berbew | ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140a

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140aN.exe
Size

93KB
MD5

caab8a37f68d668dc525b720f4e6edc0
SHA1

79d8487d9db6bf9ca3306427c0751e689e60725b
SHA256

ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140a
SHA512

64c36bede5a40b4b5534729c43f91ea4f499d13ea139ebc77281f56c91ddd1e4125b985b6b6cb976cdc709281a96bd3ad14e9668297c53bb62da015a16d44e8a
SSDEEP

1536:PSsWnjvRZs2QJ1Jo7mj+P+9E1DaYfMZRWuLsV+15:ujvGJ1m6j+mGgYfc0DV+15

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomhdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Colffknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkmchi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dohfbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmlhii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmnpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekemhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgmpogj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahode32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkalchij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpjkojk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhgjblfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdiooblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkmchi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbaemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eapedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2364	Cdfbibnb.exe
2668	Colffknh.exe
3504	Cajcbgml.exe
4552	Cdiooblp.exe
3488	Cbjoljdo.exe
2760	Cdkldb32.exe
2844	Ckedalaj.exe
3668	Dekhneap.exe
3832	Dkgqfl32.exe
4568	Demecd32.exe
4048	Dlgmpogj.exe
4000	Dbaemi32.exe
1600	Dhnnep32.exe
3696	Dohfbj32.exe
5080	Dhpjkojk.exe
1036	Dojcgi32.exe
4912	Dahode32.exe
3648	Dlncan32.exe
1284	Echknh32.exe
3332	Ekcpbj32.exe
4216	Eeidoc32.exe
940	Ekemhj32.exe
3444	Eapedd32.exe
4344	Eleiam32.exe
4876	Elgfgl32.exe
3416	Ecandfpd.exe
2728	Edbklofb.exe
3916	Fkmchi32.exe
1992	Fcckif32.exe
3856	Fdegandp.exe
1052	Fkopnh32.exe
4808	Fcfhof32.exe
1740	Ffddka32.exe
1676	Fhcpgmjf.exe
2052	Fkalchij.exe
184	Fomhdg32.exe
3508	Ffgqqaip.exe
1260	Fhemmlhc.exe
3700	Fkciihgg.exe
4688	Fbnafb32.exe
1556	Fhgjblfq.exe
2452	Fcmnpe32.exe
5048	Fhjfhl32.exe
3568	Gododflk.exe
4636	Gkkojgao.exe
4756	Gcagkdba.exe
592	Ghopckpi.exe
2600	Gcddpdpo.exe
672	Gdeqhl32.exe
5072	Gmlhii32.exe
3636	Gcfqfc32.exe
1340	Gfembo32.exe
4796	Gcimkc32.exe
3868	Hkdbpe32.exe
4064	Hfifmnij.exe
2312	Hobkfd32.exe
3892	Hflcbngh.exe
2832	Hkikkeeo.exe
2280	Himldi32.exe
2188	Hcbpab32.exe
3304	Hioiji32.exe
2012	Hfcicmqp.exe
5040	Ikbnacmd.exe
4348	Iejcji32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cegjejoc.dll	Dkgqfl32.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Gododflk.exe	Fhjfhl32.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Klimip32.exe	Kmdqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gcddpdpo.exe	Ghopckpi.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Fomhdg32.exe	Fkalchij.exe
File created	C:\Windows\SysWOW64\Gilnhifk.dll	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Lfkgaokd.dll	Fdegandp.exe
File created	C:\Windows\SysWOW64\Ilghlc32.exe	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Kipkhdeq.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Jinpgcmg.dll	Ckedalaj.exe
File opened for modification	C:\Windows\SysWOW64\Demecd32.exe	Dkgqfl32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Ffddka32.exe	Fcfhof32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dhnnep32.exe	Dbaemi32.exe
File opened for modification	C:\Windows\SysWOW64\Fdegandp.exe	Fcckif32.exe
File created	C:\Windows\SysWOW64\Anphnl32.dll	Fhjfhl32.exe
File created	C:\Windows\SysWOW64\Lmldgi32.dll	Hfcicmqp.exe
File created	C:\Windows\SysWOW64\Jmehcnhg.dll	Ikbnacmd.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lbdolh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7028	1716	WerFault.exe	298

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkciihgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikbnacmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbaemi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkalchij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fomhdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjoljdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekcpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffddka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdeqhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dekhneap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elgfgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghopckpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdiooblp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcfqfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkopnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhcpgmjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahode32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Demecd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhemmlhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkkojgao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdqba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlgmpogj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eleiam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecandfpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfifmnij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfembo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqjbebh.dll"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmbha32.dll"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hafgeo32.dll"	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfifmnij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffgqqaip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gododflk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekemhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahkcp.dll"	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobkfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfbibnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbjoljdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhcpgmjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gododflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdiooblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkgqfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojcgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcfhof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 2364	4116	ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140aN.exe	83
PID 4116 wrote to memory of 2364	4116	ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140aN.exe	83
PID 4116 wrote to memory of 2364	4116	ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140aN.exe	83
PID 2364 wrote to memory of 2668	2364	Cdfbibnb.exe	84
PID 2364 wrote to memory of 2668	2364	Cdfbibnb.exe	84
PID 2364 wrote to memory of 2668	2364	Cdfbibnb.exe	84
PID 2668 wrote to memory of 3504	2668	Colffknh.exe	85
PID 2668 wrote to memory of 3504	2668	Colffknh.exe	85
PID 2668 wrote to memory of 3504	2668	Colffknh.exe	85
PID 3504 wrote to memory of 4552	3504	Cajcbgml.exe	86
PID 3504 wrote to memory of 4552	3504	Cajcbgml.exe	86
PID 3504 wrote to memory of 4552	3504	Cajcbgml.exe	86
PID 4552 wrote to memory of 3488	4552	Cdiooblp.exe	87
PID 4552 wrote to memory of 3488	4552	Cdiooblp.exe	87
PID 4552 wrote to memory of 3488	4552	Cdiooblp.exe	87
PID 3488 wrote to memory of 2760	3488	Cbjoljdo.exe	88
PID 3488 wrote to memory of 2760	3488	Cbjoljdo.exe	88
PID 3488 wrote to memory of 2760	3488	Cbjoljdo.exe	88
PID 2760 wrote to memory of 2844	2760	Cdkldb32.exe	89
PID 2760 wrote to memory of 2844	2760	Cdkldb32.exe	89
PID 2760 wrote to memory of 2844	2760	Cdkldb32.exe	89
PID 2844 wrote to memory of 3668	2844	Ckedalaj.exe	90
PID 2844 wrote to memory of 3668	2844	Ckedalaj.exe	90
PID 2844 wrote to memory of 3668	2844	Ckedalaj.exe	90
PID 3668 wrote to memory of 3832	3668	Dekhneap.exe	91
PID 3668 wrote to memory of 3832	3668	Dekhneap.exe	91
PID 3668 wrote to memory of 3832	3668	Dekhneap.exe	91
PID 3832 wrote to memory of 4568	3832	Dkgqfl32.exe	92
PID 3832 wrote to memory of 4568	3832	Dkgqfl32.exe	92
PID 3832 wrote to memory of 4568	3832	Dkgqfl32.exe	92
PID 4568 wrote to memory of 4048	4568	Demecd32.exe	93
PID 4568 wrote to memory of 4048	4568	Demecd32.exe	93
PID 4568 wrote to memory of 4048	4568	Demecd32.exe	93
PID 4048 wrote to memory of 4000	4048	Dlgmpogj.exe	94
PID 4048 wrote to memory of 4000	4048	Dlgmpogj.exe	94
PID 4048 wrote to memory of 4000	4048	Dlgmpogj.exe	94
PID 4000 wrote to memory of 1600	4000	Dbaemi32.exe	95
PID 4000 wrote to memory of 1600	4000	Dbaemi32.exe	95
PID 4000 wrote to memory of 1600	4000	Dbaemi32.exe	95
PID 1600 wrote to memory of 3696	1600	Dhnnep32.exe	96
PID 1600 wrote to memory of 3696	1600	Dhnnep32.exe	96
PID 1600 wrote to memory of 3696	1600	Dhnnep32.exe	96
PID 3696 wrote to memory of 5080	3696	Dohfbj32.exe	97
PID 3696 wrote to memory of 5080	3696	Dohfbj32.exe	97
PID 3696 wrote to memory of 5080	3696	Dohfbj32.exe	97
PID 5080 wrote to memory of 1036	5080	Dhpjkojk.exe	98
PID 5080 wrote to memory of 1036	5080	Dhpjkojk.exe	98
PID 5080 wrote to memory of 1036	5080	Dhpjkojk.exe	98
PID 1036 wrote to memory of 4912	1036	Dojcgi32.exe	99
PID 1036 wrote to memory of 4912	1036	Dojcgi32.exe	99
PID 1036 wrote to memory of 4912	1036	Dojcgi32.exe	99
PID 4912 wrote to memory of 3648	4912	Dahode32.exe	100
PID 4912 wrote to memory of 3648	4912	Dahode32.exe	100
PID 4912 wrote to memory of 3648	4912	Dahode32.exe	100
PID 3648 wrote to memory of 1284	3648	Dlncan32.exe	101
PID 3648 wrote to memory of 1284	3648	Dlncan32.exe	101
PID 3648 wrote to memory of 1284	3648	Dlncan32.exe	101
PID 1284 wrote to memory of 3332	1284	Echknh32.exe	102
PID 1284 wrote to memory of 3332	1284	Echknh32.exe	102
PID 1284 wrote to memory of 3332	1284	Echknh32.exe	102
PID 3332 wrote to memory of 4216	3332	Ekcpbj32.exe	103
PID 3332 wrote to memory of 4216	3332	Ekcpbj32.exe	103
PID 3332 wrote to memory of 4216	3332	Ekcpbj32.exe	103
PID 4216 wrote to memory of 940	4216	Eeidoc32.exe	104

C:\Users\Admin\AppData\Local\Temp\ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140aN.exe
"C:\Users\Admin\AppData\Local\Temp\ec8effe51741bbebe087c681cb53ddb2a91a1a47491f8724c54f8d7e6a68140aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\Cdfbibnb.exe
  C:\Windows\system32\Cdfbibnb.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\Colffknh.exe
    C:\Windows\system32\Colffknh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\Cajcbgml.exe
      C:\Windows\system32\Cajcbgml.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        28⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        54⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        59⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        60⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        62⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        66⤵
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        67⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        68⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        70⤵
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        72⤵
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        73⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        74⤵
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        75⤵
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        76⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1744
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        78⤵
        
        PID:372
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        80⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        81⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        82⤵
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        83⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        84⤵
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        85⤵
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        88⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        90⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        93⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        94⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        95⤵
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        98⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        104⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        106⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        107⤵
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        108⤵
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        109⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        110⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        111⤵
        
        PID:700
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        112⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        113⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        114⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        122⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        123⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        124⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        125⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        126⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        127⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        128⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        135⤵
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        137⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        140⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        141⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        143⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        144⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        146⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        148⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        150⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        151⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        153⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        155⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        159⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6156
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:6200
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        163⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        165⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        167⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        169⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6556
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        173⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6692
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        175⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6912
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        179⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        180⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        181⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:7136
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        184⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        187⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6432
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        189⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        190⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        192⤵
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6856
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        197⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        199⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        200⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        201⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:6520
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        203⤵
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        204⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        205⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7008
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        208⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        209⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        210⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 404
        211⤵
        Program crash
        
        PID:7028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1716 -ip 1716
1⤵
PID:6948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aglemn32.exe

Filesize
93KB

MD5
37055d01678e1d79d473e80e0b7dad4b

SHA1
aba9fb0b71a52dfddba6c37172314ed80d2fda1b

SHA256
52e651053fadcaaa47dad34ce116e47b7b87603362ff507b48d4781c560a268b

SHA512
00de8701cd5c62cebcbbb31846e8c957e1983cae715d21deaddcd139d1f1de878511c4cfaa237abc863506362e855716a36bc8515fd879e17e9c87d0eff98522

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
93KB

MD5
f95beacb816dba275d76b44397ebd24e

SHA1
162fbb6d921f4815b25fafb08298dcbb8e1f0169

SHA256
fd28224abd09e2961f63404c3b07356000bbda726bea9c88a80cf2fe0c2ed1b9

SHA512
b8a4939b7f28cb8ee1f2b2cdbaa14f68cc36f12305457c02cbcf2c98fef37eaf7af0e49c1301f016b68210b9dcc6ce87b991e7a22b331451a6947e58808e32c9

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
93KB

MD5
ac18242f8170052e9d02729eb63aca4f

SHA1
597fd6f9a65d695dcda1df28e1e6e82957edeba3

SHA256
dd16cf220afb01c80d941ed23afc2dd8949a585270f40c21c9a80393241ebc58

SHA512
f834910ed6d72b4597c1b9feb636e9e90bea8732ca75538bfdd08bb3923c4d9c539fdcf9ff3d88cf696dbdea1ded4411eb0711fa833fe1293b430cc25be7f2e2

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
b153cf0c9702c097315fca3ab3477534

SHA1
07c67b8162006d01f4175378930e75d8ab258d2d

SHA256
27c64e6741c3719a579a7a524255deabfdb1f063546e493cd1636f5c5140650f

SHA512
e6533a3441cdc60e9405f867f2bee4998354c6814a9478bb552f6f312fdb8178965a2065e4b47076b5327dbeae50fc1cf0883917e1e56046bcdcbe888572fe8f

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
93KB

MD5
7404b2a86538c8297b01029c5788114e

SHA1
0070295c839765a26edf96295942d736b86c85d2

SHA256
e185f270b47ff463424652c277cf912496e766740266f9828fd17e2898ced76a

SHA512
dcb6f2194229d12712dd7a9fa57b383eae5dd5d7c4f6723a774b07ae76a5debe8a14b19e8d2f28abdbc37f08e3382d991fd5a4ef24112871abcc51a4899da278

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
93KB

MD5
b1ca1e9b083ec122296d9e136f6fa81b

SHA1
d05aad0a509cb1740d821a97fcb488c375d4605e

SHA256
bcdcd63f7ad03c0f538233b19f92891401ffd4538b4a325345e4faffc4a28d9d

SHA512
0229c584b472a6e4811626aca32cd55de3e5542d6e28779857e866761c9665986070027c8fabcabd74153736b13cbf7a3fda9dbf7256dfd64fff3692e20f76ab

Download Submit
C:\Windows\SysWOW64\Cajcbgml.exe

Filesize
93KB

MD5
296a9c66127ecb4187cdb1a9c7d15f30

SHA1
0b63cbdb235c0998eacb864e3b44a63edf6e0f46

SHA256
bff3896204e11f67c509e6f8d8f7d15c0334774e14d6b851668d5453f12553cb

SHA512
1adc2bf5610eff53097d8e6fc4dc02c49d16e2c4998a52e798a052a1bf1d97664bc31bd8330b668adfdc22395dfd225596d71b7ac7509e92e0f54d6523ccd250

Download Submit
C:\Windows\SysWOW64\Cbjoljdo.exe

Filesize
93KB

MD5
07c5611531f16906514a7ffbbb25ef93

SHA1
6db12182b4a083fac7ddd8457bde0fb9f8709a1f

SHA256
b6bf0c83d4ab6710472270edfb4adf293c41c72708302dfb23c35691c7c037a4

SHA512
a45aa3669183eba1a7c280ef4e5f26a0ae8e5b7a714fd82f189a1da01b0f5cc1c059adf1e8502df5cf3e29fda9bc9757edb19a419fb76d68b8ca6a2dfdd747e5

Download Submit
C:\Windows\SysWOW64\Cdfbibnb.exe

Filesize
93KB

MD5
579e4eb5ab9dece106df6987912d7f32

SHA1
48222e7ea5c721f84666e0fa1d4d2c4df5519855

SHA256
39efab0a2ddc1991e6ca49b14e3b08b21995e547270e9579282e015b90e34977

SHA512
7eae9e5ce663df76f144de66257463cc1b307e0308770f94ee3ec79ff942125b33344f74484df24b074a1da9d53e0f4fb98057d9446f1625db15df0f45d8d3eb

Download Submit
C:\Windows\SysWOW64\Cdiooblp.exe

Filesize
93KB

MD5
ef5e3ef52932e6138685118b7ee471cb

SHA1
56530d914d480c7659104a6c4f314481e8a8c5d7

SHA256
00b783f6d20d32bf1f850023929c0909a92c8496df0b018fb82f131156681df6

SHA512
f7dc0b75eb512b1b32e04961c2820e879937e5257ee1f83c65ed362710e07c2bb7eca9b3e4ed644c476be2d2b9e00dc9be7059265524e2cb861c301388054bb8

Download Submit
C:\Windows\SysWOW64\Cdkldb32.exe

Filesize
93KB

MD5
f4876729d33d5cc6159ea814d310e974

SHA1
35fb73e286c84707127405d8f02388714248cb1e

SHA256
211c011a3c6ee5d0f59f634508247a47767c3f7fed1df87432c5cff658f0652c

SHA512
76e33471888e60eb7dc7e8eedf16b14970d30175731edff57b2641402fd9b83d2b5f719fb3cf7bb3b503c68b89ffaab1d353a35fe0aa6553c091a994ea5cfc04

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
93KB

MD5
14b1e419f36724db5c3b976b9ecd5597

SHA1
851d519d29bf5c6a34beb91489000c1e13658825

SHA256
e65dbff1793d3b5e1450d0c38e9ce4f9ffc3f28e33ae60b408c6031c0e61069c

SHA512
9912276f123df6b13ad6f40a46f9d5fec60d99aa7abafc9cb609136fd33feb6e434899e26ce5a427830b65d6c758a09f8e0fd3ec1e0dc68068fe0b79b919f4ca

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
93KB

MD5
ab962be98a7b249e4cb182630d08d954

SHA1
4536a49ad5f3e9a380e402e4c3e2d1513475c537

SHA256
8af16ddad8aa910de6923fb1832e0c68f252b21a538370bfd7453fc605fff792

SHA512
6f9b8cbf4025f2ab69f4a3790ac19290f14e5536d8509f75ca5377c3742cbc3337cc37421bf67cac0f632e75e42e1e0032472ebd543b5068ecf65eb25f11ed40

Download Submit
C:\Windows\SysWOW64\Ckedalaj.exe

Filesize
93KB

MD5
19efcb95ff6b316e7e6df9e7695d8fdf

SHA1
172189544154354edf6d88941f7cdd08214f5ae3

SHA256
b600ce4b9df113e81635e43373c1c4c2d407eea7eee5678ceac65bf6af7a0001

SHA512
3ea520b71d2b24fe2d89ba36254d9de09e85d1420780b866b1402ffaa56813844d85980b4b147d78a9872821b8c0ace61c388dad53a5cb9af55f6d435192b988

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
93KB

MD5
6a488887389d84b1682b8d9a7829f995

SHA1
3cc9ff0abf093ae07341b166168497f10347a3b1

SHA256
b0c9f2bda806287a201634acbd1f4b2033c926918f42c3327aad9cda73fa8202

SHA512
dc48a5c93f15841a32615bc2432b2b519532cc37490277813b2b2d413873cb408511bcba800c59a7e4186d0d6dc96691b165c18f9581873eae8357cc758b6291

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
93KB

MD5
78f4ae1a1eb82d0a1cc46f21a20a9501

SHA1
e04daa255efb6308aca13709ab5428064bdbfb8c

SHA256
8d407e9637949fe9757717ae1d2686c5e3b95b697cfe46ee9fcc1ebd2736f434

SHA512
edc57faa239b0f9d0e0ee64fbfa27e758c8263e78a4faf1d36bc7b0cd6cb66c7e6c4129f7337b49290ed187f4b7bdf581c3b2afed2562a9fb84b26512a0862eb

Download Submit
C:\Windows\SysWOW64\Dbaemi32.exe

Filesize
93KB

MD5
91d82fa823b18672a7e95591dc979b8e

SHA1
27f559349328fedf3ba36f10ce7acbce79266c1f

SHA256
03616fc0e00092dbafa0706ef3f507f25c22f78ad3500f2d1bb5cc0733bcb56c

SHA512
124723acf234bbf1e0b5ddaff388ed2e697d133e8101bbbcfc9bc019b578085ade72b9676fc2f9b3984fcfdef7bb67af4378c79cec47354ad05a087b7bcb2018

Download Submit
C:\Windows\SysWOW64\Dekhneap.exe

Filesize
93KB

MD5
1bb8301b76221731a92a8cbcd61ecb1b

SHA1
3b56f6d45c5b5ce94c1ad09e0fcf7514bf92c142

SHA256
fa6eb0384993960e9adee220478ca719db4ed1574c9976cbb5ac7f2594fbfe81

SHA512
e944e22102785976a9c4ed445c2f570d2c7db952bca2f0688fa34fea2e591cc56c3d9c23aed95ea12c38c8e6b57e89e9a7e4b25715a945d726725c198b4d02bc

Download Submit
C:\Windows\SysWOW64\Demecd32.exe

Filesize
93KB

MD5
2c42a27bd75a6e0f2a4deb5fffd45d0d

SHA1
13087c605f6b1017466062396585dcf172ac0fab

SHA256
e0c55fc80758600436b69513d12eb539870f4187ba7eebc626c3955df2056984

SHA512
14333e4a6558a1ee2d9988f2b0ebdf172ef3403d615596db02629d605abba88d954b021f65475811506e83d8317e42df532c90fe00e06f1421670854a34562d3

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
93KB

MD5
95b4b3310d9affea53590a8a1e897fd2

SHA1
d83002f5ff903b8b6ac7797ef4eb2fa56e1d5b04

SHA256
6d3deb48bb8a20f39ff86498c2e51a3d2910de2f5130bc39fd49deb26226e0db

SHA512
29ec47b0c44aa69ac49d24495a7e9d3b3aeb7c2f98fdf58eb85a78c980b9103a7e63ce1dcd9f6747b9700946bc7c6e4d90a2abba3c770b67c0bd55243f8b3555

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
93KB

MD5
12f94f53d9e166eb47998161429f2ecb

SHA1
fa00990efd370aa5f1436721d448818921f342c7

SHA256
85bcb8d401d84d2c1a2d1b9c9e22aa68be4883a637d940bc217d33a90bbeff09

SHA512
b3a04c8bd7da77ecafc53053e6ab6edf28d2953e8edd1ad540ee8195578de62e7107f3dbf0e02b8b80c52e6239d3ca1418de266642ce39eb14db7ea8a74431f2

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
93KB

MD5
ebc9045b4c1d49a1e45beb5e90fe7f7b

SHA1
963055e36969105afcc4d11d625eb60e1cf8ae54

SHA256
47d9d517de181711fc98423866794993c261210399f10f38ac32698e3a898674

SHA512
bb06bb4bcd50742157c0d8ef99e56fd32e2d39ca83c7388263251557bf81a64bc07ff1180d9d85a3b144cf1312068d6ef957f20053f9529546a9ba8149c61a5a

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
93KB

MD5
21d444eaf3b6d20b45f126a1529adac4

SHA1
05c03cedd3786fead75d2ac8ad2fab54b668e1e1

SHA256
addc50e777028b1710870cea6a691af337c5956b405ea01a3eaad47e360d547d

SHA512
c42897f047837d5239a7a45e1e17844bfa0ccf4f80992f4979e09a5e5ab8cfde1c59ea25ab5ed08dab5406652b3a0b4e8d4b7e001bf7a01c43e193b734486b03

Download Submit
C:\Windows\SysWOW64\Dlgmpogj.exe

Filesize
93KB

MD5
e09fb104b57e32643036431eada9c6d2

SHA1
4e1cd8ff7d3884e6892fb9de15fb7e44a66d292c

SHA256
8c6096d16934e8dff72932f01ddbf71a159b3a59f272dcc3a8899ce986d152a4

SHA512
e6c52bc43559186b44d7342d0938bb82d44abb8812ec18dad4ef48e644c6695ea2f76162afd5474f635648a3980e1db3a01f4f2f501c0df6b54525317182b714

Download Submit
C:\Windows\SysWOW64\Dlncan32.exe

Filesize
93KB

MD5
497f4836e0c9d61c764e2ea850d956b8

SHA1
5b8a43f6821cd15f8ba68d68dc12bc4b92c2fce3

SHA256
456715e96b3f0e5b9b5b2fa4b031db806fadadae3309c929faf7a5166be426c7

SHA512
a806c9bc340eb5e761f24f0532659e49f27a3c583402218982c2d0c7e21d8121843e31a7b3ad34f4cf9191a38f29b65a651216481bb3b8812e8438617ae634d8

Download Submit
C:\Windows\SysWOW64\Dohfbj32.exe

Filesize
93KB

MD5
7c2616546f2e63661702fb7b9255032f

SHA1
6aa4e4774a235e9682d620df858b83d6f4056b65

SHA256
607e5f9a16cf9f3e6e569feff167c9f5f764750f0f033326b9f63990d8b5dbeb

SHA512
5448fbe3752107f81384a10939ec6a7c4936a4e226a492a9e6ad81555e296cf2915443f9b241cc7a0431fda6d7f658dfaba335b2208318f03ab9220b9da83f86

Download Submit
C:\Windows\SysWOW64\Dojcgi32.exe

Filesize
93KB

MD5
147449a55fc096c12d4da485615c05dc

SHA1
7f3484f0bded72a2af93514d0eee103d7bd150ee

SHA256
dd154a34ebbf62b5062b14c62501238823f41f84d9e77a5d4da2981b8b11252f

SHA512
25f0e8278b7f77564fb3e6c6a1a7add5e0c92d8e1a8503e7a8e9cd8ad2a280582e862004cc677b364a56983ce0f69b92fddc3bd861c44308dac969f29a4a8fa0

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
93KB

MD5
2628a06c2bb39a80735f35f7674da163

SHA1
008dc7ce48340b3cdc171262ef66f7abd7ae6749

SHA256
e9ff4f0362fb56582291c1eed3bebcd4b2dec96e39ab0eb57307f7b288a0b605

SHA512
bf641d295f015f53344ef64d5b908dc7bcb6c2ad2bb5ca9ec3c7ce6c5a95d618555e35a98591d52e323444184395204151071610538e22b02a059ccc369b1290

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
93KB

MD5
284093e4f8e1d05274771f190a875e48

SHA1
90f19b6cab21cab5e635acbaa49b03337a864a70

SHA256
773a8e9d729fcd7ee1bf890ec014eb8a578b30fdb5f343a1785b4dad00411963

SHA512
1a819a0703ae14985dcca71fecc0618eec396aa41a67d6caf9c9f8c6cc8e90d0ddd075935d7d2c93c0e9b69225da8047fc73fdcdc3b2830a225c15a088a59151

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
93KB

MD5
cbdd1c8eaab655119daa5ff0790fb927

SHA1
2bc8a6e5206fc014c93b740a83a6d6e52d3d212c

SHA256
a2fbd38d9a50473723c7e6b3fcf0d59f434388e8df88d3975bd8e08b06781654

SHA512
2e83afa72ca972c5b7ba4c7509ac6c9a67f825ca95ce688b237af4edfefdc04ae504dc173643ce371827dba232c15022125b005bad10326ce4db999b8f32502b

Download Submit
C:\Windows\SysWOW64\Edbklofb.exe

Filesize
93KB

MD5
a56907c8355950dcd434248774dffe4a

SHA1
2321684b9e9bd726e5b1aae327e042b1329cf5a9

SHA256
cc157612d384cc107989068ed9e0a34bb40ed4b939d87f688e076c8957a75945

SHA512
a75665a1936695ba3bb4e5e8ef7baa7eb7946ad368858b177ca03a898d6d25a88e3b8af0f618960c22da0fe16fc0d0c0746852eada514c35e8d602a18d7e268b

Download Submit
C:\Windows\SysWOW64\Eeidoc32.exe

Filesize
93KB

MD5
12fbf512d0204a47536d6d38f7485216

SHA1
2fa586386d5e38934c88cc9ab4be3936bd64ffb1

SHA256
893358fb238bac15cd437929a9f150a1db2d15d57a24c78a29c1b442e9f9a3ea

SHA512
0726ad72ffda2fcd8ae36769584fe1ed26df989defa29535d84155496f92aab2bb04ed70a9c9dec0e98ca5464e5de67889f664d9a0bb93daedbb4099d30fea82

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
93KB

MD5
492d65aeaf067673e366511308103817

SHA1
2e48aef432a2c1f18ea92de5bbb83ab5f2692c55

SHA256
2a2b43fa0e5b29712d7440c193eb8651b0cbf0ee12daec91525875cdc114ea78

SHA512
87293a0b29e1b8672d27172ef6de3f6f727c61ee991a3af9ae500572877c76a4a95a7fceb0145f68b90540ae7db5fcac95fbb6c7b7313abdb77a286fcebeed95

Download Submit
C:\Windows\SysWOW64\Ekemhj32.exe

Filesize
93KB

MD5
89264f3c8f55c4ff34275a2acd491049

SHA1
1a9ddac573e16dc0d1f53971af4ada3bc5745224

SHA256
e4ca1071ef3a08d9fde7ad71b4c57bec89ec56d54dedb4fe61ef4338be655499

SHA512
3e4271014174ae9a55617c4c8b3126eb09018c7528acdff9c3d0d80b7aab964ad0376ca28e262dd2ce1571f39147fecca3377013a0b0b44842c7d8d8bc623c6f

Download Submit
C:\Windows\SysWOW64\Eleiam32.exe

Filesize
93KB

MD5
04e2df099521c49319917c8dbdd85804

SHA1
61f7adec34aa032988575d0211779eb5bb54413f

SHA256
203fed8776f746289d85e4aac4eddc35a1aba9507d626a721653e100d6ebe733

SHA512
41b395942b732b8ca17eab0bcbf3b5a7d20651e1fb86c2bf028af8e7c702019051cf96c170d802692baabcc2f11c044f40cf204aa161b7e0c06cec3895a26f6f

Download Submit
C:\Windows\SysWOW64\Elgfgl32.exe

Filesize
93KB

MD5
810ca724c0381163365daa3a59ba5479

SHA1
e6859d7803d5cbf09b9debaf345db35284c8832a

SHA256
9cc28c42814576a5e812cb6026c8b324a9ae956439054b2191b7076b15a89e7d

SHA512
bd55454b8ef7d59c7c5979aa6154f3e06e19c7fecd6fbb7e02717406f2f275a70c023ee98e255523fa7cd7f0d5d57dcb9f86d8e97db647949bb22e15582f1078

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
93KB

MD5
4f0c65d7d239edd136a090f0b2aa9d36

SHA1
3507aa0aec8b6f81bb3abdce775c214390204e92

SHA256
71eda639e118053b205f04ed72227c2c685b8bbda9c9865879a2dd291f58dcd2

SHA512
40755a28f246b22e736728aa5aef68de471f13ba74b129c35ff5a100741601e3c91186e75970a98ce492fecc8adf3eda53965a596b7b40fb04b83552080b488e

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
93KB

MD5
3b1bc833ff25e3c60d5750d0db2d3168

SHA1
1390919bcaa28272285f2d3f615111c2c5f2c3a8

SHA256
428feec9e78f5b16c6f523d8c7d429bd044cc3b6b49672b7a79f7569d1cd7a02

SHA512
3700b87c9ff2c854589860e00393d5b4fe3b063a94b9b23db7e366d4521d0265a1e26137401926f4b4c72fec01ba8d80a358a10442458fd066ee0d88bfc0b0f7

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
93KB

MD5
ba55ba780134a1320dec71a92ad8898a

SHA1
18111036e1cc0e8c05c9f981442055725b2998c3

SHA256
ff01aa0305fd146e6f1f1b7316df8354d43248c40dc6817c09cd1b6ba8151de6

SHA512
5aecb0072940f397756e8a48346919d44864e6b5ad357ed1cadfccfe9e2e634046af763643b8f7d429db66c781bd6b8e91418451563bc60e2ea6e7f7c73e1b24

Download Submit
C:\Windows\SysWOW64\Fkmchi32.exe

Filesize
93KB

MD5
c9c2d4b3f2382223048bf79580885ed3

SHA1
24f4081da0d74ed3eef68e388a78e04d4644a6e1

SHA256
9a2fc1b31c3e9e98561e8d658ddc604af664581909d16d4951fa7b463c960c51

SHA512
34fa1764346f7072bbade2e098cac7f411fcbb6a0d94cf8b362845a71c0f090104ac5d49f403a23f6b5077fb1ccbdac339b88210ab060cd0b185fb22df449cc9

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
93KB

MD5
1e2c6fd02285e8fbd6cbe638cf5a5400

SHA1
1f11b0c73dc60062eb31627e3b1227e971bd7799

SHA256
2fe1d22381e936502a19ca719baa119d9a6c1563b0dc52824ad6527c634f8a59

SHA512
e59c00ae05ce979f07119909b66363f732f2c91794746e7b505414b4769138ef466b32c30d6b19a745f16b31155e3d389ab511af4659aa61a68152ac3fa270a4

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
93KB

MD5
a46be0cecbbe4b3715f38fb1830814fe

SHA1
d41e299e956500fdeca530b511c5c945d0a7c09d

SHA256
174992f04edc39ae45b09c06d991a18b73a1ba658359655bcfb94c78c8c8141c

SHA512
bd156278b71ae7cc6b26d5ec751124155ca009ba228f47bcf082db09ad0cfb129977fa0f5bbd0f168a0225788395ba9a51e6ed28fded53ef256e82523dfb13b9

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
93KB

MD5
53ea5a345394e12fc0b73c9104bb4827

SHA1
f400b4c86ed59f6faca4000ba4356532df2d5863

SHA256
dff860f1ba38f76f8484ed9d6bcfaf6d03e054bfbf150d5109c53b4099a86642

SHA512
385ef6667c43452f337ee2d8414abc83c3ab091888c45e2b33fee613db6cd9c74d701d5bbaaa6eadbfd8230c1fd0abea3a4ca5d7e79182734428e90129164d25

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
93KB

MD5
12b269ac1817d8a7b1e0b79cbb5c0671

SHA1
8a05cc20520297dc24b0b0537effa92fd430bd9e

SHA256
d5f0452d565fb77585bc678cd5b180182ad4226161eaf8279458883b78704a31

SHA512
d8333cd88d78a0f924556798ccfb11af94c6d4e27e0ae5298e324bc62da9611294e8e2dd70f6eb2a1fcb45f42eb6b352bc4c5ca3265aadf3c5f3530f0bbe6b94

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
93KB

MD5
ca2578ef2795ac029938611689e83696

SHA1
0a5f8a65e9ed1d33cb5f13b98d554e1d83c44531

SHA256
e5bef76fdcaf0107da1c3f113c31d522bc5b93a7b576c4551cb0ade87880e804

SHA512
287b98859670778813128f68ed2b376e56d4fa6ace16f9032c635b1b7ff64075b309daf13adfcdf9c9384b97499436c59cb81ec26cdb3b5c54e71a8edb0f8c3f

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
93KB

MD5
5cbfe413e4b00beb71b642ce766709d5

SHA1
e6086d3558398fb6821e852bb09032eca9067fce

SHA256
4b5ceb2e089f2eee9fef36a569ee29535f446975f9fe1051828231fe60b416c3

SHA512
1a41de022a7c5cdf03405202a53dafdea998268c65d18ed1d966d267a54e7a870082bb5788410c8270603e7336d3de1f3191c58f61aa4b5ec69ce82e8343bbd3

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
93KB

MD5
caf24f8297a8a33306312959d33d514f

SHA1
d2dd1223f190c39b19c6355dfc471fc9f2ca1253

SHA256
835a7d5fbaa0d12aeb8f3efae67d3904fee5b4b3fa87afb22d878a62890f9552

SHA512
702cabb64bc459813735ca73f1d9a90fada72f1d62aee15a7648ab646c9b892bc32d5d69a4d5fc1a494040bbe57dbbb46e8ae824e86245371948583adc42efb6

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
93KB

MD5
d511f97b568d7a3340fe845742035a41

SHA1
8d3c661a6199f62778c6ea5e838b0f9aae113008

SHA256
86763a7fff8367b23b35b4561f8be4a886b2903d6e331175357d6e3fc009099a

SHA512
4c1365f599a2460743fb4f055abe2b5c4f53b8d82665713eb4049f5578d6e5d5502709bc0237de3a8e740329ef015cdc6dbff68a9c5356b731b979cb7205ef41

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
93KB

MD5
4f16cace47a26624fe17ba84b25298dd

SHA1
dc283b9c79ec9ccf7456e10f2c5f323c437a15ab

SHA256
8ef37218638b974849533f3e92d3c8685b675af4c5fadd886e13f5faaec7a887

SHA512
0d3222b8227d52bea2eef220402c0c75104d96bd48f8cfdefe1a26c84e27abe325e0bf172e07c1c489c1388e5cd5c1b05fec7af36e1f200568adec3735936e1e

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
93KB

MD5
edc2454fc7c9a091775837d33d7a1951

SHA1
b024e0ff7afe004b77141b9d2965f57dcca608ed

SHA256
c1918866ca0a55bcc5d4eb52ef2434ca59a64cb9dfa2efc38c474c9095799ee4

SHA512
1df39120985db25d740d8c3f7dac36ae02ea603e88423af051f07ffc3b0f6bd7c47efa0426637bf4dcbfba37c167246823c69428d4daa639f9c110619c909c4e

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
93KB

MD5
a734425fe154457b5f99e78024f7017d

SHA1
6e625295116069de49d45b218e383bcbbfcad95c

SHA256
a7405eedd0d61feaf589c2bd73844197b0539230d11951d3de4d1feb3454e5ef

SHA512
ea32af60da02264d50f6b93941cee10e80ff0da1b89af46790221c94b73d71935af897c3252204bb7fce6636cff1bea200c307e4a4f0a10dc283186cdf910955

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
64KB

MD5
cb68bfbb2435ab78dbdfa1e0b1880c04

SHA1
7cc0f78db34caac3351b8f274c5cd4273ba9eeab

SHA256
6602c3eb61c199ce55c6a5aaa57f93a6a4816c00fc85aa4760928118b269f3b4

SHA512
20887abda81c88c705f8922747444b32a045456504f04809a8313344a10ba6ead65f39eb92c09e8560ad06c8292d5d3dc6a0e1a4cad17dad90f3c05372e77770

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
93KB

MD5
f3468a4e82410a6013f6afdd87efe713

SHA1
9a1c2542d448491e8234d91cb6b35f967b63976f

SHA256
2a7289b7d944da8519f35d36f0fdee2b3856ef8125e4446d4573a41521fa4b77

SHA512
e988445040fcb9ad71ddb3cd7c52d8ac739cfb7dee08eb1cef9353c7925c0231ed10f38769da86ebe2eca4ea45970f07ba113e3049d0eb3204d65012e5a549f7

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
93KB

MD5
cc224b9e34534753127f5b8df84005b7

SHA1
3835f1ca4c86f1378a8d4913e5b8a1f631b8c450

SHA256
0684810afef1f547e5214ea69a3e673f3e5f83bb829a294326cccd9932a90cfc

SHA512
1331d0dc55df7a6b460c3a0efd2fa8e995563f1631b214a100574b07de7a4901cb9d267309e7648446e4faad9d19c0386167d93e50d9eb72d5d1f56c25a5939b

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
93KB

MD5
8ef26b860ee2d93e41ec78f04b3418a9

SHA1
2fb6d5c49d78fc06b8f27190d21a1dc12b0c4830

SHA256
de050e466b45918be16ef3c05ad7a2e0d766face614eb7e4fac80cb7257472f1

SHA512
c865b40cbe53487c535062a97aa617ac6ca594a965c809eee83474b1f0826181cc1f2a17848e48fec54edd798339f108a3e10231361c5a500ecb07af9a8267ac

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
93KB

MD5
977a9be567bc4c9adbb120fb1c077843

SHA1
8b8493307e3f75c85e4c68de145ebbf6c4ecfaaf

SHA256
e493dc7524580208ad1dd6fc4112ba305ab773db5d033130c6aaba028fb2d6a9

SHA512
bbdaa79f7e07f1b2dbf7cbc59eb4b0c0730f482cba2c26cebf8abe8038e7204a45ea19d493a0d6b656bda89da8e04b0badae543ebcdebf17bceaf4915c892c4d

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
93KB

MD5
ba5f388a72afd3d1eb8237b689d0ddf1

SHA1
120b8d1cc72e6b6dc849de1c7c97b51f6a69f093

SHA256
84405d160a672d448531fabadf6f6ea3ac63276d933688a0b5248b29b151e87f

SHA512
3c118415a502ebbc565e83594c12e2beecfd4aa87f570d6ca83ca1a2f4bf1177a859cdd5a9a64e3d7084812b249771f6cd3c7cd7299f79ee4f3b6ecc771bdb5a

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
93KB

MD5
0ed4c7e2d4547c28ae375a5dbc8a12d4

SHA1
c8b9f499e20779fd51a8b4bc612018e65035c455

SHA256
0f0c1161ddf005038c563f176028e457974035c91fd51108199ba09c7be7f53b

SHA512
e24809ebe76207589b4df1dc7ca0f530c6821ff0a08416f63bc345fadc87593e6156cd218bcbf42873b34dd40ec4312f6242317fa21abcdca2188b88e346de27

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
93KB

MD5
73828fc3d9a2a6a58aabcf3dfa058c8e

SHA1
5fb9e2440ccf56785c19e48b6f1c25fd0d26b355

SHA256
1e646020391d87422eb8340ca9021453b58b162a133ce2e564cb3620c94454bb

SHA512
d2a05d3437b71627d7fd7c6fd2ab5ec457bfc0213266b4cbab84e88cb572aa2eae5daf8b2377acaaddd598da403fff04f2386ab26dc2e76ba7e3a8a7d5022698

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
93KB

MD5
453a9552fa5da8cc5b26ca10a01b9bfd

SHA1
62511a874c08b1855b016a0b4c395dd04d63a096

SHA256
5ae85dd8dc8217928f9862d6bd0587090170f45e0efc3aa6a169b87ab89aa2c2

SHA512
f71a720a7ef0c016237bd971bcabd39fabf103025c31615e4b54d996e8f24545c7e324793a9966e0748f84f0bc8718ab0a13c1aae454f0bc8ac7ed1bffad78ae

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
64KB

MD5
b955e161ea2fef776634a79073c5381f

SHA1
f382ce7b8b87baeda5c5a91e05fdbbc805a0536b

SHA256
a040186f2c9fb88a6123548f136c5f73fb1921d5b4bfcb4f159960400aa0bf9c

SHA512
03f0f9c409e0c1565cb3bd53d7869fa6763b832b787b1fc6a2a8628c69220874a4dcc2dd73d401a5c47c8a6eb982c2a645d3c2e99d907776bd0dbb6855244f81

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
93KB

MD5
71c0a46a83b59aa63000ed80ab36fd7e

SHA1
3cd2ab53b61f3c5311a1966dbf1d5c9378d096ad

SHA256
15a3f01154fca35aad4da866502647d6885e24be8851f20aed472d3bf15d822f

SHA512
ec78681cc4b70645ccd75b6bd3cd31dfe1d613d96e10cf383b355d071e0f4f2a243c454fea19b2b7fdd0068d62ee3dd1e89ec19c48bf33dcee7084ce54314548

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
93KB

MD5
9c0b1f9ce27980e13226d4b4d88e559a

SHA1
5cb8a5df7b16997c25fdc28957b3f0380f5b010c

SHA256
697630a84620136ace2be116f2ad50e248de16ed27e30a8e97ae7ddd3d58dd67

SHA512
3c8e2e78933f70e0e7b2347a2c93233ccd6f958ee685b922bb8fc691830d9008e5417fb897f3cf1e8356737e381a96606977261f000ba489ea432a13bb17ec29

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
93KB

MD5
ccc322d6084254f498bc0b21d1c52c4e

SHA1
dcfaf592ae271e8039c29f0ed2e8f233ce6810d4

SHA256
c7e4c200b0d64501b131eeadcdc7426401095fd34dc7fae25ee2527cc8d6b53e

SHA512
bf0e9d1f7d4ccc367af314c71e9ed14afcbdabc6bc12264eb9f5fdaa0d17e414450a53e1cb7f0ed69c18bfd96fa2d87be143903576c340de2d612b59de4a7c65

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
93KB

MD5
e953e228b82195fcad2da73cd5243e2f

SHA1
2e633bb89cb8782adc31d37e2ed4df34d2f60494

SHA256
31af0f52c48fc4ba5327e004caf9b9b9744f442fa77d311c98f403d222775c6d

SHA512
a1e8745c85ca04f777839052063d55742e3b451e3d10af4899ac1bb7c15619ac154e4cd9b0650306ae6f68cdad5f45f21dafe818f20c74d6f4c406d0cb81e08d

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
93KB

MD5
71ca388e7aca173f44d788d4d887dfd3

SHA1
da21a8ba6313596b8003c077daf5aa32b9b91afe

SHA256
6a94716d85052340de3e1ebc238708d0452c36a33e83e20c9ed05f241710ccd1

SHA512
09cb8a4c95aba0d471100fd94d5fcf18b6f9b8ca085ec7d8a2c77194581e686403f2b69ff6d0b24a8d4ef8e5a3598dc1ca22fd52882af28d60cd976255b8092f

Download Submit
memory/184-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4116-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5904-1495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6280-1488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6720-1500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6924-1496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7156-1475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads