berbew | a81d68ab3128db704c170ec16e178dff79422d64bc002766c1edc5b797da45ae

Analysis

max time kernel
96s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a81d68ab3128db704c170ec16e178dff79422d64bc002766c1edc5b797da45ae.exe
Size

285KB
MD5

d0437265f41d7e292127749722db1c78
SHA1

6e0d5d6a49b2280a9558484325fc0b187a980172
SHA256

a81d68ab3128db704c170ec16e178dff79422d64bc002766c1edc5b797da45ae
SHA512

2cc49a5038b2ff47a135e5362f2e1ff920f184f1b6baf78758b024566dae2aac2fd87667443ce22b070c0b5761f67746a2ed9d1803121b545df7dcf88a29c7d4
SSDEEP

3072:CeVjqzG5Uk/ZNMURKtweuKVcbMloVRr3uMg0kAqSxYiJ2QM4GKcZ:/R778tLuKQIoi7tWq

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmhale32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iifokh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhcpgmjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfembo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2304	Fdegandp.exe
2960	Fcfhof32.exe
4228	Ffddka32.exe
3480	Fdgdgnbm.exe
4876	Fhcpgmjf.exe
1772	Fkalchij.exe
4500	Fomhdg32.exe
3704	Ffgqqaip.exe
4064	Fooeif32.exe
4988	Fbnafb32.exe
328	Flceckoj.exe
2716	Fcmnpe32.exe
4240	Fdnjgmle.exe
1336	Glebhjlg.exe
4772	Gcojed32.exe
1200	Gfngap32.exe
5096	Ghlcnk32.exe
956	Gkkojgao.exe
2392	Gofkje32.exe
2760	Ghopckpi.exe
1132	Gkmlofol.exe
4724	Gbgdlq32.exe
1760	Gdeqhl32.exe
2632	Gkoiefmj.exe
3056	Gcfqfc32.exe
1852	Gfembo32.exe
1596	Gdhmnlcj.exe
376	Gmoeoidl.exe
4420	Gcimkc32.exe
4540	Gfgjgo32.exe
1860	Hiefcj32.exe
2928	Hkdbpe32.exe
632	Hopnqdan.exe
752	Hbnjmp32.exe
1688	Hihbijhn.exe
856	Hkfoeega.exe
3812	Hcmgfbhd.exe
4424	Hbpgbo32.exe
4556	Heocnk32.exe
2728	Hmfkoh32.exe
5004	Hodgkc32.exe
1932	Hcpclbfa.exe
3188	Heapdjlp.exe
628	Himldi32.exe
3252	Hkkhqd32.exe
4968	Hcbpab32.exe
3908	Hfqlnm32.exe
2788	Hioiji32.exe
1428	Hmjdjgjo.exe
3520	Hcdmga32.exe
4608	Hfcicmqp.exe
2236	Iefioj32.exe
1944	Ikpaldog.exe
3432	Icgjmapi.exe
4964	Ifefimom.exe
4844	Imoneg32.exe
3400	Ikbnacmd.exe
1160	Iblfnn32.exe
2200	Ifgbnlmj.exe
1824	Iifokh32.exe
3424	Ildkgc32.exe
4568	Ibnccmbo.exe
1248	Iemppiab.exe
1020	Imdgqfbd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Choehhlk.dll	Hioiji32.exe
File opened for modification	C:\Windows\SysWOW64\Iifokh32.exe	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dekclg32.dll	Gbgdlq32.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Naqcfnjk.dll	Ffddka32.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Gcimkc32.exe	Gmoeoidl.exe
File created	C:\Windows\SysWOW64\Iedoeq32.dll	Hiefcj32.exe
File created	C:\Windows\SysWOW64\Gnbinq32.dll	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Jmhale32.exe	Jfoiokfb.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Gdeqhl32.exe	Gbgdlq32.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Hfqlnm32.exe	Hcbpab32.exe
File opened for modification	C:\Windows\SysWOW64\Ifgbnlmj.exe	Iblfnn32.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Fpeohm32.dll	Hfqlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Leihbeib.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jlednamo.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Gfgjgo32.exe	Gcimkc32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Fdnjgmle.exe	Fcmnpe32.exe
File created	C:\Windows\SysWOW64\Ncnaabfm.dll	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Kemhff32.exe	Kfjhkjle.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9592	9468	WerFault.exe	445

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmoeoidl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfqlnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbpgbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmjdjgjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jioaqfcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmmjgejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdnjgmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffgqqaip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfcicmqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flceckoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffddka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glebhjlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hledan32.dll"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmacdaj.dll"	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibifp32.dll"	Hcdmga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcneih32.dll"	Gofkje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jedeph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhbcf32.dll"	Fcmnpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2304	1608	a81d68ab3128db704c170ec16e178dff79422d64bc002766c1edc5b797da45ae.exe	82
PID 1608 wrote to memory of 2304	1608	a81d68ab3128db704c170ec16e178dff79422d64bc002766c1edc5b797da45ae.exe	82
PID 1608 wrote to memory of 2304	1608	a81d68ab3128db704c170ec16e178dff79422d64bc002766c1edc5b797da45ae.exe	82
PID 2304 wrote to memory of 2960	2304	Fdegandp.exe	83
PID 2304 wrote to memory of 2960	2304	Fdegandp.exe	83
PID 2304 wrote to memory of 2960	2304	Fdegandp.exe	83
PID 2960 wrote to memory of 4228	2960	Fcfhof32.exe	84
PID 2960 wrote to memory of 4228	2960	Fcfhof32.exe	84
PID 2960 wrote to memory of 4228	2960	Fcfhof32.exe	84
PID 4228 wrote to memory of 3480	4228	Ffddka32.exe	85
PID 4228 wrote to memory of 3480	4228	Ffddka32.exe	85
PID 4228 wrote to memory of 3480	4228	Ffddka32.exe	85
PID 3480 wrote to memory of 4876	3480	Fdgdgnbm.exe	86
PID 3480 wrote to memory of 4876	3480	Fdgdgnbm.exe	86
PID 3480 wrote to memory of 4876	3480	Fdgdgnbm.exe	86
PID 4876 wrote to memory of 1772	4876	Fhcpgmjf.exe	87
PID 4876 wrote to memory of 1772	4876	Fhcpgmjf.exe	87
PID 4876 wrote to memory of 1772	4876	Fhcpgmjf.exe	87
PID 1772 wrote to memory of 4500	1772	Fkalchij.exe	88
PID 1772 wrote to memory of 4500	1772	Fkalchij.exe	88
PID 1772 wrote to memory of 4500	1772	Fkalchij.exe	88
PID 4500 wrote to memory of 3704	4500	Fomhdg32.exe	89
PID 4500 wrote to memory of 3704	4500	Fomhdg32.exe	89
PID 4500 wrote to memory of 3704	4500	Fomhdg32.exe	89
PID 3704 wrote to memory of 4064	3704	Ffgqqaip.exe	90
PID 3704 wrote to memory of 4064	3704	Ffgqqaip.exe	90
PID 3704 wrote to memory of 4064	3704	Ffgqqaip.exe	90
PID 4064 wrote to memory of 4988	4064	Fooeif32.exe	91
PID 4064 wrote to memory of 4988	4064	Fooeif32.exe	91
PID 4064 wrote to memory of 4988	4064	Fooeif32.exe	91
PID 4988 wrote to memory of 328	4988	Fbnafb32.exe	92
PID 4988 wrote to memory of 328	4988	Fbnafb32.exe	92
PID 4988 wrote to memory of 328	4988	Fbnafb32.exe	92
PID 328 wrote to memory of 2716	328	Flceckoj.exe	93
PID 328 wrote to memory of 2716	328	Flceckoj.exe	93
PID 328 wrote to memory of 2716	328	Flceckoj.exe	93
PID 2716 wrote to memory of 4240	2716	Fcmnpe32.exe	94
PID 2716 wrote to memory of 4240	2716	Fcmnpe32.exe	94
PID 2716 wrote to memory of 4240	2716	Fcmnpe32.exe	94
PID 4240 wrote to memory of 1336	4240	Fdnjgmle.exe	95
PID 4240 wrote to memory of 1336	4240	Fdnjgmle.exe	95
PID 4240 wrote to memory of 1336	4240	Fdnjgmle.exe	95
PID 1336 wrote to memory of 4772	1336	Glebhjlg.exe	96
PID 1336 wrote to memory of 4772	1336	Glebhjlg.exe	96
PID 1336 wrote to memory of 4772	1336	Glebhjlg.exe	96
PID 4772 wrote to memory of 1200	4772	Gcojed32.exe	97
PID 4772 wrote to memory of 1200	4772	Gcojed32.exe	97
PID 4772 wrote to memory of 1200	4772	Gcojed32.exe	97
PID 1200 wrote to memory of 5096	1200	Gfngap32.exe	98
PID 1200 wrote to memory of 5096	1200	Gfngap32.exe	98
PID 1200 wrote to memory of 5096	1200	Gfngap32.exe	98
PID 5096 wrote to memory of 956	5096	Ghlcnk32.exe	99
PID 5096 wrote to memory of 956	5096	Ghlcnk32.exe	99
PID 5096 wrote to memory of 956	5096	Ghlcnk32.exe	99
PID 956 wrote to memory of 2392	956	Gkkojgao.exe	100
PID 956 wrote to memory of 2392	956	Gkkojgao.exe	100
PID 956 wrote to memory of 2392	956	Gkkojgao.exe	100
PID 2392 wrote to memory of 2760	2392	Gofkje32.exe	101
PID 2392 wrote to memory of 2760	2392	Gofkje32.exe	101
PID 2392 wrote to memory of 2760	2392	Gofkje32.exe	101
PID 2760 wrote to memory of 1132	2760	Ghopckpi.exe	102
PID 2760 wrote to memory of 1132	2760	Ghopckpi.exe	102
PID 2760 wrote to memory of 1132	2760	Ghopckpi.exe	102
PID 1132 wrote to memory of 4724	1132	Gkmlofol.exe	103

C:\Users\Admin\AppData\Local\Temp\a81d68ab3128db704c170ec16e178dff79422d64bc002766c1edc5b797da45ae.exe
"C:\Users\Admin\AppData\Local\Temp\a81d68ab3128db704c170ec16e178dff79422d64bc002766c1edc5b797da45ae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\Fdegandp.exe
  C:\Windows\system32\Fdegandp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\Fcfhof32.exe
    C:\Windows\system32\Fcfhof32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\Ffddka32.exe
      C:\Windows\system32\Ffddka32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3480
      - C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        24⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        25⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        28⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        33⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        34⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        35⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        36⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        37⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        40⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        42⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        43⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        45⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        46⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        53⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        56⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        57⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        58⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        62⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        63⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        66⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        67⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        68⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        69⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3904
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        72⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        75⤵
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2028
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        78⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        79⤵
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        80⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4528
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        82⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        83⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4384
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        86⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        87⤵
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        89⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        90⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        91⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1432
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        93⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        94⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        95⤵
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        96⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        99⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        100⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        101⤵
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        104⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        105⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        108⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        109⤵
        
        PID:320
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        110⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        111⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        113⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        115⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        116⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        118⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        121⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        123⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        125⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        126⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        131⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        132⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        133⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        134⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        136⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        137⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        138⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        140⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        142⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        143⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        147⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        148⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        149⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        150⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        153⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        154⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        155⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        156⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        158⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        159⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:996
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        163⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        164⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        165⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        167⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        169⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        170⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        171⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        173⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        174⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        175⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6224
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        177⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        178⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        179⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        180⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        182⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        183⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        184⤵
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        186⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        187⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        188⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        189⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        190⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6844
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        191⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        192⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        193⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:7020
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        195⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7152
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        198⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        199⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        201⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        202⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        203⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        204⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        205⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        206⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        207⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        208⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        209⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        210⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        211⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        212⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        213⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        217⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        218⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        219⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        220⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        221⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        222⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:6352
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        224⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        225⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6896
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:7056
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        228⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        229⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        230⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        231⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        232⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        233⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        234⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        236⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        237⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        238⤵
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        239⤵
        Drops file in System32 directory
        
        PID:7196
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        240⤵
        Modifies registry class
        
        PID:7240
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        241⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:7328
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        243⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        244⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7460
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        246⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7548
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        248⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7636
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7680
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        251⤵
        Drops file in System32 directory
        
        PID:7724
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        252⤵
        Modifies registry class
        
        PID:7768
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:7812
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7856
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7904
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        256⤵
        Modifies registry class
        
        PID:7948
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        257⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        258⤵
        Modifies registry class
        
        PID:8036
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        259⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:8124
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        261⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8168
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        262⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7276
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        264⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        265⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        266⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7536
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        268⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        269⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:7752
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        271⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:7888
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        273⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        274⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        275⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        276⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        277⤵
        Modifies registry class
        
        PID:7252
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        278⤵
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        279⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        280⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:7660
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        282⤵
        Drops file in System32 directory
        
        PID:7764
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        283⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        284⤵
        Drops file in System32 directory
        
        PID:7988
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        285⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        286⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        287⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        288⤵
        Modifies registry class
        
        PID:7516
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        289⤵
        Drops file in System32 directory
        
        PID:7688
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        290⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        291⤵
        Modifies registry class
        
        PID:8044
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        292⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:7452
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        294⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        295⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        296⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        297⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7672
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        298⤵
        System Location Discovery: System Language Discovery
        
        PID:8164
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        299⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7760
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        300⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        301⤵
        Drops file in System32 directory
        
        PID:8212
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8268
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        303⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        304⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        305⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        306⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8460
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        307⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8504
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        308⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        309⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:8636
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:8680
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        312⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        313⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8768
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        314⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        315⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8904
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        317⤵
        Modifies registry class
        
        PID:8948
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        318⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8992
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        319⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        320⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        321⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9124
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        322⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        323⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        324⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8340
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        326⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8408
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        327⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        328⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        329⤵
        Modifies registry class
        
        PID:8620
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        330⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        331⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8748
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        332⤵
        Drops file in System32 directory
        
        PID:8824
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        333⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8956
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        335⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        336⤵
        System Location Discovery: System Language Discovery
        
        PID:9088
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        337⤵
        Modifies registry class
        
        PID:9156
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        338⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        339⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        340⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        341⤵
        Drops file in System32 directory
        
        PID:8536
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        342⤵
        Modifies registry class
        
        PID:8644
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        343⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        344⤵
        System Location Discovery: System Language Discovery
        
        PID:8868
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        345⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        346⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        347⤵
        System Location Discovery: System Language Discovery
        
        PID:9208
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        348⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        349⤵
        Drops file in System32 directory
        
        PID:8604
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        350⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        351⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        352⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        353⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        354⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        355⤵
        Drops file in System32 directory
        
        PID:9204
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        356⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:9248
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        357⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        358⤵
        Drops file in System32 directory
        
        PID:9332
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        359⤵
        Modifies registry class
        
        PID:9376
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        360⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        361⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9468 -s 416
        362⤵
        Program crash
        
        PID:9592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 9468 -ip 9468
1⤵
PID:9552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anogiicl.exe

Filesize
285KB

MD5
a61f1b7dd3d93d6014450331f27d90bc

SHA1
3095e99c9c105cf10e5c804c22e099c98d8ce98e

SHA256
d852a0fe089ad7e0f3be35f09d33d7f6ab9054d4e53a86df985c192adb04630f

SHA512
39ce46597ca44ddd327c40970c22bda9023c6cb0a8e8987b37ac6228b11a5f3134aa3fe3821946ccf4233f34dacfd72b16e0d7935aeaa392da726ed8e1d19e39

Download Submit
C:\Windows\SysWOW64\Aogmoeik.dll

Filesize
7KB

MD5
5e278b018d72efc2961c11d5ac45b021

SHA1
e386097d5ed8ddeec8695b241a1c57a40d933100

SHA256
30948f17e6ab6c47067b561e8021ad5fab6d5799bdc944f437ca059dd8c7f727

SHA512
51854ab8d42739ef4c2000e7f1c39140d208167ee6e33aa68ca8a7c426465653b13e35fa9d9027fa9dbbed10e24d52a412a8d12158585ecb5175fdc2785cae1d

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
285KB

MD5
659e1d37911a5dd23f62b4d63e2ffcfa

SHA1
cac6a0c6060acfd204421ec3e491370a47162244

SHA256
19dbd72764f90c8fb0d5918777b805b6ef93bfad738813768d9e55e02ed12ad5

SHA512
6c253feedd840341c51fc51e4c4dcc498164e1d7e19742de53cc02e42af6ec4ef01d3c699f65e59f9f4f17173fd2ba55db8aadcd621d92d67996de731615bc72

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
285KB

MD5
696a49cd7279be01f663dd991d501908

SHA1
40fc2593113edec3c04fa63b59c461f0b0c3f9ba

SHA256
0732dafb3eabcfaf50dcec471684e62189d4ff9e0a5bb846bab7e23c5f7d4649

SHA512
5bcd237b842b85758f37408d32199949a4ad1d3305fae30f4f362eee33cfb97bcaf2ac0d346e70c79d050bbe4ebbab051a231a1017793f383e8623045ecc8a0d

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
285KB

MD5
a836d6cfa699f83d487a0e3916758698

SHA1
8d7acdfc79f84d190100bec370ed9632160e2827

SHA256
65f6acef37db0026d067ebb160dfa5fded005b05ff90ce63d998745e1b16b61a

SHA512
0f7b26d16193efe993b8998fb0d94c1df5a249736353122389fb28ebf60967cefa71b9a3839883fb8e52b94b463ac82248d53b2e48db089d4aa95293e34680a1

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
285KB

MD5
649892413aa4cb51a84a11cb42c8982e

SHA1
17c550c3114ae6b0b8252ebd260407e3e6d80176

SHA256
5a778c6bc3794d0b0ec44af7aea20a635a6c55c7c3835ad0e279174779f59e0c

SHA512
44e52c4ab33b7d719a63ff3d3fd3bfa5cb4b8c209d17444df6f0cb7d4afc942a1b883522c475acb06619211f055de9d2e275a41a667457f72d4c55b832b62a3a

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
285KB

MD5
ae9751b4a730ebf4a7fd01b8523896c0

SHA1
dbfaecf53a51b64ecab472f730b093eeba95894a

SHA256
ae8e8de2da186db1adf5eb8eabe9a98078c898e23f69829ecabdb4c2af1a9b4b

SHA512
0781eef2252963c1feba829fa3dfc956231c476b25a8e60afa91b883f3aebed83874661e549ed8e6e3c88f618f566b74581562873f43b179a2159c592d35fcdb

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
285KB

MD5
c155664162ce4f8e87329555033019ef

SHA1
58376bf8a0061cfce7d75577969f6cb731c87f00

SHA256
07d05b96ab2b60d8e7bc9fa6566050947ce27bec4743b918e96345d54d434e8e

SHA512
0a6dbdcf921bc6262c38e2f2076b8f06100dd82dcb73c9d3364df0802956af9f17b1521ecf7eb4812e60705e664af75a5df908aa60a9ce3823d9286491b5fb57

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
285KB

MD5
6193dc38ee0feec5dce529443a1e6bee

SHA1
a006a2d5850e3b047f99d68330ad2af5f616c551

SHA256
ba631bd1938778baae47721b3a8243d4bdce7e303872262aca38dc18aacbabb7

SHA512
32d347bb5880f48129bccba1fcafe99fbba2d2dac7090bd85067349b3d6779093d5eecf3472bc0645c34ced753b93e36c5aaf2116f63af6273c530b18ab45519

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
285KB

MD5
ddef5d09f962e92df3beab3d5e93f4e8

SHA1
435fcbb1314ced3ea8f9dfadfcaff71aede2d9a9

SHA256
376a488aa03c6641bc948b49a80da6714b4076fcecfecc6acf036fcda1492158

SHA512
a2f25f7692b51f2305130e5d972692167b1575786338bed972749ce16c2db96aae0cb1b1a7ceef8533c6e3c1d15defc82a88cbe747f59a8f3c42e699efbd5b3c

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
285KB

MD5
1994caa35dc9683903f2fdec70648a92

SHA1
e41db95451db04a61e22e392bdb9599b3fab8cee

SHA256
d7d91159b180d47238cb665d2f2ae0eee3136cb8961359d57778a0fcba3a28bb

SHA512
9a66bbff8ece8ea9ad68d932f3e7635c99394c3febf91893d11e05fa47e7cff4dd5c01bf8e59dc3a867cae99d6a2b3c9fc592606b6bafb736c480214bb3ed195

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
285KB

MD5
93f2b93c42465f466d2c8a64988e7028

SHA1
92c4b72f8db9cede7f9bcc6c37d00c32309be815

SHA256
73a896f6c3eb3851c9623b8cb6bed7eec54f63ecc581be91c89e26fd43b784f7

SHA512
630cbb17ef44d3105b44de53e246a7c0e44fae94863012355d7fe7232286b146ee2da3e3fa1595691cdd912a33b27f7d9dab584571fdf41278a54a18c5e71962

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
285KB

MD5
58d2ee00bf1c34727bb18b5d64932cd9

SHA1
eed4881a651c3c007f3a5819d9843b01c1db1f74

SHA256
cd3462b837bcd7573206c71510fd02b302778c254a076e13b73cfd2d7fd7df12

SHA512
4424e30986b3ad852b62c6ec532bd45ab82148d0bab138a84a9d3b75457c9692790cef4e71bb2fddd9da5bc6add941fea6f44200be2d10b016d9f338d9de1aae

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
285KB

MD5
3370f6f9b023d6a3f89830312ba85b2e

SHA1
b1aeab05ea028f7d0f2e78e08b895027baa43030

SHA256
6368a9019f2c4092857cfa5f9fd07b42cc24d7bb9fe3afd34c0965b2c73988d5

SHA512
609df97c049e9f11a8a410a70ff8057e075a1e3497eb092dae692295b270b74e764c5d80b37a669de4b0b2c3cae070f3310437e3185e7bec6736f7374099167d

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
285KB

MD5
1a86f031a5f7227362d28e05d104b729

SHA1
1d56f9bab64fefdb93900422eb2a20fd0058f535

SHA256
91ef4bb5275ace8906eccfc9c7b68af87b9b1cb4a54409ce6b67ae221f837087

SHA512
38dd1580928851cca4cfa6f3d71bb0fe036821686da712c9e89d063b437b0990987af60ba827d42c610a4b82f2c0bddb87e15b027da3395f839c7a9a442397d1

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
285KB

MD5
918f2313e4911affaa94c1b5e170c380

SHA1
100bf6ae3cb954e15032c553f748bfd975319694

SHA256
dafce2199fe3113dccc73723f73bb64e4d2d09630ab74260f5f602fc95f6877a

SHA512
6e7067e4c6e84deb5587f2eba893ce3fe9122ed49e026c2bdd0d11bbcedb2647c34548832f3df3daf38c08e8f1f22b473235c374bcd186d7058a7de5c549a23a

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
285KB

MD5
10675979b826cb599f88716faf1bbdc4

SHA1
f7f04670a26a5d19d5b0669f749d3dd6614a7ac9

SHA256
50742098e3e514d30c83919623161d674d8e5e63f0f6bb83ebc6bad6a2e9f862

SHA512
45cac9e7460b89501cff3d20a1c68b36a5af2d0245b521e17e5da04034a7865ed582ffd2ac2e6b1619a776142cd486a510b033bd3d62fb17950801619fcc9118

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
285KB

MD5
720417b0fe96e547e8eee27fe1e24817

SHA1
2e8f603dd7b60696e023041d54cd5135fe9f3049

SHA256
05af33558e7191670ca34ee5df30ef49d2c1b00f8f1ed36818172a8bece6c195

SHA512
f89a08b89835d0aa2d0d3219c5631837aae8e7e5d76d87655173965f9b589f53a6477d130291e11e270430744a60d5bf7b6306f1e0aca4c37886a862cfe332fb

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
285KB

MD5
0fd61be157f260ece9d4140239dddcee

SHA1
ce1924d2eceb2188c9b8309b32e868d7fa6b33c0

SHA256
d6be0e05d96775c9db0353c7942ec029df7f9f7b49fd681fc2cbe56ce19c0fe4

SHA512
a9968f8e856c328cd3c8826252cdade6b3237138caf40987a49667443934ac9c980613cea9b220a662d7aecb32011484bc1f6dfa432f8390d3106bec86439898

Download Submit
C:\Windows\SysWOW64\Fhcpgmjf.exe

Filesize
285KB

MD5
868ca2a5615ada8666364b7c2b3fab63

SHA1
c3156af2f81269ada3e1239ca49c3b87c3377bd1

SHA256
64477856d3f8ee079d16b7f5f52c015e67e49b0af50d8c20f27b69d2beb6bd36

SHA512
08a9cf70a73043b70899b25816f7d1a84efa487292d713275cdd0152c896cf4e4b8fce344c4fa5295d203a079a3f09a92e86a08f9517659d2f51712cf10dbe1c

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
285KB

MD5
4501477fac715aa6e17488fb5073f9aa

SHA1
3ac528227da5973246fe07116f7a261a8f5ec117

SHA256
561883f955b4f718e6468b975943df960a533764609784ebb6ede35bbf866198

SHA512
bc85869150ac304e115c6cee7420a67160795dc56727c40e3389e406b68ada3b90244c5b321b3fe369fa77df96431c61b050fe757553039e7e484409a6d24d95

Download Submit
C:\Windows\SysWOW64\Flceckoj.exe

Filesize
285KB

MD5
aed7dc4c445d464f26551bec56885c32

SHA1
f75bf01602e2642c530ee187d351cd54ec1aa03d

SHA256
68a4d82dd8f2b0a61f40951b1bd5eb5414d3dbcdf3280015b705bb9f91d616e8

SHA512
d8e99f1621ca9cf089b7559f8c8c3c4e36415bd3dc8ac9b1068e2c3b27e712c020f1e572c7f7f1222468a8e33560b51cd53b3e06258402224a9744a9f70061c6

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
285KB

MD5
50d925b97d5baf448274f1794feeac0f

SHA1
b9c5a6f7f2c2692c1fbba1bb5369ea0642ae4a44

SHA256
79e9f518978a326087a52484dc50cd47b2fca2234d5b44a6d5289927d0080de4

SHA512
7f7870d536a9839e13abad556f8dcd83cd941add38b5794942dc34b721f979445e8b154e27b5c745434680354548b348baaa0e75d78882b1ca8876711f1155cf

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
285KB

MD5
b3af8b52a10939069ff2236039316877

SHA1
9f1eddbbd1fef7c6f0acaa7d6a2a2fc6e462d869

SHA256
4149fc9058229f5f357213b235b5f848806a97cbbddce6311b2de0f1cf340586

SHA512
595afd5e0b134cef39b16261fb7710a5d3cefe152b404ff2ba11a581b8c08026e8f735b524f3358d120f54a46521fc2f1c78b7c8c8017bedc17989f4df9ee4b3

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
285KB

MD5
d7fbc68ff0af1fd485fa2c715cfae372

SHA1
a4fe8b0b687643787b208eefb5da8a0d819c2a5d

SHA256
96ba0b37ef4d0934c9a379b013cca714f2b5455dae2c713237f0c84573f72cd8

SHA512
eba5e47880ff5b76f5a2f2f2f54c1962a6211997573d1b9d8597f77a9c90cd33a2ce7ad2390a6f0c7d139755fe1e45ed2ae5aa30b9ad55fb16edbaee82cf98e6

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
285KB

MD5
2711f4b4dfb963c4c05a343e86512a07

SHA1
625a9780e400e34510ebc1d5809bbcff4108cece

SHA256
248caf06d35837dcfdb54c268c0d523c53ab3e1a3e249ee3d7341218e2d67aca

SHA512
16514d5188e1b096bf22621b475221bb19d4dfd574dfe6351ef3cbbf8ab11ec84c9ce978c2a7c90d1f46b0865d7d792318f2de0e7567b957710c32113a11be32

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
285KB

MD5
327657bb9ebef5c913454c7a2aebd909

SHA1
5a915e88b512e821d284e83a0696d6e8ac741c6a

SHA256
c40234ea4312d4e52a8914de3177023723760bdefdd8c57fd47873642c4933aa

SHA512
4dc0c2f8e2b972130dec49e452f1ff1d47ca8f847cc16ea4a6379f32be1a65debd13d8868a36919eb1a1b2c818dcae9650f3bc5f78e3e08018c6192ac552024f

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
285KB

MD5
af164c66beefe548a167da7ab81a5b3e

SHA1
9fb4412a5b5556bacc81a5826494dc097309de4c

SHA256
ab2425e098689ba98328769d6e7414f986190ac668700d1049933ffda5d32d3d

SHA512
98e39f1b55660207f13b8bc86f3e312cdf6330651143b4f3d4aecd9430a037b492f8365c9a47a7014ecb97d4e91eb534cbf8151ca8390a88522b43234a69bbe3

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
285KB

MD5
fb986f4b3ca6ebb80095602a2e7b538a

SHA1
ba0c5cfcba88f4293ac40440f8fdaa82f165c76c

SHA256
516931a66cec037819ca1380153d2882f39de6fbdecf401a7ac6ac8453c80a6c

SHA512
aaf85eef96a579ac139ec0a4ff74d3c7b2cd7ad3bcd2f49cf36e2d6aaf73be16124b4aef790f4174d02e24512fcbdcfe67a46f881b15dbcbfbbefb2d4e813e4c

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
285KB

MD5
cc7bfafef7e4fed304e027508b32b47c

SHA1
c40fe4004e7823692d839392c67617e343350f3b

SHA256
5d7ea6547c26af0f644828cdf4b19984e98a8b5c939b66f43af42b1127f33d1b

SHA512
c43ef0f2108ec30dde26cd8df42531893a31c328eb05d672331b87faabfb344e0b0b4c8c8f55d2d38715c12290e3bf38c60a23db384ac1171579b0ad0f1feb22

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
285KB

MD5
15cdd2b7dc55f4e8d69564a0c093750a

SHA1
8be2902ed9cb158e9ed774a78fa62c09fec31412

SHA256
58ff439bf53ace3aa2c44acd54f4611a40cee124ab198d813790ee12c8303b4a

SHA512
d1734b419874dcb7da2611858d85f5362adc3838765feda98d355450ffd9dc7a28cb4e855f7bad357a9cb0591cf0075d29d0263b5c824f51bf1a8d2f5e6b1d3d

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
285KB

MD5
c85b84e3541f867c35d2854cfede6519

SHA1
410ff936c719ba809cc22e6b718938263d6b84d1

SHA256
edc50cc6423609fd65063984a5466d180393d8e3108975c821c7dc70c22d5a80

SHA512
61e8cdfbec778926a51b4ef594c1dc86b0e09b3b075fc2924fd68d6e82ef77c43e1e03dcf8fa28d98d61f638ede369db62d33d9f468bc4eddf3826d1fd98ffc8

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
285KB

MD5
73135da59b35d0afeed52d0ab55088af

SHA1
c0369dfc3a6c1fde6bc11ccb9d24629d39839741

SHA256
0c9061eb9b4ab5246170a3ac5b65623c33c87a69e162e69b89473bffe64a08ec

SHA512
63e796d1fb75d91f58e1d936039d823f54c2974dee4b31f08478320dfb144d95bcf75c9e79faedad198c346ce34ac309fa6b9e30f08a528b91680510c9d358c7

Download Submit
C:\Windows\SysWOW64\Gfngap32.exe

Filesize
285KB

MD5
f3e4686d7ed7510c665db13e863b652f

SHA1
e85a23cfd45605ddf03314c541b2b01920c59988

SHA256
8d36ec233b713e1494dc7e5024d7c28ef3cfa632063b6600b53623a017dcb8c8

SHA512
ef28fb27360b6e134ef5c32bc69c15bd5632ae5f73e8aaf5273f2fb4593cb45c08edd722af974cadffc45f11bed6eae8fc87be28548789f3f70680bca7e2560a

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
285KB

MD5
cef9163836746bea7a1b74e9cc1e0596

SHA1
08288e8c3ac5468b2f19fe62ab8464e47b7f8d9d

SHA256
d47fc8c403c7f22aa4492914db195d4fab027143d5a18659685bb73b2a5d337f

SHA512
ce746aa88e5a8b4299c14ee441b3704ad1f577836cafd8dbe8c06f5ceeda0f416d378d64b821876e95d54b07fee62e4c12c34ded806acc03768262b67139be4a

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
285KB

MD5
78ee1ae462cc1090522c1b060100ef83

SHA1
0c47bb1fcef6a8011a1ec282fe52e6144c3c27b0

SHA256
6baea4d35225f05ea4da8aa00c2e23a09b369f6c702aeb28d907bc527f679bac

SHA512
42bfab433bb9a94d31964e49d92d200713e7724e3d92241818376f15ef6ea70f270a6d797c99669faef0bd58462c50a21aadde62fe108beb4828fb8f67937b14

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
285KB

MD5
caf4d1ce0789a9ba785b8a68ac0284e8

SHA1
be2d56de134c1d1f1868516676f021b06564e9e4

SHA256
1f576adff45eb7c34c23af15dded7e623dfb61fb477c19d5250289a8aed6db1e

SHA512
37642d624d4743f8075216c60aa0e532545c9f5803c423d452269f48fd51a147e406ed30d5b0969fbf7d9e6370b5415575b238e2e1989a7c69ae2835e70ab74e

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
285KB

MD5
bb1f0f0efcd1cd86dbd7decfcac6227c

SHA1
3840d349c5ac49208e8490c6829fe049721dc7d3

SHA256
2368c2ee9e80eb5ee1b1f60180007a5bcfe2b214a06856ed39c72316882ab29d

SHA512
eef6357189990963544036f86fe20cc21db9bcb40843b73feb0324bceb97efcc89738f4d74b6b5c2f68485b03dac77e5c9763b7fc80145de1e05be73c4ed017d

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
285KB

MD5
e105334c47583b5e17c6e042f9f1076f

SHA1
3b1522116701794f9f829e3108c658e4ed678890

SHA256
3a90c9e0bad7c2af04059fdc471b753fd26da4caee0c3867d08bf8132fcc53a0

SHA512
093a76b1bb0ed269d74e799955c549b0d9246fd0c89eea9ea8b529f4f4b3c39d998a4cf1a60a5b11fd39586d3088e789e8f58c4f285229c4d8d65d2c163e993b

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
285KB

MD5
b4b6f4e8d57e2a53485e2939776bdc49

SHA1
b7a9390c0a9258511d7cb1b33e42c762f9fbb5f3

SHA256
c41b61dfd5e5ea4342691b965d388d9c3322304d419f5a5c6b44ba0cf27264a3

SHA512
05c675f3387c534b314320cffdda0ae2031733454c16db11a4a051b6a326cd063520927d9cc187cb30a98c23a169a3881b72547f396d53b43b4499240d139384

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
285KB

MD5
1d49294d3d63592e020a0af0ddc446db

SHA1
23c094d2ac8214e7c8fd8250e91c1338eddd3cc7

SHA256
0be4e518b13a93d02ca7667ae38f8671d3ec98483e63113a30ace5be2a66e2da

SHA512
1104db72353b14d0ea6c64a714f175396bf4dc947dadcdb774dc8762b61c1fc2668e4c7086aec1d94ce7d5e3b74373e3157f911ecf4cc6b645467cb31ea7c6f5

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
285KB

MD5
761a9621cc946c7477c96a464b524f0e

SHA1
9c18c0eb228eaa8de8288b5f078f0be2c744ec9c

SHA256
49787ac22dc62cda7a39130de54ac702eb7ddcd6281d82854706b8572b5a67e6

SHA512
b3515deff8de88c480b50f480b622bdc1e15cd320a9338fcef88444b05004b0ff2ef70c4dcc851400ace37ef116912cab8dac4c81d716bf885a1d7e42662ed96

Download Submit
C:\Windows\SysWOW64\Gofkje32.exe

Filesize
285KB

MD5
b9e2a50f68e449e7c9127906b8ef78ef

SHA1
076957d35babde61c0b3780dbc884575b51d8206

SHA256
d464063849994d449b5e897efeb717f43c579f60add2fceffa7ceca08c8433cf

SHA512
65b9009ff55dba79a0858712555068c8454fcfa5a13a9ebde2e967a50cf72dee610bc5b3c20c2208aaefd0b0310924599733ebab2473abf8f789ddc100833ac7

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
285KB

MD5
9746902d241cf8aa524f90d626621896

SHA1
f0bd45aee74ea9ca61782fbcd53fece3888af8e7

SHA256
1845bcdbca3bfc6cecadbfceee90b32358a1b983186a75fee681618636a025de

SHA512
ba26fbf99ff1fd64e26e19536dbd9be228f67d6fc3a4ff0ae37e43c8ce9b02c6ac173a24ba64b884aef9f241a590834df18feb698752cb0d3e5ed21ce71f9095

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
285KB

MD5
00603bb0db38d9bc07f06ed39e2b70eb

SHA1
1ee971bd2e0529a0a8903c79cdb5a155fb22b44b

SHA256
d603c25aafc2bb00cbab21584a5195da84b5d4301a1fe533732cfc07e2d8f4b8

SHA512
b1ecec18457bd97cb39346d08271a94449e3992ccc462d36485ce485ff018e56e779dc576a276a10aac8817580a17f628da0134469267004acc77b11d5cdc040

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
285KB

MD5
fb8269eb65d8eb9c768f19daf2d6741e

SHA1
381ef300fe279c49f62620f5adbdc8b66c62ee79

SHA256
0eff953df14261b6722e740865b932b61cc119a448e131a220d59bb4ce3c874c

SHA512
5f34c1de8551908bf62566f3b6cc0014ef416b87559e4249ac86d8c86e80869b62841586f224c3e692b0047475e3faddef7c18adb0e63680a684a26dbe0d3288

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
285KB

MD5
22e850c76e26483abad1b5beeb441b9b

SHA1
69fe96582ea1934111398442b1fe7ce376db951a

SHA256
eb4112e7faff0229214e0b46587c6f0fc01dc6c1bb9ee0eaaed86952206f2d33

SHA512
6472e8a3c618fafa3aabb9c3182e4a1bcf3aa1cabdf6325ac82b9178f0034d2f2530457554926637a971974cbccd7df452d4ce8282452e83ac5fc355e5894759

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
285KB

MD5
9fecd0452d021529c9e65af208991986

SHA1
f88c2e6547518a68d73ede12d4922d2f4c774135

SHA256
2385a773c409c6a0c4a2f3f23c792bc4049baf9cf59d190156f2975276f1e595

SHA512
15cba44939c3ecc845fca7cf6e56c38cce5802562f8fca60fa7dad8c04f90810b831119cf6daef31db214da11880683031e269e05bf024318d20c50546050a51

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
285KB

MD5
3fdc080618ae4b5b891e820bfe8d386e

SHA1
18cf1ef08947f8b022f7934d38a825073095fea4

SHA256
236075d78b39b1d4a5824a16e91c3c4cbabac5f373cecb9162feb6a41fe5e347

SHA512
b131877ec08e6043e489ac13e7fac8da7b7d00242c6ce6df51eb9216d882cf9b828964d9479150691ed57ba1753e66b4bc46024c58ab510493a5cc50c35b7da3

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
285KB

MD5
9fa5583be24adc9a5572d3b84d5f4a36

SHA1
b7312a69cd8e47f368686f0282190d99d28682ed

SHA256
b5c9457679cfaa9cf6be1ed9221c1c3808f98073847c1dd9b326e44b72f5057e

SHA512
b2c739574582a6d3379ac6183c876746b51ffbcd1d9515cfc04aaf25a11b78a2fb0d392ae0441682c8bde1baa8751025225edfff36d7f5cf3330135d06049071

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
285KB

MD5
b778916d6c4c5c6ecf210cc0826b2764

SHA1
9b92e15df0b061b43d575aa614cbd6dcfd4fdd1e

SHA256
7ad211915fd20bafedaa22b0d46a3477de94a25acfac633bb89043f9276815e3

SHA512
8b0ee957256f063ce9feccc6388244c53d6345d216bf8928ec4ddfe50bed6f5ecae2e30f95fdd9eb526c84a7f69179ebe03e9cdce46229a0424f12579dec245d

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
285KB

MD5
38f26e53b96137f163ce5569da203acd

SHA1
1c0bdbba737ca271ecbba20bab17bd064d2639d0

SHA256
b97ce64a814c43f849c1dda85b9da37bf708e68b9226763116f94ce8e72e9937

SHA512
43354df8464ab15be4d443eed7520a01ebb277af6eca52cf770d47306aa77af880a68a2c2f3baadf4af6e32d3499373c167b38ea37a520564819509e70ebd111

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
285KB

MD5
2014918ada171e33129b837a15f81b95

SHA1
0623bc48e6e9198579c823722aae7fdfa2a2c976

SHA256
265bc6cecfa48d59d608d46b8df195af17a77608cae325ca85a65a11554b592a

SHA512
863f21ef630ce631d7b936f024cbddf0d3cffd654e9a500263b8f8f0419d4976dfe43759cec5a7823da784584097325f426fac801715747fe408b7d64404b061

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
285KB

MD5
5f0b28da3c70c2b185fa07d2d55925f3

SHA1
ca05da5859f4e0a9cd4de424dc09b725c46360cc

SHA256
1460ec88e6aa96eb07f77c23cced2c8af0df532295dc52d5be3714c30bed5c97

SHA512
ec5fb383e183eea7d90243743a3fed67db7b843e78bbea7dbd73fbf97faa94c86b73f3d7342a9530099cbba2061de6208eb32b1f59eace7244d310603f82b597

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
285KB

MD5
5313d2e97e12d110ff7aa8a5ac8671e2

SHA1
84b132cfc9c63b84c1edafaf56a31abfa9b02fa5

SHA256
d39d9424365dd1d7749bf9a2d8c0a5e612e84bc2bc7c2c8667fc0e227a9e4425

SHA512
83bd08c823732356d1ef6d6f2c3241779ccb9dee03cf5a62b1ca41d17e58fdc6ba6f2c11b94d654e77155b67d9d7345b4980a9aa459c452055ecaa16e8f02d28

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
285KB

MD5
0a904cb018fc21e3e4dfeda167d6e03f

SHA1
022545353fab5e0ad03c64e13c5d7907f1ec5a6a

SHA256
6a9cab35ac082e8f562688fe6044f802f78e271a7ce8f3848365a339674c1817

SHA512
e0e63fb9780c585d9c7a14ac0e13a05ea92635e05a7f37c71ded7699b3d3888a0eeaa34a74f0def8c79ed35a8f6b8f35fba92670aefd786607affc8e77f1e5aa

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
285KB

MD5
53178ada50dac78d70536432bd1bb197

SHA1
04bcb7b8837a161fbd0624c97bbb9058d2e4baff

SHA256
7b4472103a3def161d153a0b6d7d4881177b38521be352ad7ddd6aee3986a8ed

SHA512
40f46ebe6da7b8ced61382b259d901c6d8fcd88eb67df917f7034461aa526996bcaba351d6e81b3c0054b153ad6188ebf9937443a9d3da65c93006434112afd8

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
285KB

MD5
50edfe24bcaf4c3861e899eed12a529f

SHA1
b6c3b4b2757b6959f2c365df48b0bf127834be25

SHA256
dd2b5a2b170df8db8e6783fc2a337569047abddabec29e2b4f031cf921c39735

SHA512
c18ecbd947d9ad8b93f9b3b5a519b37039e1d67c3c102e8779190c194b9751c6220914e179c10917fcf1e03d3d6ffa6ab197dc4a6230f0d64a6a122347d194e4

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
285KB

MD5
a6d103925e784a01a177b3684c2eed42

SHA1
4715ce77a91308c99d747bdc877983de9d0c3a7c

SHA256
74598d1cf1c5a77352477966d5a003b2d4c132f3e7ab5a3f80299203d7493b78

SHA512
8490cd13fc28212f33b845bdb27579d607c88875f1a9735070a8c023c80f3b94f05db7996b1384a855e21e777932a005c64da75e814763f920526245a7443f2a

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
285KB

MD5
237ae45dc6caf0ae5043298d38fd06dd

SHA1
390a38a61d640883a38b5742ee528b7a15e88d1a

SHA256
4d387c8f39c0668ab2bfaf5425e7f9981627b768d45d8be06b012510519d1fdf

SHA512
c12232b75caf7c8c8bca1629038330a459e641f34716bc7bf710554c43ddca83a02ac87e2751352d829eb4f9391ff6348290cef25806acb47278ccc678f28c0b

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
285KB

MD5
14eda6d168590d3f8f8da807245f5ee4

SHA1
7e12a0aa4732f3af7f0e843af5a91a7b0acd3aa4

SHA256
d01a21cd6d13ccc99c13686a2c524a9cd7a3a5cde5212741a9f879b924563f26

SHA512
65dee92ed6cb40bdfc58566c1b94d2c092e6918d3ff0c462c0710930f3a77dc3daed5b45f10dfd9e30bf6328829efb6cde20cf19607431beba6c615d89064131

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
285KB

MD5
f4b29738924a02d1b92033224bcb8942

SHA1
944ffa4621a890c8c39c2d70bbfba955b2745e32

SHA256
27362eb181145aa78ce8e3b5fa0cde58d6589d1213f86166a37510d3b71fee1e

SHA512
a6ff9684011009a1dfb77a4ba6d9222ca55d97167221fd0518132c32e6e65a1ffed06f557039160c348a4dffcd75ed572f6aebd54aba330525b10dc29a5f26f0

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
285KB

MD5
b957a896ea29f5fa3f7f1f9ac5d4dfcb

SHA1
dffc3bedaccdda9c3ebe23dacb4931189c8492a0

SHA256
5e0cf94f5015449ace5737e9d1075e3e34aafc87bbe25be00865d03afa31fe9d

SHA512
2dd8006e4de09b83f5dfe8da6c55894a762d8c2876a9fae133eecf2366d4f92deecd78d2e21b264bb7ee65b95487e13fa1b709b5b790717a3c22730cf5900ae6

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
285KB

MD5
10334b62a28971624d6495765ce37b95

SHA1
c0632a85ce2a028a03abee98be4613353968b285

SHA256
b15b8a0a6c8c9488a95dcbd8bf518896b125c637d132075b35c37415f4c980da

SHA512
49aa87e03f8ffe4dd77e873fc8b5a3a45b3e785eade79c6dbaf81184b67c3d6ce4c8b207507e873fe640a8bfecad16c1df556a89d520a6da011c3d337e23a91c

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
285KB

MD5
4e08987ac995276c5323eaa9510a416f

SHA1
51d0a00efe7ff56c797fb05bd6d95698883ddb42

SHA256
16eaa4e5b607ce24851e25d733918a522a758bd0b0fffb84cc5a0f73c17eb1be

SHA512
01088cb5ec9be17c8d39a0e4b5dce0ae7823f892f1f7a55e79117eebba4a9e76807789bcdc464618a4cbf7fab97f3872dec4ec218670f9ae724b460372d27692

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
285KB

MD5
83a4515e543ec2bba42c5a74f7622502

SHA1
b474cc8cfcbc45d216f758240a8edaa11c954ddf

SHA256
9741f926140f4005f12d53263b51496789ad476ff0e3f6938e24dc1e8283c18c

SHA512
8716f483efaeaba5cd3e1e74c4f999a8280bfc94f2c117d2f09c2cfb28a4240d77803df43df8dd41be052c43af46870e9597ef31131a1387b5b8970e0609b850

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
285KB

MD5
8588efac0363cc9887fe0e44942d67e6

SHA1
36caa8e555ea10a100d9a8ac2949fb030698732c

SHA256
0e207d396273cd603649ede3614aecb10d053db5b32c2ee8a0600fc6518c1c99

SHA512
e43ec28c9e7ca8513e7e4d6e1d9b3d42d8a89c772ab6be1c6305184afeeb12f36f4e1258d628c90890e3f14b4fb0fb146e91ba2fcedf57fce4635c4d772caf54

Download Submit
memory/328-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8400-2527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9088-2549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads