berbew | 1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe
Size

94KB
MD5

81ce5fe1c21e5495926567c30c19597c
SHA1

104406b276bd0a66578f1396c58564d2baf91fde
SHA256

1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b
SHA512

1f99c3fa6b4e659d83aa4703526792687aaf3357f76290fcb6e7e52b42da019f34c945da84cba896af62d34a126a003c78300fe5da5357f543e10775ca070f5a
SSDEEP

1536:P7Vz2PqxsErZHJpjrE/4Tt4FmlaK/Gz6RQDqpRfRa9HprmRfRZ:jQ6scZppXtWUHk6eDu5wkpv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbgmcnhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hodgkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikbnacmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdjjckag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hecmijim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqpimpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2432	Gdeqhl32.exe
2360	Gkoiefmj.exe
2080	Gdhmnlcj.exe
2980	Gkaejf32.exe
2628	Gcimkc32.exe
2680	Gdjjckag.exe
5048	Hopnqdan.exe
552	Hfifmnij.exe
4748	Hihbijhn.exe
876	Hobkfd32.exe
5068	Hflcbngh.exe
2064	Hmfkoh32.exe
4588	Hodgkc32.exe
2988	Heapdjlp.exe
764	Hecmijim.exe
1916	Hkmefd32.exe
2720	Hbgmcnhf.exe
3412	Iiaephpc.exe
1948	Ipknlb32.exe
1448	Ifefimom.exe
2132	Ikbnacmd.exe
4016	Iblfnn32.exe
3940	Iejcji32.exe
1436	Ildkgc32.exe
2372	Ibnccmbo.exe
1960	Iemppiab.exe
3648	Ilghlc32.exe
4600	Ibqpimpl.exe
1288	Iikhfg32.exe
4608	Ipdqba32.exe
4452	Ibcmom32.exe
3088	Jmhale32.exe
3964	Jcbihpel.exe
3000	Jfaedkdp.exe
3580	Jioaqfcc.exe
1956	Jpijnqkp.exe
620	Jbhfjljd.exe
1140	Jmmjgejj.exe
3988	Jlpkba32.exe
4852	Jcgbco32.exe
4840	Jfeopj32.exe
4520	Jehokgge.exe
2044	Jlbgha32.exe
968	Jcioiood.exe
5032	Jfhlejnh.exe
116	Jifhaenk.exe
1892	Jcllonma.exe
4368	Kmdqgd32.exe
1876	Kdnidn32.exe
4084	Kepelfam.exe
4752	Kdqejn32.exe
732	Kebbafoj.exe
1236	Kdcbom32.exe
2716	Klngdpdd.exe
3660	Kbhoqj32.exe
1388	Kibgmdcn.exe
3832	Kplpjn32.exe
2140	Kdgljmcd.exe
4092	Liddbc32.exe
3656	Lpnlpnih.exe
3728	Ldjhpl32.exe
3480	Lekehdgp.exe
2324	Llemdo32.exe
220	Lboeaifi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gdeqhl32.exe	1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe
File created	C:\Windows\SysWOW64\Nngndc32.dll	Gkoiefmj.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Heapdjlp.exe	Hodgkc32.exe
File created	C:\Windows\SysWOW64\Ifjigbdo.dll	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kmdqgd32.exe	Jcllonma.exe
File created	C:\Windows\SysWOW64\Lbdolh32.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Jlpkba32.exe	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Docjlc32.dll	Iiaephpc.exe
File opened for modification	C:\Windows\SysWOW64\Iemppiab.exe	Ibnccmbo.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	Jmhale32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdqba32.exe	Iikhfg32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dekclg32.dll	1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Jfeopj32.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hbbhclmi.dll	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Mfadpi32.dll	Iejcji32.exe
File created	C:\Windows\SysWOW64\Ibnccmbo.exe	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Hmenjlfh.dll	Hobkfd32.exe
File created	C:\Windows\SysWOW64\Iejcji32.exe	Iblfnn32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Hobkfd32.exe	Hihbijhn.exe
File created	C:\Windows\SysWOW64\Iemppiab.exe	Ibnccmbo.exe
File created	C:\Windows\SysWOW64\Eifbkgjd.dll	Ibcmom32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Odqjbebh.dll	Hihbijhn.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Andqdh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6332	7136	WerFault.exe	286

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdhmnlcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkaejf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaedkdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdeqhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdqba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcmom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iejcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hflcbngh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmfkoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jioaqfcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcimkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnaemnl.dll"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfadpi32.dll"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iemppiab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekclg32.dll"	1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbedgde.dll"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hledan32.dll"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjigbdo.dll"	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gkaejf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll"	Jcgbco32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2432	2588	1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe	82
PID 2588 wrote to memory of 2432	2588	1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe	82
PID 2588 wrote to memory of 2432	2588	1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe	82
PID 2432 wrote to memory of 2360	2432	Gdeqhl32.exe	83
PID 2432 wrote to memory of 2360	2432	Gdeqhl32.exe	83
PID 2432 wrote to memory of 2360	2432	Gdeqhl32.exe	83
PID 2360 wrote to memory of 2080	2360	Gkoiefmj.exe	84
PID 2360 wrote to memory of 2080	2360	Gkoiefmj.exe	84
PID 2360 wrote to memory of 2080	2360	Gkoiefmj.exe	84
PID 2080 wrote to memory of 2980	2080	Gdhmnlcj.exe	85
PID 2080 wrote to memory of 2980	2080	Gdhmnlcj.exe	85
PID 2080 wrote to memory of 2980	2080	Gdhmnlcj.exe	85
PID 2980 wrote to memory of 2628	2980	Gkaejf32.exe	86
PID 2980 wrote to memory of 2628	2980	Gkaejf32.exe	86
PID 2980 wrote to memory of 2628	2980	Gkaejf32.exe	86
PID 2628 wrote to memory of 2680	2628	Gcimkc32.exe	87
PID 2628 wrote to memory of 2680	2628	Gcimkc32.exe	87
PID 2628 wrote to memory of 2680	2628	Gcimkc32.exe	87
PID 2680 wrote to memory of 5048	2680	Gdjjckag.exe	88
PID 2680 wrote to memory of 5048	2680	Gdjjckag.exe	88
PID 2680 wrote to memory of 5048	2680	Gdjjckag.exe	88
PID 5048 wrote to memory of 552	5048	Hopnqdan.exe	89
PID 5048 wrote to memory of 552	5048	Hopnqdan.exe	89
PID 5048 wrote to memory of 552	5048	Hopnqdan.exe	89
PID 552 wrote to memory of 4748	552	Hfifmnij.exe	90
PID 552 wrote to memory of 4748	552	Hfifmnij.exe	90
PID 552 wrote to memory of 4748	552	Hfifmnij.exe	90
PID 4748 wrote to memory of 876	4748	Hihbijhn.exe	91
PID 4748 wrote to memory of 876	4748	Hihbijhn.exe	91
PID 4748 wrote to memory of 876	4748	Hihbijhn.exe	91
PID 876 wrote to memory of 5068	876	Hobkfd32.exe	92
PID 876 wrote to memory of 5068	876	Hobkfd32.exe	92
PID 876 wrote to memory of 5068	876	Hobkfd32.exe	92
PID 5068 wrote to memory of 2064	5068	Hflcbngh.exe	93
PID 5068 wrote to memory of 2064	5068	Hflcbngh.exe	93
PID 5068 wrote to memory of 2064	5068	Hflcbngh.exe	93
PID 2064 wrote to memory of 4588	2064	Hmfkoh32.exe	94
PID 2064 wrote to memory of 4588	2064	Hmfkoh32.exe	94
PID 2064 wrote to memory of 4588	2064	Hmfkoh32.exe	94
PID 4588 wrote to memory of 2988	4588	Hodgkc32.exe	95
PID 4588 wrote to memory of 2988	4588	Hodgkc32.exe	95
PID 4588 wrote to memory of 2988	4588	Hodgkc32.exe	95
PID 2988 wrote to memory of 764	2988	Heapdjlp.exe	96
PID 2988 wrote to memory of 764	2988	Heapdjlp.exe	96
PID 2988 wrote to memory of 764	2988	Heapdjlp.exe	96
PID 764 wrote to memory of 1916	764	Hecmijim.exe	97
PID 764 wrote to memory of 1916	764	Hecmijim.exe	97
PID 764 wrote to memory of 1916	764	Hecmijim.exe	97
PID 1916 wrote to memory of 2720	1916	Hkmefd32.exe	98
PID 1916 wrote to memory of 2720	1916	Hkmefd32.exe	98
PID 1916 wrote to memory of 2720	1916	Hkmefd32.exe	98
PID 2720 wrote to memory of 3412	2720	Hbgmcnhf.exe	99
PID 2720 wrote to memory of 3412	2720	Hbgmcnhf.exe	99
PID 2720 wrote to memory of 3412	2720	Hbgmcnhf.exe	99
PID 3412 wrote to memory of 1948	3412	Iiaephpc.exe	100
PID 3412 wrote to memory of 1948	3412	Iiaephpc.exe	100
PID 3412 wrote to memory of 1948	3412	Iiaephpc.exe	100
PID 1948 wrote to memory of 1448	1948	Ipknlb32.exe	101
PID 1948 wrote to memory of 1448	1948	Ipknlb32.exe	101
PID 1948 wrote to memory of 1448	1948	Ipknlb32.exe	101
PID 1448 wrote to memory of 2132	1448	Ifefimom.exe	102
PID 1448 wrote to memory of 2132	1448	Ifefimom.exe	102
PID 1448 wrote to memory of 2132	1448	Ifefimom.exe	102
PID 2132 wrote to memory of 4016	2132	Ikbnacmd.exe	103

C:\Users\Admin\AppData\Local\Temp\1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe
"C:\Users\Admin\AppData\Local\Temp\1f519e24eef5d9e30f1c983219eca7617a1fed67ed5b6bebeb51c6fece70741b.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\Gdeqhl32.exe
  C:\Windows\system32\Gdeqhl32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\Gkoiefmj.exe
    C:\Windows\system32\Gkoiefmj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\Gdhmnlcj.exe
      C:\Windows\system32\Gdhmnlcj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        34⤵
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        37⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        38⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        39⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        41⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        43⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        44⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        46⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        47⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        50⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        59⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        62⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        64⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        66⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3052
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2712
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        74⤵
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1664
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        80⤵
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        82⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        86⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        92⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3932
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:508
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        99⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        100⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2464
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        104⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        105⤵
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3952
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        108⤵
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        109⤵
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        110⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1848
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        117⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        123⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        125⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        127⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        129⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        131⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        137⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        139⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        143⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        147⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        148⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        149⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        150⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        151⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        159⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        162⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        163⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        164⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        167⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        168⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        169⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        170⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        171⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        173⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        174⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        175⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6552
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6600
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        179⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        180⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        182⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        185⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        186⤵
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        187⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        188⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        191⤵
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        193⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:6544
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        195⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        196⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        197⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        198⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        199⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        200⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        202⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 408
        203⤵
        Program crash
        
        PID:6332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7136 -ip 7136
1⤵
PID:6256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
94KB

MD5
1a581a37e019f8bbca8777ff4e4ae26c

SHA1
5079c2b27f2098f1a3ab293c6c17545debbf79f2

SHA256
8545ed38be060ee1fb0fe83f646f8145568fbd281c12cb5c5d81ec93595bc75a

SHA512
5e95d5c454e823cb6d5d31af39c17002e430f472257cd5fceaa7158daed913c0165f074aeccc4612ad7f1d9b37afd29a130edec3d49f27cf52e70bcd29c47e00

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
94KB

MD5
136c76ba8e8817c735976d5deb5ae707

SHA1
e5b45edc93a1a1b4912b17b214f1c8d5f9543f60

SHA256
f8b8a1a7c89979118808c141abf3695727a00bf8d8cbfacc7553cc6bc35c6734

SHA512
865bd25b2d8fa3193597bc697b1ea7627870b2a580541f779e6ed2d22202c21a37568cf3f31eaa98992484c90ecf523d7c2aa1f832a44f692b04ee493a5d3738

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
94KB

MD5
4211ebd4b2e16bba9328d0b635b825a0

SHA1
8bf03c2633604e6df9b0129e84b33b2255cb76fc

SHA256
9e410c1e3f64145d3866cbe28f1944f6a167321a26b3cb3bcfb33729dae2120f

SHA512
471d8f65f37b6cd805f0d1c7ec54df779f759accfb095dbf189eabe45b71bd8b5c3fd4eadc093346ee52a4e0eeded09f9df62397676aa2969677d8161040dc37

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
94KB

MD5
e030bbb1203b6cade0e26f49a30e65cc

SHA1
3c518ca3d59a9975f4c6adadc548e3670c11a3b5

SHA256
4a67afb4d8ca78b40e8e043e9138cc0ed4d1987c64c5c643c601a266720e7b24

SHA512
27d2669e95dcd05caf8e77c567abd33f7e93b24654784b1809896a8240b8ae2b0dbea6d5a45ca06b8e3996773dd0548d5979d921897c2d2b1433a9bb934362dc

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
94KB

MD5
fcd95d1dbcc3d76b45cd8c0b4194c9a8

SHA1
9e2a0670d1f32ddb480c269f53ebde6e26e0f0ef

SHA256
b08f3b404d27c343518209a489a8ab5fe871e9ecf85694999ba6cb69872001df

SHA512
6fafef6c6beb7593540808e878dda323b70c40f7cc1a510d50cdb897e19c93547620578463c905e68c118e2921cb128addf8e7177d7ca1988c6e56c8802ce04d

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
94KB

MD5
14734884a5fc153a4bc35fc25323ed77

SHA1
356861e27e6b977a2022da71961ffc4419186208

SHA256
236d8e9e57c88e428736b62a0747fa5ed91a1a360e7ed9c85baa933e45dba58a

SHA512
de8dc891aa34b8f709c39344cb69c7a74bbe5d2642b493faac11361c2a3ededba9d3b99de9e949fed0e50287cc9899b764daf9bd0ef6d7eafee54e5e18af68c4

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
94KB

MD5
71ce93a4f0b1db3db902b9b7352728ac

SHA1
f9ed607f71529f1e263582da24311bd9d5fbab50

SHA256
338f581900352fead3b48c4b24b60319780ad25c01641e97b8dbb29dae07197c

SHA512
faf947f5417ed276128498fdd6ea8dd1b8e6a031513868cc540f40f3dd21aa9f43f175611f58f17f9f6db7838bd303530ee0950bc43740da849951691bd18f00

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
94KB

MD5
2ab3d5ad4e2403b492af0735dd71b717

SHA1
3d39a909f1594d0ac851c9682e165a845d8c4d45

SHA256
9ee89a5cc522c453458c2c2dcae34848f27a4060d1d6f30aabc3ccfa7e30a37f

SHA512
e55afc4e5abc0f8d68fd5311b08d83cd9c2b98fb886c38794b15ee4c9c058421305f8c07c7cfafb7525f23df7bb23cf99cf47448c33ecb8a52958b41b92f170d

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
94KB

MD5
6f0b472cdb666a6d2346839ad83673e7

SHA1
75ac8570640194218185c7dcb5d9fcf96217ef76

SHA256
30a2ce16cc963e5e44675ec04ad902f3c53a93735ea118d9dc5b941e2eed13d5

SHA512
695378aeea5d5776628bd718f5d44e3d96eebbd79e3ff7d8d208c5775fc24710a3d0765413aee4580177564508053065982d4b8a645e0570e863dfa617ac7061

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
64KB

MD5
7ae58e5be17b9aa13283beb4dfa02263

SHA1
112ba544fea77ae90e8ac3abca53e2fff6eb0f70

SHA256
1256e601210674552fa4a2effdfea2b406d956cc117ca665ef280cbac89ea1a1

SHA512
bcc8e0bc5c16faf4595a176f6d01b1640ca18e059dda0e67ab39ef275baedd45cf5344ca0999da2a33616aae7a2290ee5883397234411ed2be787f208cd9c532

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
94KB

MD5
ad932f1a0dcf17a8d4d5670d884c255f

SHA1
578552d84afa6668c902a792a3cc7986d094ca92

SHA256
7cf2f5436ba07b59cab0ce86aa8a85e16e024e2687c005393048d3e80acf393d

SHA512
7b86ccc04a7557901c8f9e12c3fa2640babc38ca3564718076a3f98bd7ca5b4b4b9a3f2837a53f39d38ad272895072f4bc98d507bc2bce68a39267f67995d37e

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
94KB

MD5
0584c32831e2f9084c323a85198073e4

SHA1
6e58e34f651f0a8ed483c11d496944ed5e4094a0

SHA256
a43b450cc51f7e60e81faa754d7adfdbc3a933e130236d6d579c28c5bc3150fc

SHA512
37d5329b7d625802ce5bb9d618ebd34f160ba4f7ed7d53778a830f27f97c78bfd90bff9190aa019fd695532884190631d6d64176c6aaf64f523f3d618e3c1b3e

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
64KB

MD5
3c6b68ad5ef14c9b818ae8d492b7f941

SHA1
dc671c57a9d636ba762660b0d768b0ed91dbaeb7

SHA256
1ad084b03d37c3088bf1f92542363e077fa2aef58e4ff189b388fd2dee884abb

SHA512
837004f21cfe4de57538b71a782151183b68345b92a9278ff2ceda3107296a2a1815d05661c656c5487b6148405084355dd9a0179c25367787e2c5b0d78234e6

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
94KB

MD5
1d95b265d03cd19161524c1c03730380

SHA1
ff0bb051b3e46613e4eb0520ae966049b3d16933

SHA256
ad10e006d18e8b531789d6e3a334bfd9d9f5830dfefb6892a6d01834a68a0354

SHA512
f12e0f90b617135adedb681e29b47dc64f574991cde11790039d6e6cd903edb0002b0cb9bcbf3ecf72f7f37572c20bdca09b2cdcf594180d47b86aeaddebda96

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
94KB

MD5
c9468260c89eab6f1731bea7349c0a4f

SHA1
030590786012c3fd71ef43cfe40ee12b4a8c9621

SHA256
b0859540a13385a8241f16e401d49c7912c73e090107906f7bd288efc0258db5

SHA512
81955c316d3773b3bb2a124d4c25f2cab6d17aa94b54bc25fa97e1d64e70589507cdfcfffed3baf836a23b783cd022cb47f77a1f78f410b8096d7e4187fa550f

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
94KB

MD5
807425fceec25204529760707cc43305

SHA1
b44b487c7bbd84a5cf0829d85978fac872d60319

SHA256
511e093f6d9164379c9864438c11b3e0d916e48b63ee752af70a0715aaf740cb

SHA512
e7a721c264f70b3153164a8648ec32f3dd344f1904610115ad255981831ad4ac08fa1c22867b272ae75b732808a51054763eecb124302a3ebb9ef3799b3d7317

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
94KB

MD5
8bc019bb979f105cba56eca626168964

SHA1
b1767e66a3a279583a9b825a30a9bc88a059f230

SHA256
c63d1fed2b63db241ae3b2c2faa7ed945f2bb400e277d25676ded95f900305b0

SHA512
b8fc93cbcdc4b1d35c9c761ad02c5125c0d3916794a9ce7cc56e44df284a0ad96e75178ac8c2607c1a80ceb909cd73375576c1a5ec6ee9155c09d3bb11306b60

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
94KB

MD5
a4c0ba1764b2008945664171e4012c66

SHA1
bb3a412ab8a21c5e57228aec0f40365f9076d2e3

SHA256
eafe7739268c0c3d67fdfb3b65746260fcf63d14bd26d809f26cc90ad9a78162

SHA512
e93d30e6d719ea11a748cedb833e452d47f48753d4ff7d791322736f42236bc63dd87956eacfd65963b294fc54d5173b72a290b1dc2f9b262225eda958114676

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
94KB

MD5
1a1ba2b74899f144fd79d661c25c896f

SHA1
6d3fc4505eaa4b0ca1341d9477bd555704ff0d05

SHA256
a85f688bac2d81af8b318fddf231c42f9620df226ea26521a3146db50cae517e

SHA512
be1d364f50eb8fbc2e0c4ccd45bf701c6372084728e150568343f440708ba5870ee1f288f8fd336a3e6fe2fff8fe3867e2075817484933437cc2bfea9b747460

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
94KB

MD5
e8b79825cb2c0a9826d448ae8cb03ad6

SHA1
41c19e198586b37e2d50611edddf7c4616df5c56

SHA256
cb7eb218a52e0d36892658cac32adaedbee9807d6649b72d5bfa37c570d29f6e

SHA512
c290887543703bfd314ee5c6dbebd0aced5bce177efe3bc0c79c3b25339e5dde4fb4f23a31fbe06ed5d8efcf5bd5b7beac1ff32a1ee804c95f7826956d71143f

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
94KB

MD5
1d3b0e69e59ae5f986a7d3e06c0d41a1

SHA1
1505add8a588206163ad3210cbf30e1815fab411

SHA256
707316ee7011afe07ad5cf9da191a1b026b23d63fc5f1c4c1df09dff185731e8

SHA512
dace3b55f6d86031648347df3a4ec91bff0f4d01c0a8798be636afc3fe9be7fa83e4abe9c6915558d8d29ee0c6c3dd9bf096273c505f4ec970515eead1038cab

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
94KB

MD5
1996eacb7c53f037e95ecdd9c0bd8c53

SHA1
f4516b0dbbde1ec280e6cec95077fce04d968e0e

SHA256
d9b6a1950437179147375b820b1e7b2815f3b8a0d543992f3301340215b66742

SHA512
bd67ac2deda0d6083ce0ea909bbc23e85f6ae3cb7154bfd685e0c6643eb2f67195193adce4065b1dc291e5c9043a9347136abe7f33157caf8fb2974d8143f504

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
94KB

MD5
9e50e7ef253b7e9d44364d3ecd8424f9

SHA1
af75a191a597d826d12d3d54a8c427a81081497e

SHA256
92ea41b38c768bf3ae734ca948801b07a820f74b0dba990ea0f680f6ead51e37

SHA512
4b7fbea3fe3cd742c4339dd04c328244ed631dffa1913d5b3e51432b4ad4e4f383abd96769c82e634284218e07a566d0851bca511399f18898d6de610b966f23

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
94KB

MD5
3ff01d6251541892d6fb5400f8d3a71d

SHA1
c0bcb85f8ecd3cd1c31a4881e019602b05fc82e1

SHA256
a738df1e61594d446791ba9fc5e512be240684311f40db3369cc8c4b2633fbb0

SHA512
e124757a886aa1d447ab59ed916d59ea9aaac74755f3b2f95ff8803b65598eddbb9a314cc7b2ba8145d16c70b7286078d4239e066daf0dd02b4f53ca1cab69ae

Download Submit
C:\Windows\SysWOW64\Hbbhclmi.dll

Filesize
7KB

MD5
fbff054e88694ceb67671704d4c981c9

SHA1
7f2780cbb6ed895d706845a81424e743b17c2e04

SHA256
86db1692a99736d83df0aae926212c53cb23611ead84f00ea40450589450c0ca

SHA512
1c1febd67bfe056401c195f2ea1a28c4368ca42469982168d450cd5205c72cccbb22ee29436a8ea71c926670fb00356ab36f2ef5039f3566fb777e6c624cc46d

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
94KB

MD5
0f7ba1b36ce70e8b7b6d3ed1ff46358b

SHA1
1a162da801b75fcf984f5f368f107def3ea4b19b

SHA256
98019fe9debb5c89f6f8004d982de32a52fe1ffe0425eae69b805ce1840c05e1

SHA512
c98f44ffb8ad3a03540a26544549fdb9c4df272b00dd75917d761cb48bacba3c8383a90c5253b67c54e14ee06634766fddabd325df87c5d582552f98e471f735

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
94KB

MD5
1626fb8fc771ede6374b812dc2611ec8

SHA1
09ff8ec2fc10b5728704804344ab4672717cccdf

SHA256
ecf9e7e6a3e140a91cfa8435ad70f143d1a92049352009c94c56e8601b6ce67c

SHA512
64e4d60f12ef402750829266200b6f7a1e232ecf50a23bc12e47e71f9b2d30d89be3f74c7303b0f025eac8aefb2d3ad7a29fab9a7483c048aa6515378f81c672

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
94KB

MD5
31b765f985052de3cf24494cabf3f1ba

SHA1
f289758da3fe24536cf905cd8e03d983f2df2607

SHA256
a037f26eb26361ecec5c212c8ee5ca80eca1ca9b4bb783fc783466f71676c152

SHA512
fcd2e4c448a2e08872997601eac589ea8d9d8f27d650e38993761c6b1eb225d6755e7fb8c4e235c51d91691ab609b50edc64ebe99069eb8ac3a106c931b25b6c

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
94KB

MD5
1fa42e0bc70023afa650702b96221a04

SHA1
5c8bbc99032603bc0c41aa0f6b1334d2ba2549be

SHA256
9dfaca358bc9c6687774a82e8be7ad60223d7b6ab99507a9829163b3fba70018

SHA512
7366f5b2271acf88a0358ebdc3e586236b9eef8735fc0332c678cd71654c6ea4b3df8e70a14be897d0eeffbb2239fa5a9903a564157775a9c87107bc66f6a748

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
94KB

MD5
3240ff60cff45335fbfd859e3e08218c

SHA1
ca9d74476e01765c07a8223b0610573b2282f56c

SHA256
7e2a72df391555197d07535370053af14c827721556aab1df5b2131b1c73e4c7

SHA512
5d4b35b2aa42272a06263aa3af83f9e4ec8308bfdf9ce0177301e3493001cf30c29c48a68fc93706137eba3f617e04e3295020bda188eef7fc3f6f2501583952

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
94KB

MD5
53896ceeda882d61dbcbc306b113e4af

SHA1
8e4fbf9bf0eda27737b269f6834df015f040443b

SHA256
c98e424cb275c7214f7ff48ae54ec5da48d58549985fadc557cdaf15cfb4c2ea

SHA512
d4cede1d7b9920856f4be3ae7bfc5795ecdec20dc51f8552457afdcf23a74cd936a5920bfb6b95bc10eeeb0cfe4affd267bf590b8333cede2304c7d1e9025243

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
94KB

MD5
0dff34883ff646f8b3ebcb85e970ca7e

SHA1
f9382f10b249c73005f84c94449c42103cdb760c

SHA256
c1417eb10af1c4c90ef74d308cd107861bac10676f7defbd458d0922fc0d2c3c

SHA512
05f61327296a50fc0dd5d013ccb6e0808f402c56846899c0c615c865376f9ccaee42d2c5e362383b0c7a15e406642912b7763ebf206c0a904c445f9b49eafa87

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
94KB

MD5
af86e1e6b3ddcd2c6a244dafcce80797

SHA1
6b6efa3070fb76c12556f2b50128491313bc214d

SHA256
5a23ecf6ec219a8e86dd9e5e34bf99f68d9fa584732c9ebb73f8d3d90162dd09

SHA512
be3b73d76ba32c51faf892350b4845658db1324f56fdf518d673b8f22695eedf9b108a231f447c3e2ffe73b8ea642a41164438cff0ee86043b98a5adc4f08c88

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
94KB

MD5
ea9caf29fe34899dcac0b61e24dce242

SHA1
c442cb922593dd1488a7ec1abc8cc33f4a27b9ac

SHA256
033958a3b89f0c7cd1c65befd61d611d42603a97bebe7e0ebbe9df0d46ec52d9

SHA512
ae056507e45157958935e362106846fc1698ded6f94a8f03d34957a155be6b5322f44f4388ff86814dd36160b64398a345a9180e4d99eebe7d3117588e810ae4

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
94KB

MD5
017505801846ee2c2adbd8db80882e2e

SHA1
d5c1bef1d800b1137358098c95b062a7132574a3

SHA256
412824357089e555bb044239fcdc1af8738d18df21ec0af55e610c2902d53881

SHA512
1794bd3b5670535024c37e6329bd68efb5a62fded37466080395464e85dfc9c4563a3457d0f69928945494138f3f89d7ef665f63bb046e04f8e0ae738f393d4b

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
94KB

MD5
b6d09a8695fbcf65ed5128e318c6978d

SHA1
7b11be9ea8ee8b4779ccf7a84cd83b1f66cc00b8

SHA256
278cacc852e1f03b5f2a4dfaa74fc9b80e09395c6e0b767951ea83ecdc1b4726

SHA512
cadba1654b800fef99a351c2fba8e89319da83cf5e65e47c0b07e58c31f4d8abc20f6ab5a9f5ecaff76d7f91e7516ab641e0e3a1deabefad15a7c919b2715639

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
94KB

MD5
3df1fd63b9658c233ff66fa6518192d2

SHA1
d66ecb73a2d288de8292369edb7fe1c4f2ad5e61

SHA256
24ca3de94a9fdd72c1ce0a914ba75a9c9d5c13dfa1f80f31cf1481bed7996bc7

SHA512
7b860b0df27125215343875748d42a248b2f1d68f4da87c4c780618dccc1acfd09c14ff7a0cab4d543c661ad7eaf619d7c1b8c3ebaa5026bfffc1e491539b44d

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
94KB

MD5
fc9a28fba3070dd0165a156ac7e5c524

SHA1
75e3d439c7a3b0e3e058b9788615b8287bbb1e7a

SHA256
54d675aedf3c99a4e0cf5a5475c7db57eee5329413d8b1cf8fb0943e6651481c

SHA512
d77530b35bb45d40896ade8fef2a11eeb0ba6dff53f6dc261c837938736f68c14ac96b973ec52382340ef62911b4545213408d81d63da0ff6f75d0961660e85a

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
94KB

MD5
01662569913cfa9b2e86a2632bcbd5d1

SHA1
aae85a95d0c240282f128ab70b6bee1e77f7bdd7

SHA256
719e0cc44ee61840ecef4ee0b9a9725f49bdcb1cd1d6171bf552f51d32bd01dc

SHA512
f271b5f4505254a1a6466937f57891857fe2f40572bf47d45d715603d1ca8c223fe7db9c20e0b8ecec286a757f94b556cf5111b2e391b512bfeda8c7d62eb2bc

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
94KB

MD5
fb5bb82e8f455fd485c0d20c7fac9d27

SHA1
3ee28ea374d8b9db2b7a823671d69b1cffd15be1

SHA256
d1912e8f553fbadb51a80d1cb88a5fa6ebdad5b36a8dbb425211955942f3a0cc

SHA512
e27dac32114a540d4582c3bb6083f3e0dd54a77800924dee9a286e5b92073f965582963aa27828dc767e400e7924df3b3d90625ef506fa6335163ea83bb9bf6c

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
94KB

MD5
fb40bdc2669588e34e132c6fb03adb49

SHA1
72e20634deabeb3262564175a050f0d23ca4c943

SHA256
e4bb58e35b97cc6ab827b4eeb36f66875c6aaf91fb47fef24406648c40035344

SHA512
7852b1305cc734e355020dc00cae38db355dca9e7a0b2117cf96893315187fbe097b5b8f2381a3cee63b4b6abce7632c39eae5e757eb7fc00f388b1ce85ad2fd

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
94KB

MD5
e9b04e9288345ec7e9c3a5b3d79441a1

SHA1
3c9339d0100d1b7e2ee381de6696b1044cc70735

SHA256
6a18e622a51fad87aa80c1d192f73062df28636c4838a7ed65184c010eb67b66

SHA512
452eec2e2cf255ab9902ea42fae4bfc421258e493b534a1b70b69711e63ba011c3454a8bf42d58c4c2c693a3cc8f4ec9910f15a64168ef563c5c03e5712d025d

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
94KB

MD5
d415df7db550752ffeb432467f4623bc

SHA1
6b6e9e738d31bdd2e557d93fe48fdba30f77e8f1

SHA256
4e4d180591993285f641c5b7a632dafea220d172d9e66d2e5d16549c18a84ae6

SHA512
f50244cd9f03803de8e0593dcf25c29e39c9289676bb887f6a31d90c1a812c502bd756382d215974613d7a430b7e2640836814dd35126fdf8e316f876b8ea040

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
94KB

MD5
2df2499b67941324f7af95be4566a2ac

SHA1
5a320b7d8802053c2db3c87b6de12c16677d8e2c

SHA256
8c6ad828fafaaae3f9c1a2bb26fc110ca7d9c2c7680fb269503a046648bce522

SHA512
4a76cfa748add0118117b4a1420cda7d12c4c20064eba47ee970f0a79679b16264f9a5c996fc8ce02edd486f8b275bcc55c67006eb297446cbd5f45b0019d7b4

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
94KB

MD5
ce63aeb30101ea389a445b9fbcfd95b5

SHA1
a86af38bc2eca775bcec380dcb3a9b679300bb85

SHA256
80fbdcaab1cfa5315ad3380f0f99a1ea9abd277a1653e5ea4593be0dc09a81e3

SHA512
c3e6f3b06b2a3a6bf125969dae0f57fff028fc07e78d5d3dee55239a2f5cbdcfce69845010a1838b649815c2d5d9fe5bb5a097e943df56fba530367fc736dc0d

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
94KB

MD5
5dffae3bcf115c75e881667a084e531f

SHA1
c16d977544640e40e7c27f1a2fa8fa0acdf3c042

SHA256
8bd4184ae466ac44badc46ce80a6e2a1168eb545ee24ca5a2719bf8fd1243563

SHA512
8feffb33b901834fad1e0a14c38430b07633c5d0a7848e3ef81581b922d363d1efebbc3d42a6045e5ee2fdd30a1624aa952355bdb07df72cdab32605231d5409

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
94KB

MD5
e6d74e1293d7e45d584cb68a82d71d97

SHA1
c1f9026c586966a11d853d73f184e887ddde44c7

SHA256
ef04a1b90da5d6d1541e36b96ae1971c272e7a1a4bdc1acf8f21c6f8a16f1f78

SHA512
d4415a99d09dc4525bae198b4829dd37d64073cec4a443f8c4337fd736e336fe42742fd0c9783ab9d1990d5e26210b16eede30dcfc99d58b375c4c999435cdae

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
94KB

MD5
f678cad89e2443db25177a1e2d1275e9

SHA1
e7b648a5a3bf7801445173f725e20240e7c811c3

SHA256
1cef64fdacd3df6820e0396464453d3902e2cf014cd93f1bd238834e1f7be985

SHA512
99f2f306b6615e4cb2ec47e1823746edec21d0822e8ad926ff6bbb89a1c3162810b74b88f76f47ea2d03eccb16a268a2514a73abc65c72f59daa96a70a2076ba

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
94KB

MD5
8d19dcf9031f9d4b97b170cb28526777

SHA1
2d1269f9a9fe0a8e1cf977987ddb483f15acbe13

SHA256
331f7e4aa31ed8e7fc9fb2b8631229d147173498332897a3849dd2345380e10a

SHA512
f19f484398177653c91f9631699f90751e4220242cbfaa369bf51cebcecd49c0c04f92852c5fad1552bb5909e6b58ee5268d42931518e048c3186b18cfd380b6

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
94KB

MD5
8e1477b108851e80d4bacb163ce29b25

SHA1
ff4dea046ef6dd01c8e6da45c86889878d6709cb

SHA256
c5ab8efb9c9fa7f3ee5aa4c55731b3da9d8dcc85644da98863820e9b37fd589a

SHA512
4571a4b86a38d70854bd55705bab119c61bfd3c269c858e28ebf41fbee61a51d39dd9880bd9742300e44c78ea07ce0ddbf6e2610a9a913e2257ab00843274b40

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
94KB

MD5
46ce19f6f8d6373cf531e0fc491af5d5

SHA1
9f435fe6166a8735aa5b62eed12be1b27391ac9a

SHA256
74a0cbdb6c5956bdf4be1178f3d8e53ad2459bb6a2dcbf403d53050452fec78c

SHA512
462a6156d2b731bfef3702de0093eab45e67ec2f5728fbec12c088013628a8a24f051d32efb5f40927ae53a90f8071ec1e3589a0f72476a3921e031950f3764f

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
94KB

MD5
11e8e6a1a132cb58ad4476fa93cb1976

SHA1
a1b5cc68d15aca1ce49c155510b9bc09da897db8

SHA256
42e8501d2bd1f811b9a47ffb547d3bbb51c3f8e42480c0efece57baf4e8146f9

SHA512
1cfaecb6f6113f5c8f9be2c47699a733cc50377512bea61390a3556add4eb717a8122e52bc592aa0b9d1b2dddba6846cdb6bfe435431475543a8db7f2a362803

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
94KB

MD5
6842b3d0a4d51ad2774fd9435b1bd8b9

SHA1
c42f581b5fae69e1ee7427dea856811808f6f973

SHA256
14afcc633ce301a6f0e747127a6a23e90e65408f157dd4de081450ea7920491b

SHA512
6afbb15655c6f5f577ad72ce362a0d96bc66d58570493d193f101eee9f0dff86ecc62a21c9cd5b1edd084db71c00181d97422f772e76db0584a4a0e1aa649153

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
64KB

MD5
bd9c51bbccdbca7d21a62c0225118654

SHA1
c86091e93e3a2ccc375c4e58049846a81c5fd378

SHA256
505e0a4b444ef586a43d7030ab7abadba93412118f4277b63ada9d34a1324f39

SHA512
d91125db1e0b3757dbdc229ecd49aa1e895874fabd4e8175819cdf05f8cf17c6da6c54311b7a72e9aba1aca28ac1f26e31c2094dac78dbf855ef070cb8ce325c

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
94KB

MD5
19df243d1d12dbc6b58567a7a91ccc1a

SHA1
d839b5ad4449fb2356e96269c9b38b585c5fdc3a

SHA256
792d659b624bf2437c901348a6235b0ac56a86a7de10931e1b6a56945d99bef3

SHA512
3da02e0d6134741e616c926a610570f726cb676d0db11034c0dc98c35295c6e4553ec5ac9712e3f9cfb1108595d33741b74586be7de656c039d1ca17b96af74b

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
94KB

MD5
7f3c8ca5e4ce55677ea2424c69de4e08

SHA1
1716f3b6a14928937eacc0c21071b3d233b4eecf

SHA256
bb894a0cc1e59317330fa9543ab0d748e6e59341f1d193f78507106d710f241f

SHA512
79a440186a5c550381f82b736a888267418b5614de95b3db670fa6e2c0815671669232c5ee8e9b2a1ae781f8595f0bd80057b03dd205c5956874d93bb5b0d4ff

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
94KB

MD5
acddaa14c1aed4a0f105ba4a70568ad7

SHA1
c5662a36ab94cb0a18c7a06a08b7f1d1bf6f33dc

SHA256
3ac6833bcddb4619cd9a80917e8ea14b23b7411d03fdb9ab952e6fd73c2412eb

SHA512
264bd78c560c5e67c2485be9cb82c1cb87db67510931ea03c5e2d625819aabb54603996fd46c462c054847b76d1ae7f7603c39721d83a206e8911c5f1ff38b9f

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
94KB

MD5
42221b3708d558d6e4d45c189a24e948

SHA1
016d88e08dca1ceaf9170f5a888b4ad28a163bd0

SHA256
a9f8264283e979f4e12f9bcee62a6d18ce560fc64c15631bb24384c8c089da98

SHA512
48a74da453cc1eacba13203e927ef91c7fc407937ec3bcd834575ac0f81195314e96a87d54bdcbbf1e8218b53cc5a5305f9dd4c21274b9e28882f93c50088f3e

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
94KB

MD5
63d91e0ff6aad4c0cf3d9e9f661567f9

SHA1
c9d22520637421454d46222b44c24fc9ccb5c3c5

SHA256
976135c7c52881d1e863b7aa0528c3db05c2c25e1179206c92c14854573dc30b

SHA512
fca22aa6b57528ea24310b4c91e651e20cd24b9928ae7291016e1b6f4c6eb016544b87f08e92216fd5c7fd8da4017c1c8381f8cf9bb52e71ed2cac9aa8ed1356

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
94KB

MD5
45d4d57c20e71707ede3d0fea89dca53

SHA1
445b73d3a5b3bb5973c15e035f1c67da55ae72a7

SHA256
b147b1a39049eeaaa2e4bd68c8ae901501ca6592932849c49f78f8c333a47bfe

SHA512
6734d5580440c410ad3f32baee90b8b30b8acaeb9fb4cb729818e7ecf07451ffd55bbedd132434aeacc769e4b3f7c21637668a7c9cce76e9570bfaa93acd2bae

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
94KB

MD5
288010d2b45b7b7c0a9c0c8d86683215

SHA1
635a0ddc079572049c9e5b5eda41e2126c360ae7

SHA256
1b280404ae023a09c980e1ee19ca8b480a9f4a7928f74b03128d2602bcc15130

SHA512
e8e8d9280e1878f62109ed8c5ce6403ecef3b7d71195656c4d50b7e80fffb072a9d23e86cc7d4e848549ee2087c65ed4b8413efa55cfc1a98c80436ae6984b81

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
94KB

MD5
aab039e946b24babbfc8a1069bdb203c

SHA1
0380f0d87fdd78cfd8dc14e2d5c39912640a278e

SHA256
00eeb6cc1c2d360765082288ac5b570d4e9ff75de08694f47ed99f0b7299c187

SHA512
82f423c10b990bb54194518ccb779cb27e471ca8c50d99a5b1809784beafeda2e19ce0928beb1ff5603dc7a21ce568a5b810b1e229f115f00ef0495b2bb13fb1

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
94KB

MD5
9e47e496d2477d886c042abbec4672da

SHA1
039753c2fb3340f79c8a85e2d5df0a03c73125cb

SHA256
330f8afed489a38bc170a5f9a41da570769a1a599a3bde0a89cd9b260f06c774

SHA512
78f55d3da00ed23a33b1cda6a812be1c6adc133743767d028933063b8a492c25792024ef81f131611f33bead5d1fafbcbb3e3d1e20f5d5d93693294861379520

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
94KB

MD5
bb6a2a558d60e9ac6779ae41191ddb69

SHA1
db564f283d226ed38f251cd8cbe514b855d5a37e

SHA256
be0ead8e897c03e2ff186e844b037c30d16821729110be5384436d119b3eab01

SHA512
3ec704e00636b3668d98881d4cfd69b53d794c3ab2c596d112ff10dc5584dd5eba8b56f7d84157e5b4924735cfeb69ae4e9e5f406c0b8fd3b6de12fe42af21a2

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
94KB

MD5
e510782c6aaef3c86c76656daf9ae5df

SHA1
b6ca252eea3962ac8b935626d7f3453cf4700140

SHA256
b7228569dffc6aa8cc092ab71e7351f56fd7f58d28c76c17ee518e85112a2293

SHA512
cd386927b9a3e56fa9ac3713cced49e531cb5557313daf9a15dea868115f7702e194f5c7deab9522c2df73f473b26fb5ca478464b66c46881f74e904c257a2aa

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
94KB

MD5
bafb64b641a7958b0240214fdded96f5

SHA1
92a3789db29766d624647a60eb79342259019ea0

SHA256
744a2af0134d1cc21053fc808b915592d0d84484e1329a92dac1f3bcb125757c

SHA512
93a54141499db2c24b11e7e8c219a8b888ef997f8ef655a49b1f3ca0864cda5777277ed48649793bd4f763b4c59a123835538102e0760a20436d02bf4b6edb7d

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
94KB

MD5
440f07b5c27e88595388cffb5f950916

SHA1
b2a45df7a5b5aaee54368bc422376f37f42db855

SHA256
a4c97e7d2d6d2b8d50eb23e4da07ec2f5957b1609bdb4b82a7dac49cc20dbf02

SHA512
e60d70278ffba48b2e080ee1b81a8113c0dd2ce42c26bcffe511ff56a29496ca31b28201d89a0640945715d4c49bd88a8182e27c8f69251a1b26ee82d67877a4

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
94KB

MD5
21e36fdfddfb8f36d8c482897974fd71

SHA1
262fbc3e487e13a07da1198fb06699dbf5837674

SHA256
0295163d1f49990e9c613908b95abc8b592bb9df4819d8c7bee6d365270ead70

SHA512
ff492550ae6d6c0314cbe869d23a20fd89af66f258c7443e142eca3bbccd4c5a5d1d2745beea3c0e2a26bb251be87513301da5e00e040604a690cf268cabd2b8

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
94KB

MD5
a116eb2bcc0dc1c28610823ff76bc492

SHA1
9cb594b68feae510922433bedb794c949876cfb1

SHA256
10c7e2881cc016205c241c9eddfa92072a366bf815ef896f7c0046fc0b88137d

SHA512
3e534e7ac20f9263b4dcbe8a3baa6aa2f5d4c863df79cf30cf6a3ce6544978dfb730a3062f87a5a9d2371b76b46be12f03fe25ac1dee40dc4c467c433315783c

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
94KB

MD5
3a847fa58917b631fa31fcb18aaa7cc9

SHA1
3412fa004a69f1f7f04f8fb9d904717b95a5c9c7

SHA256
8785e746a3dea657064657828d3bb470e674143fa88c0bf7fc2964eebdb89403

SHA512
2cd14fe6dea5f10f0d9f160d1c52292a1ad610523f15aaf69f8939de161727b361cbe840b5ba81c3c8fa0517b367561abd317b29c9a5bbe0ce17f12a96622f79

Download Submit
memory/116-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/220-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/552-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/732-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/764-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/876-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/896-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1140-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1236-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1436-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-554-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1664-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1956-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1960-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1984-575-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2324-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-553-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-568-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-582-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-581-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-567-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3088-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3412-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3480-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-485-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3648-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3728-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3832-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3964-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4092-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-547-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4452-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4760-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4852-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-589-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-588-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads