windows\SysWOW64\Hloqml32.exe

Filesize
163KB

MD5
a2f37227d47a5267df7176a395d0b607

SHA1
2ef6fa1711c6022f325e6944234bc36ec9fa27d1

SHA256
80ca7b398f761eccdaef19741cd8a00110eb7d58314169deef661a651ce36a82

SHA512
b2427c7353a19e2f62bdd9f0cfeb8d27b6084b07c38a0e2014a61d370aafa7e2fc2260ac2890b156c3c960906ff2c2f3b526b87abfdfc16fab5baa83af5c833e

Download Submit
C:\Windows\SysWOW64\Hpiecd32.exe

Filesize
163KB

MD5
f5c12ef4ab49aeb79514903f5c7f59ce

SHA1
d3d016ab994f754cc39af8e67795ea5374e6d1d9

SHA256
0e5431f9df59e9e81cf768560cbad9ddd5b2d3ed5d7b0328a0fd0f8840cbb3cf

SHA512
3e94a21559e616d8ec53c8fc23ec7777815aa8a872aca3053dadd97b34867ceed51b24a24035c9d506ab813d53537378ea4f0470c7395be82525e0a566fec9b3

Download Submit
C:\Windows\SysWOW64\Hplicjok.exe

Filesize
163KB

MD5
285297ef8927f7a7eb072b77b550be8a

SHA1
c78876b13a8f6000c6c87c08f95f5e9f1a70ccd8

SHA256
4df7eb003675d3241d703956cfb414453885a42da7b462f2af12df861d8b2c34

SHA512
2d72f7dcebdf0ef36cae77bd5d0abd080434bd569a4cdc3806c2ef213575cf3e1e076c25e2e9fa8385d6fbb97b1eb74ad50aeb64f575abe97de54daa9609453e

Download Submit
C:\Windows\SysWOW64\Iinqbn32.exe

Filesize
163KB

MD5
f9198516e159e798e38838a95472fc8e

SHA1
d893c2610e41e3391aacf5997cd7277307ba148e

SHA256
a10144d4c2092d04732e5454762d67147f884b22d7f8844f3d68e1693ee5c157

SHA512
76fd02859f68445143cdf373aaf429985f25094f38510271acc7ba75663a29f1397b5b9eaf832c93a414dd608e5346c3fe292abd4531cc4b941b04659ce570a1

Download Submit
C:\Windows\SysWOW64\Ingpmmgm.exe

Filesize
163KB

MD5
92fa23bd2a7a66fc83090fa090247c3d

SHA1
ce8e78255ad312def74c3af1a79b94c947a9d8f2

SHA256
0c2f69a2c5bb79fe9350b549b718de88c60ce43595dcb9c7cd65ea061b8ba689

SHA512
9c014f0707cf128fbfbf13de9d542fa4b88aa528c3388f5c27fc62ceaa5574c29ae7d631402ab8e76d4efad1c703b41bf8b0cc6809c22242fdf73bf7b477c073

Download Submit
C:\Windows\SysWOW64\Inlihl32.exe

Filesize
163KB

MD5
1b8e32bdde00975f7e4d518c728e88a5

SHA1
5e49cfc66976de7c46e4ab4022f3aca6c721bd4c

SHA256
580072654e99bfd1f00eb96f0b61c4499c3e0c3bd5ef207c7fdc86f0fa9bdecb

SHA512
879b9fe194b5dbd2c88c551c6281b3a238646a7d245c18e6d950669149995fca11d9ec849e33e4267b6da2a7a3bf51947d4af40a5c3d0851914eb3ec7674eaaf

Download Submit
C:\Windows\SysWOW64\Inqbclob.exe

Filesize
163KB

MD5
388bb99e65f772589eb89967ed602b3d

SHA1
3d9bceee2639c9c3fcd9ed7a39776f75079aa770

SHA256
0346f53508624ab8ed3350bb06c8aab9f12c9279732cacfd89226dcbf1a393da

SHA512
774b1957a28b63f52e68c71803fd1711c33adc2eec0aaf053129a0d6aa34f8dfff365214508632dfcb3334a596c589d2bc1c685cb03312453d35973d22dfb86c

Download Submit
C:\Windows\SysWOW64\Jddnfd32.exe

Filesize
163KB

MD5
86d9805e94e3576c3b5b97cf1cc5d948

SHA1
526dbcfd8b816b4a9e7dda5a127ebd81e6624bed

SHA256
b41e9db10d4086154d970450eba2f768872b7ad3db74a979c3714f6190de9976

SHA512
27f59576b91d0619b28fbc8013346e12e75a8a42e19780885815c591387410529a745e796c187b6db4a847e44ce1a92a944a78c849dccf2cf8b10039f25c54a7

Download Submit
C:\Windows\SysWOW64\Jdfjld32.exe

Filesize
163KB

MD5
06edc730b9ca3e33351cfd798dbc4250

SHA1
e50363f2805996b05d03f3d8c9bfd6f4648d86e5

SHA256
89a0307e0e339940bb4f3f6e3f7f0c8250cc08117810ba1758d668aec5ebc623

SHA512
cfddf5e894a1fa68028cf5c561a651a6a576098a382bcda92cb684b557a4c03de21c448998420c70aa5824de9e2cda4050bec5db14c84179dd7923005cee5550

Download Submit
C:\Windows\SysWOW64\Jgkdbacp.exe

Filesize
163KB

MD5
5910e00ad1dff50dd7af08a94755a4e0

SHA1
91993e06b74a5c185ad8d26485eb886cbf430126

SHA256
f336d070dd997bf44b24cb75c596e6eb6f88a850488f794001b47783807f0dd0

SHA512
fd4bf34d0600cd456717edf70084c11426c875055250782a757c49dd025473e87015e7e4100fe3cfae8e74d341345248b10254a0cd700bfbee8c6649a22ee8ca

Download Submit
C:\Windows\SysWOW64\Jgnqgqan.exe

Filesize
163KB

MD5
a3f483960ca9ee5c4a1bde969871b4c1

SHA1
99a575b56f3bf1ae2ecedd5ae983b5fa8ac5d653

SHA256
697f543801d164a503bf4148b6ebf4c247017524a3b2f13d3f888d0f2fb470a0

SHA512
e87dfee36a3f369d4965b81e573b5730dfe5fac96bf3b992da2ea6a903c92455e1a3bcb73a1ec71efc49fa844777829ea1bc76ea1099d2956992ef273aa9d13b

Download Submit
C:\Windows\SysWOW64\Jpenfp32.exe

Filesize
163KB

MD5
540a397d653c612b6c5f6f3e17b5b6cb

SHA1
652661d096ba3c5eec962993243ff91762700793

SHA256
29d4362842f3a4e04d65897371b7bd1ed95e490d4db3fa49b248ad2d7c116943

SHA512
c59732cf135d4bc49fc767c95b7b520ca1f8189ee6ec9c65e7c031233e7722df904553e9a26f9f84222c4a9ba4ed63303f04234cfed38960f424aaf00668aac5

Download Submit
C:\Windows\SysWOW64\Kcbnnpka.exe

Filesize
163KB

MD5
d0d95fbf6043245b429e34a63d43dc5c

SHA1
da8346cc5f2d54ab90882b4f3122efa1dbeb9457

SHA256
b984d2c0c4b20c1c5d4c5b7a4d5c39a417d523fb29d38e5ddfedf734165f0f9b

SHA512
a60c77145d982bf60f6380bb22619f52af2fbba593d12b2c9ed7504b8d786cf85109afc155d20c7bf11d9720b6f42faf303a6e3d5edc2c7fa4e5b4b081f7c963

Download Submit
C:\Windows\SysWOW64\Kgflcifg.exe

Filesize
163KB

MD5
c57213421dbe9bb61b072250a663a543

SHA1
c8e0196c69fe5d2326c5bb15ddfa8ede9b4cc889

SHA256
ed5cafe1a4f2bf84fb3638c8a9a2ffca25351c08020e8997977e2d60fa7a7344

SHA512
28b191e47c76073659e80d6e961036209c0ef7986bb570d9eb9a37789b2a94c4c356df6274c9c5b558529ef773e5df57a4db2804ce078a1771d93cfe612b2e49

Download Submit
C:\Windows\SysWOW64\Kmdlffhj.exe

Filesize
163KB

MD5
c422435ff928e173e1da18cfcc08f46e

SHA1
099ad4906ce43c9f1068133509a6f9beef822925

SHA256
d912469bc4e1661f0433a0e58ec576b5c44892a3c33b9cc2b2415bbc23b03b61

SHA512
29032c2adf0d44da9dd99002622812b90d0d67005462eb6a7de66dd6327dc349abcddf8c2da51adb7de504e1ad0d31194ca8d3ae15cc145e5712327dd5e69bf2

Download Submit
C:\Windows\SysWOW64\Knchpiom.exe

Filesize
163KB

MD5
d79f8ec2dab1609327280c7a7c3ee0e9

SHA1
732ad339f1c091eb8a856b18f02b4c3df50226ed

SHA256
6ef87dbca446454ace27ae7497e182f1ced761f95330df163e6e8b5a6ee9cf56

SHA512
417e4c6e2aa7f24d423f4cfce580503d1cd81dfcf748bfbf93caa2810046da811beefed6c21363fa731e033a1f259d96e07b9e901da35ec8abbf27faf55ba75f

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
163KB

MD5
2388af5674839c869df486de5deb6c72

SHA1
48209a1f1ef57fc474ac1bc8768a22ed3a5ff16a

SHA256
b53876c99d2bce3cf6bc8c7d19da2923e38397e9a1333d2a181bedfb59996464

SHA512
2ef1ebe02935d8697b51e81fcd51ba6ca2690796d6924ab5c75efdd262a06e719c37852190f0d99a73459f84ed8a5e8dda8ce135401a400e5556fadadc9ea3b5

Download Submit
C:\Windows\SysWOW64\Ljclki32.exe

Filesize
163KB

MD5
934bf56d2d9e9635f9fb05ea33b36df2

SHA1
8e697dc1896694088a00bc88662aeaccf2f1ee98

SHA256
5537d1810473d3e69c55a7c35005d3b12376668b1aa0661231808872d367c0cc

SHA512
3ae069f630122156ae16e798fc60290cce238e4cc0880cf663a91937ec1a851d76a75254cf288530bb7e13545248e8b443562618d786037efed475a8a42f7217

Download Submit
C:\Windows\SysWOW64\Lklbdm32.exe

Filesize
163KB

MD5
0b81faa1c7103d94644c8b58b0ceb17c

SHA1
32cb9e80e14dd4bc9a68ed8db8b61b6763a44ed0

SHA256
078e760131b467c8533273611a8987e77e27630e32f83e3681b3ddbf307557d4

SHA512
d15df63dbcc1916a43894579a85523fb38c8a696862b61bf95e7ead1314b7bd0fcb1d0b0b8e9d90979b2d8e4a8a886040754a189129b7e5cc1cb347ef1eaf0c1

Download Submit
C:\Windows\SysWOW64\Lmdemd32.exe

Filesize
163KB

MD5
4451eef8412ca52d1bf8eeca4f0a5922

SHA1
58ca5cd50313addee911869083e9cc1da7a6a688

SHA256
45943c980430ec2950f022c080a7d0c8b07348c8263c4db1702b186cd3df9e64

SHA512
6c54ec36cbc3ac7361e0119ea6b45e6f5a6b9940d9ffae31cc4d4dfb6b063fb0453e18dc29013a79b8041ec25691c032c3503f305cb75178416ddba3c1635968

Download Submit
C:\Windows\SysWOW64\Mkhapk32.exe

Filesize
163KB

MD5
63d4cb1cee1e145f6b21e896a996d9a5

SHA1
bfaa5f172b67c5f8b4e411796ab5caa5c1c57854

SHA256
ece8c4990171d644d4a45113d9758eb359446fcc1e47d4dc3c0de6d5572a03b3

SHA512
743fbbaed4a467748600bf963c56148f650ac590723aea33e0532889c1d95b4693386d038550ced2dc257894644118df72f071442c171e4de6f7b2702e9d8c6d

Download Submit
C:\Windows\SysWOW64\Nfcabp32.exe

Filesize
163KB

MD5
21d498690431cc5b85d65738c9775cc3

SHA1
428a6685662b11e176951f8d19890b2af9b4dba4

SHA256
45d88d49e93d43bf8aa0d3d85e164bf8924c2b8a826c6502e3b756156bec71b4

SHA512
58d2c32f7eef5a91b6ac87150fdf323c51c64f367af98777cbe712290d6f51bbc3a546c57bc89a93ea453d0fc0082ceaec5282e00928eb1ae4cb204b47dbd055

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
163KB

MD5
539a43a2bc9e42ef56514bb7970cbdb6

SHA1
eeb7df1cbc4f2398193f2b864a6717f3d86f5f3b

SHA256
47d4491cf6b2722ca159c0c79da4308db939262256a38a719448c33e29d76359

SHA512
301a802b4c32ed5ee0900ecd3077de9131626f24cd5778899cd02fde5426d3ca098845ce9bec099d87554525582639d58d81dc8b7a735386043a379f3272f2e0

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
163KB

MD5
15468218cf88f60bf44f19de4d0805d2

SHA1
312752108c784b8f86a59a0ba8b9b981c9512b83

SHA256
065fc2338c7e46cc2a253c2a83fb7b8b71318e364113e9166a20994f99d91bdb

SHA512
0e8d30fa9ba4ecf6c09ea2e09c80145c2f174e5fef717cd79dee43cfa4084e9adcfe82ca6ba3e5cbeba454c84209bf62847fafd2c7e1e7646927b4d4925b7b1a

Download Submit
C:\Windows\SysWOW64\Onnmdcjm.exe

Filesize
163KB

MD5
ca3aa531c6a3d5daffe3e9d21eff98f7

SHA1
a77bea3155449689d4fdf5933bb37ad226172cdf

SHA256
18799797d524784553cacc0e4df0f610a5758a14b514be69b6ffd9ebdeb51244

SHA512
bb94bf8a32a3fad780df851377708b6e8dc332415c826ac8c639ccc4c74a2f9cc9d919d35453cc5c17529fed7851e2a97d1803808996bec72f724e044c0f685e

Download Submit
C:\Windows\SysWOW64\Pakllc32.exe

Filesize
163KB

MD5
9d4f5c943dd49f262ddd6f2c9e5bfb9d

SHA1
978a4ef09a8a086260426c89a01c5770420c133c

SHA256
f60dfda8c8050d7acd8e6ca834da35e6fa5e0527a926255a71680f44380af4c1

SHA512
afc39ab956f5cbd1b821d3c98572d1161524fb3b7dafb1895e6099392e0948bb481f7bf36dac0ae9cdd50aca4360937e326c934de0a17cf547a3676c85982cb1

Download Submit
C:\Windows\SysWOW64\Pifnhpmi.exe

Filesize
163KB

MD5
c3d6b53274290dab0b35f49f8b39fe4d

SHA1
64c341e0ce68bd8f0ff71e2e17294cad75bf8cd4

SHA256
1df08772299117ab13da7b0ed7c90d18f614d48f180eb50a8a3ce72b52aa281d

SHA512
c1a5f64ac81c8a8b539c5694138811665917e7a289461a33616453ec16accce837c186f6270cd4d1cc1178c046bf9c7734df3b474bcc2c1d7175aa799225df4e

Download Submit
C:\Windows\SysWOW64\Pkegpb32.exe

Filesize
163KB

MD5
d9702bbb4aebf139317c76b02a8e62ab

SHA1
fe6f58ee754b0b8a3d2dcf84fe7de78cc471b069

SHA256
1ad07f8fb00899852214d603d450f8c44111da7351218e961dbe37225a57efff

SHA512
160b585efab93384298968e807a62163894eef7c84c9467f587843ca5eb5a45f7a1f2b3878aeb0b63b39cf08e438b9d923c2e850ffdb8270466e36b24ac412b7

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
163KB

MD5
401d57a64c418d276a109f0edd2d0e1b

SHA1
a22b280553030877a3e8315b6217bf22eeb39e6f

SHA256
5536b692216da86c8d06c0c033a2e8b6101176e1799391d029286f05c4c8bf78

SHA512
f5fc85f543b3812529c5b1b9d1f496ee76b3fa5b5805d072e52d412ae22900c7179c26de9b4d37f9230244a631b9205be26e6661570f84180ea924635e1f77b4

Download Submit
C:\Windows\SysWOW64\Pocpfphe.exe

Filesize
163KB

MD5
8ae111b779eb342a73716a6ff27e6d5d

SHA1
7233b49a9544970497c8e5c47d22bec765ff150e

SHA256
a7af49a9103c4c4a6e138dcca681d0841f1f024ea2f4d47ef3b32a1250ba7da3

SHA512
044b498a0c13c1c8ed90c8d4c6246317a8606a65003f818569ce1f0dd8042f0990acffd41567c618549a3c0a50d7d107b5393345fc24041748a4ceffbf91b0b3

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
163KB

MD5
66ab8e4fe4486da6a20cf5571c6a9e63

SHA1
3de99e0bdcfeb18b7997691680fc8cd9d290b8c3

SHA256
34e237eda808cb201254989758d28b25251b55ccd47b54da96027ea829f3d1d7

SHA512
8909e8adefca9641b5db832448a0f053c4ca3df8e43ca7982d360e03d4e53735140692b49cc30da7d34b8acb864f28365b59b37ab21ddc161ac4220caae29139

Download Submit
C:\Windows\SysWOW64\Qhngolpo.exe

Filesize
163KB

MD5
09f75fcc3a3cc7fba6ee492b67588f13

SHA1
fbdad4484103d98757f8f30eff2b1699b223d49b

SHA256
f9ef58bb2a38807612c12fd7bdfc6ec227515824bae4d4c01b7d853815cb75a9

SHA512
84db7f900a2ad98c1c14eb5b52ee961eaa525a46a1125c2344f6cf65707dee34b8a04cde40d01605b629bb9dfb9726d70128583570a2aa02ec1095ccdb0209b0

Download Submit
C:\Windows\SysWOW64\Qlgpod32.exe

Filesize
163KB

MD5
0e9c041e1bba25546b8327c9aa7ad95f

SHA1
5257e2d1afff8679a501c8507ad04a5582a7de62

SHA256
7eb8932f66ae4aa87b99f324e35b23ef29eb080e75bf08217ee096c983b0fe2e

SHA512
f8e5ef48a461031bc6c32fb3e63ba86f2b3e6546a8e78b132b2d4828e5909bfa50da840c0da93bc9e80120e38b2763bb889dca003dae0024892c73ee5940c75d

Download Submit
memory/116-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/232-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/440-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/464-415-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/528-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/608-475-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/632-622-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/632-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/640-616-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/688-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/752-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/876-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/884-390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/988-239-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1216-414-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-586-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1428-520-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1468-481-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1480-600-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1480-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1536-396-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1568-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1572-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1624-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-546-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1712-469-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1904-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1952-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2116-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2152-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2248-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2252-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-451-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2344-326-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2536-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-468-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-552-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3008-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3024-608-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3024-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3300-457-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3412-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3540-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3656-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3776-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3880-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3900-540-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3900-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3908-189-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3972-422-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3992-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4000-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4060-559-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4060-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4120-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4216-510-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4268-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4268-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4268-522-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4328-523-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4380-488-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4384-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4400-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-428-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4524-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-593-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4600-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4696-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-493-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4836-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4840-499-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4880-630-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4880-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4924-440-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5092-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5096-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5152-533-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5312-553-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5360-560-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5420-567-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5500-579-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5560-587-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5672-601-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5724-609-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5816-623-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5916-1674-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6216-1585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/7500-1446-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/7716-1455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/7824-1451-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads