berbew | cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7N.exe
Size

512KB
MD5

26291d06d9aa3cb10e33eb4d47278f70
SHA1

14d0edf566c206d49427ab0aedb0cd8452318d6e
SHA256

cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7
SHA512

d87ffc53a2522455aeb37d03e81310d95ab7bee1cdff3284fd2e22fc1c8309111f154235528770d6c7381327b663b27a8ab2cb731e950be828cac5890cd007c4
SSDEEP

6144:ovdA+HUZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:ovGUG5t1sI5yl48pArv8o4L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcfhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmcojh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcojed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmcojh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2084	Fafkecel.exe
5112	Fcfhof32.exe
4968	Fhcpgmjf.exe
3484	Fakdpb32.exe
1396	Ffgqqaip.exe
1876	Fooeif32.exe
3600	Ffimfqgm.exe
4684	Fbpnkama.exe
3516	Gkhbdg32.exe
1208	Gcojed32.exe
2748	Gofkje32.exe
1088	Ghopckpi.exe
1944	Gkmlofol.exe
3944	Gbgdlq32.exe
2860	Ghaliknf.exe
3432	Gbiaapdf.exe
4516	Gicinj32.exe
4412	Gkaejf32.exe
1160	Gblngpbd.exe
4580	Hmabdibj.exe
1820	Hopnqdan.exe
876	Hmcojh32.exe
4888	Hobkfd32.exe
1900	Hijooifk.exe
1448	Hodgkc32.exe
4800	Hfnphn32.exe
3676	Hmhhehlb.exe
3804	Hbeqmoji.exe
4324	Hioiji32.exe
3684	Hkmefd32.exe
4000	Hfcicmqp.exe
3232	Ikpaldog.exe
5072	Icgjmapi.exe
4136	Iehfdi32.exe
2032	Ipnjab32.exe
3948	Ifgbnlmj.exe
4392	Iejcji32.exe
3296	Imakkfdg.exe
4336	Ippggbck.exe
912	Ibnccmbo.exe
756	Iemppiab.exe
2780	Iihkpg32.exe
2052	Ilghlc32.exe
4224	Icnpmp32.exe
2500	Ifllil32.exe
3908	Iikhfg32.exe
464	Ilidbbgl.exe
2536	Icplcpgo.exe
532	Ibcmom32.exe
2256	Jeaikh32.exe
2644	Jmhale32.exe
2008	Jlkagbej.exe
5092	Jcbihpel.exe
1824	Jfaedkdp.exe
2864	Jmknaell.exe
3456	Jpijnqkp.exe
3984	Jefbfgig.exe
2432	Jmmjgejj.exe
4092	Jplfcpin.exe
3932	Jfeopj32.exe
4996	Jmpgldhg.exe
1596	Jpnchp32.exe
1640	Jeklag32.exe
4032	Kboljk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Defbnajo.dll	Fbpnkama.exe
File opened for modification	C:\Windows\SysWOW64\Jeklag32.exe	Jpnchp32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Gkhbdg32.exe	Fbpnkama.exe
File created	C:\Windows\SysWOW64\Fqqlehck.dll	Hopnqdan.exe
File created	C:\Windows\SysWOW64\Nlplhfon.dll	Kikame32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ldjicq32.dll	Gbgdlq32.exe
File created	C:\Windows\SysWOW64\Bgpmhl32.dll	Iehfdi32.exe
File created	C:\Windows\SysWOW64\Jmehcnhg.dll	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Iihkpg32.exe	Iemppiab.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Fakdpb32.exe	Fhcpgmjf.exe
File opened for modification	C:\Windows\SysWOW64\Hfcicmqp.exe	Hkmefd32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Gbgdlq32.exe	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Gicinj32.exe	Gbiaapdf.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ffimfqgm.exe	Fooeif32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hopnqdan.exe	Hmabdibj.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Hfnphn32.exe	Hodgkc32.exe
File created	C:\Windows\SysWOW64\Fpeohm32.dll	Hbeqmoji.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Fcneih32.dll	Gofkje32.exe
File created	C:\Windows\SysWOW64\Jmnoof32.dll	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Aaqfok32.dll	Ifllil32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Ffimfqgm.exe	Fooeif32.exe
File opened for modification	C:\Windows\SysWOW64\Ghaliknf.exe	Gbgdlq32.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Hobkfd32.exe	Hmcojh32.exe
File opened for modification	C:\Windows\SysWOW64\Kikame32.exe	Kdnidn32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Mlampmdo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6212	7116	WerFault.exe	277

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfcicmqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghaliknf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmhhehlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imakkfdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iihkpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmcojh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hobkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifgbnlmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeklag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffgqqaip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hopnqdan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbfgig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hioiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hodgkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbeqmoji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7N.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcneih32.dll"	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll"	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkhbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcdak32.dll"	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffimfqgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgdlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbcedcn.dll"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkmacoj.dll"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkdpj32.dll"	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifllil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icplcpgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hopnqdan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifllil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbpnkama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imakkfdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hopnqdan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2084	3836	cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7N.exe	82
PID 3836 wrote to memory of 2084	3836	cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7N.exe	82
PID 3836 wrote to memory of 2084	3836	cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7N.exe	82
PID 2084 wrote to memory of 5112	2084	Fafkecel.exe	83
PID 2084 wrote to memory of 5112	2084	Fafkecel.exe	83
PID 2084 wrote to memory of 5112	2084	Fafkecel.exe	83
PID 5112 wrote to memory of 4968	5112	Fcfhof32.exe	84
PID 5112 wrote to memory of 4968	5112	Fcfhof32.exe	84
PID 5112 wrote to memory of 4968	5112	Fcfhof32.exe	84
PID 4968 wrote to memory of 3484	4968	Fhcpgmjf.exe	85
PID 4968 wrote to memory of 3484	4968	Fhcpgmjf.exe	85
PID 4968 wrote to memory of 3484	4968	Fhcpgmjf.exe	85
PID 3484 wrote to memory of 1396	3484	Fakdpb32.exe	86
PID 3484 wrote to memory of 1396	3484	Fakdpb32.exe	86
PID 3484 wrote to memory of 1396	3484	Fakdpb32.exe	86
PID 1396 wrote to memory of 1876	1396	Ffgqqaip.exe	87
PID 1396 wrote to memory of 1876	1396	Ffgqqaip.exe	87
PID 1396 wrote to memory of 1876	1396	Ffgqqaip.exe	87
PID 1876 wrote to memory of 3600	1876	Fooeif32.exe	88
PID 1876 wrote to memory of 3600	1876	Fooeif32.exe	88
PID 1876 wrote to memory of 3600	1876	Fooeif32.exe	88
PID 3600 wrote to memory of 4684	3600	Ffimfqgm.exe	89
PID 3600 wrote to memory of 4684	3600	Ffimfqgm.exe	89
PID 3600 wrote to memory of 4684	3600	Ffimfqgm.exe	89
PID 4684 wrote to memory of 3516	4684	Fbpnkama.exe	90
PID 4684 wrote to memory of 3516	4684	Fbpnkama.exe	90
PID 4684 wrote to memory of 3516	4684	Fbpnkama.exe	90
PID 3516 wrote to memory of 1208	3516	Gkhbdg32.exe	91
PID 3516 wrote to memory of 1208	3516	Gkhbdg32.exe	91
PID 3516 wrote to memory of 1208	3516	Gkhbdg32.exe	91
PID 1208 wrote to memory of 2748	1208	Gcojed32.exe	92
PID 1208 wrote to memory of 2748	1208	Gcojed32.exe	92
PID 1208 wrote to memory of 2748	1208	Gcojed32.exe	92
PID 2748 wrote to memory of 1088	2748	Gofkje32.exe	93
PID 2748 wrote to memory of 1088	2748	Gofkje32.exe	93
PID 2748 wrote to memory of 1088	2748	Gofkje32.exe	93
PID 1088 wrote to memory of 1944	1088	Ghopckpi.exe	94
PID 1088 wrote to memory of 1944	1088	Ghopckpi.exe	94
PID 1088 wrote to memory of 1944	1088	Ghopckpi.exe	94
PID 1944 wrote to memory of 3944	1944	Gkmlofol.exe	95
PID 1944 wrote to memory of 3944	1944	Gkmlofol.exe	95
PID 1944 wrote to memory of 3944	1944	Gkmlofol.exe	95
PID 3944 wrote to memory of 2860	3944	Gbgdlq32.exe	96
PID 3944 wrote to memory of 2860	3944	Gbgdlq32.exe	96
PID 3944 wrote to memory of 2860	3944	Gbgdlq32.exe	96
PID 2860 wrote to memory of 3432	2860	Ghaliknf.exe	97
PID 2860 wrote to memory of 3432	2860	Ghaliknf.exe	97
PID 2860 wrote to memory of 3432	2860	Ghaliknf.exe	97
PID 3432 wrote to memory of 4516	3432	Gbiaapdf.exe	98
PID 3432 wrote to memory of 4516	3432	Gbiaapdf.exe	98
PID 3432 wrote to memory of 4516	3432	Gbiaapdf.exe	98
PID 4516 wrote to memory of 4412	4516	Gicinj32.exe	99
PID 4516 wrote to memory of 4412	4516	Gicinj32.exe	99
PID 4516 wrote to memory of 4412	4516	Gicinj32.exe	99
PID 4412 wrote to memory of 1160	4412	Gkaejf32.exe	100
PID 4412 wrote to memory of 1160	4412	Gkaejf32.exe	100
PID 4412 wrote to memory of 1160	4412	Gkaejf32.exe	100
PID 1160 wrote to memory of 4580	1160	Gblngpbd.exe	101
PID 1160 wrote to memory of 4580	1160	Gblngpbd.exe	101
PID 1160 wrote to memory of 4580	1160	Gblngpbd.exe	101
PID 4580 wrote to memory of 1820	4580	Hmabdibj.exe	102
PID 4580 wrote to memory of 1820	4580	Hmabdibj.exe	102
PID 4580 wrote to memory of 1820	4580	Hmabdibj.exe	102
PID 1820 wrote to memory of 876	1820	Hopnqdan.exe	103

C:\Users\Admin\AppData\Local\Temp\cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7N.exe
"C:\Users\Admin\AppData\Local\Temp\cb13de2caaa0c4eedde741c826d876b68921ab4bd8081823f64c8abab06b44f7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\Fafkecel.exe
  C:\Windows\system32\Fafkecel.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\Fcfhof32.exe
    C:\Windows\system32\Fcfhof32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\Fhcpgmjf.exe
      C:\Windows\system32\Fhcpgmjf.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        25⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        27⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        34⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        38⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        40⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        41⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        44⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        50⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        51⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        52⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        53⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        59⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        60⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        65⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2132
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        71⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        72⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1620
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        79⤵
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        82⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        85⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3268
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        88⤵
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        90⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        92⤵
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        93⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        94⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        95⤵
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3704
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        102⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        107⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        108⤵
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        109⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        112⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        116⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        117⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        122⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        123⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        124⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        130⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        132⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        134⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        137⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        140⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        144⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        146⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        147⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        149⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        151⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        152⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        153⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        157⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        158⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        162⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        163⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        165⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        168⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        169⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        170⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        171⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        172⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        173⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        174⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        175⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        176⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        179⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        181⤵
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        182⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        183⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        185⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6624
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        187⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6668
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        188⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        190⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6804
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        191⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6848
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        192⤵
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        194⤵
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:7072
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:7116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 404
        198⤵
        Program crash
        
        PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7116 -ip 7116
1⤵
PID:6168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
512KB

MD5
7856fb690414c0098b7d0f245509d79a

SHA1
919043ca74d9b38086556a5418e3f08d56fea15c

SHA256
fb0a55650c3d47b0501326c49b59473aa3e6d649e5fdc264e8e263de11990c2f

SHA512
05679eb87c8690f6df4ceec96d6b6c41e8c12ea11751000684a21cc08cad1ef6e2e2e188f1caabb71d9e6825840fb5e91614281e23f0a1e8589b23d855e58e8c

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
512KB

MD5
82dbbdf28196031c4ec67a035558d926

SHA1
b8e3ea97cd898166981eba266b8887b1ab39c23e

SHA256
41c7462b4d34efe1880737aff40e23a0f9cd2df0b454bfae35363f09b45f4819

SHA512
75c7eb9db6b35b46f37368ef1e7fa7a1016bb13ccb4bb9743e1778a3490fa1a81a0df4c954a2ce0fdcce541e48271d03707b10b05ba5d7b181e901ab54e2e023

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
512KB

MD5
a85d03bb4a20c7ded2b20a2252aa93b3

SHA1
8ec1ee72d8df22c56bd0f02706d6280743e8b1a7

SHA256
bad6b109476e8da8ba6ed2fcdce314ed236881ff25c7d9dded6b27dd9ac0bf85

SHA512
da7835404abbf734bad7fa25c79971bc8d3ee624f21bd6ff78ffdb5ff6ba459d40a5622de262b6c3a7542c046c47636f9c8280aeffcd3517a74bc7962c6d127e

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
512KB

MD5
640f4d906ab9695839e16ef4ea9fdbd1

SHA1
f7274baffea012490d521991a30de7b787abad45

SHA256
97a77bc8951692211423a06ce07f24267e3a2a29aae45d128c0da310f839475a

SHA512
fda42928f795cb54f44b2b8418cdd2f208e6fe425b6555d72fe21e5f65e50a06e69c331a180191d8b84f72ef844b46f5b5a40a698ba366f238a3eef82dfbd9bd

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
512KB

MD5
b0c1c5cd4516b5b972ee0c97fe6724f5

SHA1
61a6dfa22a7b18c304dcfd60baec65488bb3a86d

SHA256
bb9a8f0cb9d1fb95f3bc219497a660c8477851e3e5704a8295d0b36b9da8d6ec

SHA512
92e9bfe4ef1bd2922979f4845ac3467d4a78a59518d9beca50b4067019cfdd983611d2795b58d3a12e9d11b332a8b5ba8928eeb28ad8469c872b035eeaeee400

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
512KB

MD5
62732a5f66e2e58bcfa1e2e74f6b9d78

SHA1
51dfe7588deb964d07051f40460beacb0c7394cb

SHA256
8f23a02bd8e73aca5490cf4c529d17749d9d6ca53a904c56848903fbb695c09a

SHA512
1f26277172a68f9ee353f7921428d756298c0f73e4437bf253a0628aca612986776e2b20b341a160ccfdbf9ca67b995ebba9ab09daacabb641564d79c59fe524

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
512KB

MD5
c60bd55d5948ab1eeb89eb2a09626c82

SHA1
a6d38ce7a6947005c4bc063ec697554206a18db9

SHA256
9d4bf4a12685c62105f1af7d3b892b19ed19358c6f43e0df80eeeb01cabc52dc

SHA512
fb7616e1c871cca602b7ecd56508f5527980e83bcfd59cc7f151e762320ac4287954d0c490e62a950d8d149b39f3ec17e54e5365ce7d9e426bdf5cac5a8ecffa

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
512KB

MD5
7a7a3819c53bb10566c74522b7ec240e

SHA1
15d814dee1097b7b05afb9a837fb7beba273fc8f

SHA256
393a1c2ea8ac612072e6f585e447e517eaf581565587f15b1f09b4a86e34dd2a

SHA512
3d5e843b60e6aff57c4b8a903a4e1725a0ad1e3b3565c341758f48b1ad77dc97e260dad21489a5a8482916aaa646d07cc1f0517c0b19c143a679fd1d21132a3b

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
512KB

MD5
a9fd95f4b6af82fffa02f45117a06d25

SHA1
f805efc3a17c33ee24aa3b33c5dba5d21385758f

SHA256
ee5d83ab0d0dad160ee53e206dd9b777e906a2026fff36e41be23e1f9750a6dc

SHA512
db1322c126cafdeecb94c0a003e477dede75166a56ed01903dc184ae836687b6ef447870e2eb3076812d6e576158e65fbf3a2e9a35e3c06ef2418d2c81d9abc2

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
512KB

MD5
5027dbbcf7d13d409d691956c16d12ac

SHA1
581a948e830cf418073e1ae87c4b6964d4271afc

SHA256
df1ac9d4b3d36b2a7669d29352fe7cac089c6be520353b6793562803dbc58138

SHA512
ae3ef5b98aecb35ccdc35d716a8815b10ed54e470a3fa66aab3988b7ad9294bacb682e26bdac940415ef95ae39e0f6c9e46d2ee4f410c7d94350cd0916641188

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
448KB

MD5
d72c83a7e0efaaaf3a5968399bf3cb75

SHA1
e4caab24b2defaeace43db771520e3f2be353f5b

SHA256
b9296bccd2e4e929288b2b7e05f74be18d743c70d876fe8c4706fe5f5a24c101

SHA512
8545614a47f82399c3568786dfdad44be747af385968d90dbeff76062e1560fbb0217b8a15f6dc784ae642ca558ce7395645e8aff5890a729f4c4a7d32bc5483

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
512KB

MD5
4ac81fc4acec47f621746a1ab3cb9366

SHA1
ccf804f140f96641fdb90a5a597096dce5615eba

SHA256
0a43e2a82175b2d824fb2714c34a1a357e792aa8222b5cbb4b3a55cfe4c2ab1a

SHA512
67d4766d487a2cea2c62c8aeb9ff85dea6b091cae71e23dd1881a526762a29f3aa8ef93b5a0c9bf5eac76b3c8b1c6663b9dde3e4a88f0f75dc4259e72c54fd1f

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
512KB

MD5
e94c5da04feb8dbc9c2256b1c17bdc0f

SHA1
b0e876725085d56508532350f945b6baec39ed06

SHA256
921f7bd5c3397fc75a86dd67e8df43e4f87b91d8332a7d0fa82c2b9077b3eec1

SHA512
1b1edf4c8b7b7d9a6e8a93e852675b8aced60ec1c7dff4d149db6743b67a7e37750efebef8f93dc2b63ae83322796ac2af08315bc7d8ef62ab41b0912dac98af

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
512KB

MD5
c7efa1f46fdc02fc654f32b4a62ce59e

SHA1
c3d563765c4107ecc2c3617bdcda4175ec7704e5

SHA256
8d8784e6c1f240e997db83e594ad74b4e3182bcca733e72902e4c34d72089528

SHA512
468183a6bb4d292030e1e2ce977cc136eded6a6091c4334df4612bd9bbd87fddf69a7eb00447d5568ce068cf8a255237ba0f863f7f5984b21e446b8210dce6ca

Download Submit
C:\Windows\SysWOW64\Fafkecel.exe

Filesize
512KB

MD5
926d93556913bcf85e7baea72819f4f4

SHA1
10935f08ba8376a82ea0e8907f44929dfe106dcd

SHA256
96df9c4964bb677439ec585e467f7d061ed28e588aef942b1914483109d58ac2

SHA512
5e835e63eb579c1834e436ff3a26d52701269ce3851822c460f92f5fec60c04677c80ebfa0d0ab37ce8659976020b1d2a66ec6c6356ebcac27fd0d310fd39274

Download Submit
C:\Windows\SysWOW64\Fakdpb32.exe

Filesize
512KB

MD5
900fb372aa7b6c9af6a175d64a51fbe0

SHA1
cb667a61a73cad3f3b38ead29714a92535958bbc

SHA256
dea7f5990a1f0b3d03784da7af07b0909200dc22d8ffc89cedf84db9605f3447

SHA512
218c3148af87637895f42a090a780111473b7d8b4f7c3ec11ed67afb53cd9d37bc8dfa0cc437ff2d99212a2877288f4a0b85a5ec3c11a4b00284dceb3a90bd78

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
512KB

MD5
f1bff71ae0e712119392b810b5a53157

SHA1
a1134d6f3a708a9d6f5ddb9e9594ba667a6f74d3

SHA256
fee0b10e2a77ed8d570fee840beec857e574df7718c7086877eff316362e0cf5

SHA512
174ef9b24024c636c54570576ec963e8395e78cbc1e140b16b1285e8515dd35530f10ff77e4059becbe26ca11ba33ad86ae3379ae3623eae250200829ad04555

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
512KB

MD5
9614e7c8a956bc3cc80747ebd021bfe1

SHA1
cfea98fefdc52d6211e13c480dccee531defca6d

SHA256
0c3bf66a27e2149e63a225a199a45c706d38dbc2cb8d899ed2c1b7289f42fb8c

SHA512
fb7fd610f8b0c4575c5c3ab2d8989d1fd3a5214203fe8fcb0a47980def787e8e4038f2585de960a8888086a172aa940ea78de9af57ec1d9c1d3d2e9eae94d333

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
512KB

MD5
94ec571aad828c934946d2df7fc8c09a

SHA1
6a279949578050ccfb80efb3535d4a01726e7706

SHA256
d5bfa99a7964e05b0411416fe803a823f6389e64686337d55ac405e662feebe7

SHA512
ec975fcb0129e0154a3fefa0cf167c5fff88010d9caf17fd3a95e35b97b11be0638a089c2cda09c3cfab27e61889f0a4678ed30f2ba167494d3eac62d5bc4ebc

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
512KB

MD5
d29d3e01796c14144d1fd3bf94aa9325

SHA1
bbde20958c6e254f0d7e5ec18cd3fa68a295283e

SHA256
fd77c7345ea840d6bef22848be1844b306db2a7dab2132eab63680ba95431058

SHA512
1ee1c5ea09ad0122cfc75f2873c16ea32dbe3ad2b5aa00a11252e4ebc4b0c86a4a837e44aa1848d391091b36c2e8214e9cac2ccd27af334d0bb2e978d980e9ac

Download Submit
C:\Windows\SysWOW64\Fhcpgmjf.exe

Filesize
512KB

MD5
c87f82b3f8d3fbf1319a0ea7c3c09269

SHA1
cd3c22a9aa7bd2896ce802d6298ee0d6c8cf7015

SHA256
f9ff99232b47dd75ae92e86e8cd75e9ce4e96160753e85a59538166452a68f6e

SHA512
d6bf97bbc5c106d38591dfc22a6ebf200d43b4ae78fb5ef6f9b73260d92b72840e4c6946792a9eabb358b77d851e217efce9355f2020d93c17726fca6dd749a5

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
512KB

MD5
7615a0854e546c5aa4a1232557e11e51

SHA1
fd68e597a5ec637da36a2a5ac051a29106240fd1

SHA256
fb6c1bcd0146a24fc5e75323a58415de5f25bb2cce4283b11a67a051e453bfd4

SHA512
8559d56f233adc9de75ab36230d3edcf2f9bce8f76ac627b7201919988057dde3938403a655a8b85cb3d2debdb421ed34808e1a52d8f3763b9581d5a164c13b5

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
512KB

MD5
34036adca40799fe0b23ca288fceccf7

SHA1
aead30404a635ff78c6b0083d5575c7419e39abe

SHA256
2bd028a22a39fedd51d47c56b8acea419168e1200b2dd789c143afca01bfb76a

SHA512
2942f0e424f287fcf55243f39bb018f146c1d56734fc7f5450a7ba5b75998607db45634cb955eabfc1f7e115821924412482a9a13a64a5a0e51ac713f3ba919d

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
512KB

MD5
efee8dca7a4c57b923978148014aaf8d

SHA1
f73e7bd43e38e6afc47bbf0195928ed9ba640e97

SHA256
8648091f6a2a017e764763b0ed140f4639935c101404ea1d422203aa49499644

SHA512
6677715826d2dfff5c1ba0affeb9bcc2fc5f8f5ce35494e450af415ac849469962a917083e64617e222a5a5ec639bc11a5a055bb8aa7f97e9e854b1a269f95f7

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
512KB

MD5
1ca1b978e309f663a605c42c780d4609

SHA1
47664dac341cc182c2d919751c5e8c9e7b337961

SHA256
ea041a587ccd86c3d4b69666c2f2101f8da1e5dc45c1ea075123286aacfd8d01

SHA512
913cec3d789aa0732df53e795d4fd6f11f5b4c93396b1e50ec4404eefe9e6020f1436bfd6bb5fed46a166808b8b6396b0247b11249f50eb81c8f3c884dcf7bb0

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
512KB

MD5
8289263cf15002d4d9d2f21e2849d507

SHA1
378079c2ace8d3ef7f8bcc90ef808d749bbb7a5d

SHA256
c672373af44c603f8de8cdc7159e5286beb0254b2b87e8e9c4844d49c12eca38

SHA512
3913a2a2c3c64889e6374978313c7df6810ea2e8e481ded88e871ffafe3e5f2f21b9c2455c73ad64500a7a6622375445fa8b6b2059a365792671ee0c0dac1ee9

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
512KB

MD5
e186d9fa3c05ef0060bed4ea0c61c3ed

SHA1
0c5697a6eaf9922ef3d981143e4856996bbe1319

SHA256
7d1a2045e9b71ed2f6c93791c19e116a7e195f674c2249fd01c8e6ef83b334e1

SHA512
900c3d232bee1e57e521cf6c17138ff90c5907e674de116114dedfe59a1591a88d5e24dd1276eb04e9bde46790b0f48a195d59e305a063bfbbedecfe59731d86

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
512KB

MD5
231341b406e7a129637d56df19510570

SHA1
400d081f0814af49156ee9471cb2d7740505844a

SHA256
5d4bac7c791c78a5b357ce7f41bb9483803a2b3124faabd2dee41320e6de2bb7

SHA512
405ee46e47b9754135739624b7c730f6dccf710683f4ba0cdb0a17244338c546bb82528d7a0e14324c0a9d1586793b16c3c08ac3d826e65cc7c31b032784f348

Download Submit
C:\Windows\SysWOW64\Gicinj32.exe

Filesize
512KB

MD5
029c0330dae21c9f487a8ca2d354ab76

SHA1
dfbbf7979eb1eebe7f8e01ce46b0aa58d2b731ac

SHA256
99301b8afbf42e58a33b06defcb05404b98560de19a6b4c7af74d51000bbc327

SHA512
cc89e0d3437b1ab238591a3c58530be46302ebcc5beff2208c13a2679bea41f15bb567b8821d171155a04fae7a05419924d4909a23e7e8ae3c5993806dd9981c

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
512KB

MD5
e16506e9485a2127e81ed319179e9cbd

SHA1
a57bd647d5b4ced8b223812286980992f768aa24

SHA256
956252bb0418174abca2919948784d84e79e44d8fcf0ce54bbefe40fb9b5d0cd

SHA512
88fc4cb292ac084e8e074f41945b0f5057439080211d11869cd0360fd6756e5ba915f5e7b58ef144692858f026be46b4be39ef7d48f11fe8faf1d048a1832379

Download Submit
C:\Windows\SysWOW64\Gkhbdg32.exe

Filesize
512KB

MD5
95ff99c649181b79f1e4c04d3b343fd1

SHA1
57daea74be772a90ca0b17b7344868286118e5ad

SHA256
c34abd9a4295f8c1480d1a84c4e4e481357b49874b8fb28a9f75872137a032b3

SHA512
0a1619941fb9d79592e5ae044ccd3ef40040adbf686a840aef12e52100f3310ee7d5ba9c2cac44553211a8f465f1ceeb37b6d42f1f784de16fbf08dfb8451cc7

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
512KB

MD5
5c39f644e5aa9890dc14e9a25fcfa044

SHA1
1d00423fd0d363f111cdd67594a4823368fe21f2

SHA256
c710ddaaa8a2af09b605fa557b0cb3fdc25930c94cebc52ee51b8fba1dd750f3

SHA512
10bd83eda6f427c731143ebc673084f801d19bfb4c65e7e99ebe3e3b41f6b925f90ec9ce3cec55d4964f053c809fbbe67238179d014bd74bc5ea5e3c3643851b

Download Submit
C:\Windows\SysWOW64\Gofkje32.exe

Filesize
512KB

MD5
8daf32582c4db74bae418b8fd9a08ae0

SHA1
779cd1c21b77ea2e3b7d5115fd6f6b3719255397

SHA256
0599cad979044c9d81c3642cf890cd55e0cbc2812ce26e0eeedb74d7997c5dda

SHA512
fbabf0b2934cdcf365326deac7eeb4248aac7406a460265dbf487667e1a6ccb4ef3ff44cd6f3c45d0358148a323565adbf9b5aeb443d764fa7603449f42808ed

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
512KB

MD5
32334455d51c053b76ac0a9ce641c642

SHA1
f8118ed0b494dea7f943730ef3816f9891d36505

SHA256
17fd384c7d8aecec1d3a7ab575e6c407b649fb5689435305a79cfd2fad36ecaf

SHA512
5f58a74954bc127b87fc63b440f03cf399dce442cb3388ec1109286f810934de941c94044cd2ddbeda485f09941ea4f13553b0c861014cda6050f4b4af2a2715

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
512KB

MD5
79d566173f78ebb7a81264b12e12ea34

SHA1
cb706822acc003540950a5b1cc053131c0653649

SHA256
abc828d74cf61e92b550af282ef4a49d7586d9bfcbcdcc5af611f41136f9e77b

SHA512
1e8fb3efa4822b7de4da91dba5cef9767eee5157c99939fdf4f6aa12fe800ada48080503a9dd48fc2fdd954bb0d10af14e7dd5deb34751366b2cdd7981359cc6

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
512KB

MD5
9d80e3eaa586fbd9330fc739b1d0c29f

SHA1
996945c775f13a0459ef46c604845ebfbf6d7639

SHA256
5d4f6da129d89905c5545c68b95f7a424f646dcd7061f2b9a814b1b181e3337c

SHA512
aa3a6653427d8949d7396e27c5c6cbbc63528e83e381c870f2375256f214dc9697ff348e568e5322a8f053348c278e55a79c3fe8cf9e05c8dd957cd8f2a950b8

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
512KB

MD5
a0763c67b7c895c389c8d02bee7f9a14

SHA1
6b98939963171d689e8f80ab6b60257ab9b40cfe

SHA256
68bdbf9c238dcacd6d8a2f4ef98d85457356842c52fc26c5112ff1851eaaadfb

SHA512
5996fe8ef62d920a960178cf20c6a6218f79d4b63e7f7d7b060fd6065af1c0ace5daf5b3b2b0a37cf078dc9cd6cdb1ff4bda31f4d29693c3ab2420e767510d00

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
512KB

MD5
9e5bf758ccd50ddf60f254ce7ac1797c

SHA1
2272ca838b647780890958cc983aef2f7586f348

SHA256
d60cf438f3c6235278d1b8159080db997c4bd598f5d757803a83bca34c288c61

SHA512
11284c1ac50cb7308a9e12770026fa3d764a436fbd087e479f9973199ae0d089119a02190becfa8d43dc88f4d0c10f450f3745c7988f17f626626baeef5244a6

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
512KB

MD5
16f6975217972ac38f99c3cf1d0a7ac7

SHA1
7520d61b375ac6b0308825f40e8961e98b5be533

SHA256
2c33d46a4892d5f9c70c00c8e9c582ae3c7c639a280e7b85924da145aa43932c

SHA512
35a4ab09b37125dea805e3318be55187fa4e5b0d7f6a08a99cad84c6828ecb0d14e480d1f9a71b4967b0e66eb933f790ddc26244e4b6143fc22b21650ef1896b

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
512KB

MD5
3613e4a757622493b007252665355c6d

SHA1
f9793b0ee101f939d7c8addc084fd9ef7e86a0f1

SHA256
394cd499e74b3785b44bff553a5e4bd0aa78a1b5a2f9d3ffcca6d5a0ae44d2f8

SHA512
ea5a7b30918bf71eed44a72b2906f005ce7090e6804603d5e6da31745ceb71a136b35324b8cf53685d56c315ec2360056a9ff5a1e7dbe946d819de315b66c48f

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
512KB

MD5
f8de18523d94d513417a3f058d30137c

SHA1
e6d07148e41292279b0cee9eefa7b6038b4c1c66

SHA256
fabad79e96de78175f1369e0056b6747e3f3559c19d49a9790b8f34c4cb105d4

SHA512
40b6c7c3c179dfb730ea960e04855bd270e0ace44e931867644fedf0bbf444d3420601f459c082642d875caafc6b9b6aab491eaf4997c6d51745a30535cc8401

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
512KB

MD5
836c88c63e7cbeca9c9fa098f0d49fa5

SHA1
3e6849f7fa75837fc134867a2aee8d29b5e66613

SHA256
23f38d29cbd99ae2ecca7d94aeb540a73753ebd7fb55d71040b5b5bbe27b6281

SHA512
19db6dd657dfdbb6facb40ad106aa25cdc7170fed71475a62fd37f3a985090fc66a16be3069d88546e147b1f246d24aa755601315308033fd17764c5c879a5d0

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
512KB

MD5
f64a65cd4415d9ca3c5c3fd74e768319

SHA1
f43d74e86e233517d2fd68c06cf9c76889590bdb

SHA256
d8d64293ccacfac9b82c3015c1c55c19335682cc888dd6faba58e6a708bda676

SHA512
1cd9d10e2764f920c90587d4cc63d0742b6223362ea9e2b9ec2ae71192871f95c42397b1d1670cded5b2e48b7d9287193955b3dcda25dcd027feb6c8b003c931

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
512KB

MD5
1c2102b04eb309056b12c97e84501f78

SHA1
b6551be161ceb7536b18e05ae965f5667b7b1e1f

SHA256
dae5797ec0b9ce742e4792117669c1b5ddf2d7a6e4d13aabee9076f01946311d

SHA512
156d5edf735d26086b7b9a2aa6c8e5cf6010657f212082cf80a11689826e59bb3e84ef83d9081d66228a89e8e7c0b33f0be89e81a25d9a943d80e41701075c07

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
512KB

MD5
7600204d1b4f3109644e51c512901372

SHA1
2acd79c9b00b681944d65dd5cbdeb2d3cb7738bc

SHA256
226f8463c43f9c1a3d6cde54a6b3de8454b54fd6de62e156f83f84871c455883

SHA512
2946ff32f3c483a3f52bd1247ddebab1175c98e68d8609459570c603066cf9a423528988f348d80dea35857f70367ad9d1a38f9b9c6dcfe75dc607d37065ea0b

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
512KB

MD5
214073364e090d6f65e8334b0a6dc380

SHA1
2ca88a0a0f63624e200e1f82b686fd7bfa04a836

SHA256
1fa18adce2523d5750cd67b835c0c621b4f2f05a7e6c9b46220793cc584156d1

SHA512
f7616871396a669b07374df47744a013c5c6ba47f8609f08d688f72bf1938afcdc16ae021df65f1a7d942e0d1f641a0d1058800e7097e9b4c6446612b894637c

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
512KB

MD5
29476cb8ead65f2ebb91ef0e1da2f42e

SHA1
00d891b649c87ccc7da2492dd1a2023f9ede4890

SHA256
b1c38a3f320947181a01d327e2ba632f4f43e8b3cd7710ff491f8b660e46d58e

SHA512
75a00989664a883ee4e068b03245adf640f3812dad0ba04a5060ce56689d1df84e5a5927524c543520de7510a7d505f1efaf1c5d660caff87f2e6f51fa8c80a6

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
512KB

MD5
c8be58aabd51970d25f5aca88ea82c04

SHA1
c6b63df2c90b5534ed5c50f34173648e8dae6f91

SHA256
bebec5086c780641b1165e903bc37a71c32ffc092a08d11e1af06aebde623745

SHA512
65fca464668af0500f6e2bd0de5d38f22efff7e5958845e82ec8f760b1e2799f2e7d40c6b14622182a6a6f1981053679044b5b50f8a9310e725bbabe60c32e03

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
512KB

MD5
ff764e50f2e722116a03f0c22904a4b6

SHA1
c11527a40440705c66aafb1f51ef5cc2f5e3ba1c

SHA256
4968c23ad5cca724bc9cba149ac19e28c606570bab9dc6a84727d6e52fc112da

SHA512
d688393661f30e54efdd25979be5bffd4faea78f6f3f917e27328b58583f88006367c02a3facadee7c57b110c5484655dd184432d785fb9267975b55d394a635

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
512KB

MD5
d65c702a473f7c3dbaaee4f5937bf1c9

SHA1
fcae22666ff48f02d5f79be8648ab5e7953a92e8

SHA256
3c697e189951cfffd3da7154fb66a333e9530261d99277fdf379f72d8f61b2dc

SHA512
b99905212520fc57ae47471aa4b8f4ab588712853e513adc50f2d72bd4f23b2eba9745b591775712f2d013e9fb3351625aa187d42b4886d06ee256bf2e8880d3

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
512KB

MD5
de4602c803c58fc3a51c9a2c98143bd7

SHA1
e5f59ece91b5bc1f3652ad4d2475a31474e46632

SHA256
4d983d9f245c798657a3c4e7a781641cce44c173e9609bea07dde91454a96dc0

SHA512
b880bc81a942a6fd9e13b0fd972bcc211cf209fb922fb68367567682d7c3ad8b6934b8eec11101b0353c0dab76f0307ecf9da98ac2b79b9a1bc71d8eaa388fd4

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
512KB

MD5
93f334da2f7e8b7766a6eb124fe24065

SHA1
44b3af4ffa4ca3bbe25520d2eb5b714e12bf9a20

SHA256
4d754cc1fc2f9cf6857f7595e5df828da2b1558fa6baf8759d7958326ebcc84b

SHA512
a61ace18f1b872befc3d2a03168337475b0f58905d91c860af68bd1e590cb081284e442505b93d8529495bc5f8452566e0c5f1ef8fcd89c6a04d172a2ae08351

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
512KB

MD5
afb1d496835ec68fc8b739615708c3c9

SHA1
8305f4d38f63615b4e817aa4c82e06d7a4fcf489

SHA256
7b62b7e0690bee48d472485996f4553df86e6388d4ed1867ab685b6826133dda

SHA512
bb4ba8e54435644b6234380e583bd2799dbc43cfd9287221bdaf23b8160fd491576fd2ef14e06434bc6291417ee0e3c799b10626d94ac6c6ea9f3d5200314cd6

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
512KB

MD5
083940239abbaa0fd9be6394f492718c

SHA1
85a67cd8ad71d3c66633138343f8f256cffaae0d

SHA256
a9a95063dd8b6b162e70eaee47941fa48d322bee146c700d3b9f62df8e73aa97

SHA512
cf2c4dbb5342baf8325f8e5764cff2c751563eb52062419479756b30f11ea4c4f9fa43d23ff7d5107be578554bb6aa6995dddd80128c691659f237c98ab00269

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
512KB

MD5
4b053693c588164f89c08d04011ccf25

SHA1
40191a84e1ede157febac27e86223c25dbb9008b

SHA256
6d0970935fa17bf7ad8fb8222d37a107927f23a384b79532d821a9db4dd719c0

SHA512
bc88187044fa1e58d821233219cf7a4f9b1605fa08454cc5ef7413190dcecb0ba07caec9a8bdee22aba976e306222921daca4a3b9a014bd355eca43809a5f695

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
512KB

MD5
221b28897fe3fe36c24d7340b54459da

SHA1
cdbd77589a293f8a24505c8d8e09c760c795df57

SHA256
245d6071aba1eba1bc7c307f111692d92e8e1222a0b46a00bf9daefadd3bbf81

SHA512
5985dfbdeb446c668b9970328d97d9d204998eefd3c496ed126ffc685a7216bb5cf48ee3073d6a3e9cbbe1d97bdafdf0bc4eb082daa624bd7117c1b7c40a3173

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
512KB

MD5
d138cec9016a4d1a1a5a8e00acb8d3df

SHA1
8b47616b2cc1fcd98328608b72e462a16fe2002b

SHA256
9da43325fb5885de949562ee3cb60ece0c1b90740ad52060b51f971943737d95

SHA512
a9c31cd292fe896e4d5ee4b82f70c8e4ae8467d25ed2a46822d78c6c99a24074cbd33b38b4ff8fda49f1bb0fa936cfd3b0b2661feb86f11bca3278d30c1a4b5f

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
512KB

MD5
7ddab85a9313839d398a356e8d087c69

SHA1
bd7be329ac164dcc7ba64b5c3d663a2705b5a404

SHA256
8df16ea08cef82b5c1a583b1636f71c24c937324b4e7644488f150e1e9b1a5e7

SHA512
961f269f7e6a66979d0920324253c588de801347f15148c994679e9a026c475be67547175d6d079e32dd61b9d7ab3fc738490ecb987942d063f23585c31ff0e9

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
512KB

MD5
79d63178e2fd9000f5df1f6805cc66b5

SHA1
0ade3215c74d4efcf1e5078cce1ce9c1e07ab1e2

SHA256
5955f621483c9ce991879acbed5dc2441e749c57007a35bb35f4fc3ee4934b93

SHA512
47866e7580dfec387542cbf8c254511902d42b20e2d1540e5f683c2750bf412ce96dac8d4c2b7d2b445cdd3692b9ac7794168c27b91341a528ddd2bf5c92605c

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
512KB

MD5
c7b676c1bd53515b34d02e2a5e2b1695

SHA1
e83af8c7b4e7581986c0adcfdc820112228d1ff4

SHA256
920a2a734b05f9d65ef77187909b9230c857156924d6227afe5bdd38557827ea

SHA512
a4fe7cdcd2f2df1cec62b2f2bb02511c1a2531d82c49c8adc169a5f34f1d52ed9a5cbf038fe5e076e8891701fd6f0d7e503c2339410177cb55c0a81a1933598a

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
512KB

MD5
ddb39fd308aee7ded956feaeb8624685

SHA1
3b44c22859f6711a5d782c6990ab05d4a41b555b

SHA256
018cb289cd3b4d1828e8baf194436d5546e400f8b365d1636ab289faada2a786

SHA512
d66308048c3247344efb7f2a655e63b878d221ca2dbb1477b4108770df993689570ab3def7e604de1dc95325d976ad3ad95f0d0724ae77094d36bd67164f3fe7

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
512KB

MD5
8a3c91686ba0df4a95042186a1b17c06

SHA1
0ecdf5b70bb7d2948a74288eeec344c60209aba6

SHA256
aafd78975a4d04be35931465aac2e56c68e5b5fb97309fdb5234d8312ae9e7c8

SHA512
c6563c3d8d0114bbe99353fc2f0d96754b2e82d0f2b556c81ff6671e49f3bbf48e7c1242813adf20818ce02fa75c579a2afa53a0ffb4831dac1b20cf6f7945bd

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
512KB

MD5
5a230a457d1d8c8e2b704f02c16f672d

SHA1
5da6e467286b42bf1df1258eb6b33a342331e5d5

SHA256
ac9310b860c5af106192ce43a7bf0618db39070f026a093454a3bdccc3c6d3f1

SHA512
22a8fd88f553385317c85b1feffada0d4f8a1a52e28e64a760b3079d5cb045902efd58aaa209adb218967cc4b64594def3282d68d8957defba4d9bb1c86a78a7

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
512KB

MD5
a9490c0b2c005fab14a8ed744cd5d4c6

SHA1
6ed7e7c13f75acec2fa4846094272adcf370f0cb

SHA256
31ceeed058638cc6b6ab47e349f63daabc633849b5fcf591ec59075047737bac

SHA512
565d7f5d987914891b28f0ad0cc875513945623679c289252e0aabfb3e7658f80fd89b8efc150a09e812fc5fcb6a029626ac908533fbeac27453ab6589112e3f

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
128KB

MD5
c09de07c5a2c39f1d0985dfade0dc40f

SHA1
c22601d10e923535868c3995425f3a246dabb446

SHA256
523df3ba13849174ae76440b98cc5ec075367bb8ca464e74539a84fa29c29ba0

SHA512
932fb991087ed92e5e53db7481924ef3e4fc720d334a9869a0853c05daf6366a60cc259a660815a885ea09011b63668156236292751f9a3b502438aae1857022

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
512KB

MD5
1f4f1e0280c048a4e3e1fccef565d352

SHA1
345aba2db0019ea92907ff1b3be3d100a7085851

SHA256
86f10c9802939e59d5ffe904186004c41065b5c33b32822117088b0df6ad47db

SHA512
f0eb2cc6d0d577366855c01bc2cff4f72b3f9a70d256305924e637085309a85a369f2dfab112f89b84380fbdfb4e44ec91c8289e8a469d8d2df289ee328138d3

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
512KB

MD5
50994e756100283c80292a1a8499b96d

SHA1
e833421cd23c87b10c437255da61026e18ca31e8

SHA256
27707cf47d09e7e2a23022b903dbb2c1d0d7610e6ac2052e62a930f163d2ec74

SHA512
447b2b869e6ac3e3e937c3d4bc089f8564419b6a77134e4a28e5c0513caac85934627cb873661c959e701ad6c18a2ff967cb208502fba7eb6c57eca2d45acc32

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
512KB

MD5
46666c6ac1e62bff1d5de853b794c80a

SHA1
6e470651ce84912cffef1d21c6256b084267dca3

SHA256
ab3a7d2fb7200579d86266044bbac26c714658632a3a5bac9c2046fa605c4c5a

SHA512
d6a3c970b597bf75ac4bc95ab3a69bf321ed79f57cabfa90622d7042462c032e91786710aa3604c8cf3dcd3ebcc8532edee8bebf154a46c344655d087d95a806

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
512KB

MD5
a1d97c6d45ba49f398fff23fd37a6776

SHA1
9742f5f7f989db20701928304ff25f5c2605cd57

SHA256
3a2a48a2bd354a798241c54ae74b3e9e3b7c618821e873c6a34940efcfd98a19

SHA512
d2e9d5671cf5b7a710ae5f60624bc845bf67447eb9e7f721928c1f50f85585be26fa69b8260828111b82c7d711b35c59f6bc734cd3f0736bcae06ac44da6be1f

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
512KB

MD5
24a47228d07c8ccf84bc42a877f9c304

SHA1
b1907ecc57386f739d72d88f8aa1ffb1ca67feb4

SHA256
dda099e824da8d33a2d1543c92aaff9ef7f3c294f9da57970b88d5197ab3ffde

SHA512
c670e5f10d37d9f134031856d2efd0c462cb03800390d8d0229bfcff65db24e9ee48480e1525e66b9fbf37d1c26f5858ea07aafd5064b31d05e3bf8d3f3e9c26

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
512KB

MD5
86c48b3a0b88d80316fab7d9a825f6dd

SHA1
bdc8a05bf7bda157d176054b61706ea9cb0ec9d3

SHA256
775a7dd61678f01ea3a2ec1f5368739f618966a73ec45cd58ca51d62974a4f76

SHA512
1ebd683a5ff65853d97313115a78d5faab18b12ca61d19368417b7b944d63c8be3b85b2d50016213ab25f3af33cf59b83344d9988e7095bc2941a70eb1a1b1c1

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
512KB

MD5
3831588866c031bdfc10808a5217cd80

SHA1
d96a26cef6a5f932b2ce8b11989acdf018d10c2e

SHA256
e998f8183fa94391022cb97208677013eca6eb03346014fdf92760bc9644cba9

SHA512
54f2823ca0c7a5f250eaae98f6803b49615dd6dd1b164dd5f4cfb25036c188c3cc6979c423921b238f23fb93aebe3171f7a02f41156c440dfbfd198393d4bc09

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
512KB

MD5
db0198eb6d85dcf5c1b637f51828ff91

SHA1
827455f761c8544b33de9f7d2d093e817e38c8a6

SHA256
39a02d29c2e2d04b7e8ced05ab84ca2f177f024b12dab7c71a87a63518dff75a

SHA512
d4885e10e58eaeedcd7eabd968a4cf72154ce1aac62c50d771d9437a425286def4a0268e9a2db3bd62f0888194c10da6a8d56c5f539622134a76dde42d9b3c01

Download Submit
memory/372-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/432-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3296-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3656-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3804-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3908-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3948-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-591-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4224-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4304-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5160-1417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5368-1433-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5824-1410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5976-1428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6848-1367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads