berbew | 49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a.exe
Size

64KB
MD5

b915748bcc64a47fd28e11c706d2936f
SHA1

7f0425f2cd1603760214cd57ba3790c15decf2bf
SHA256

49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a
SHA512

708e68be55b5f6767ff497413da0b8472d873955a6c41995f9ffc65bab1378596342e1b410c48006d89f1a04be41190297ae00c1a239d638db2611c86b2a3a38
SSDEEP

1536:OSL9RuPhOvmjdtjTtLlAEBhWboYg74e4Z:OSLKJOatjTtxAEjWboy

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejopl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kflide32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilcldb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjgaoqm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfglfdkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddligq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feoodn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chglab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efblbbqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akglloai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcoaglhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkaobnio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmohno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fneggdhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndeii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpjlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjjbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emhkdmlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckqbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoclopne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnnjmbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jljbeali.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndeii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doaneiop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpcapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnbakghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imiehfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemqih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmafajfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomqcjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpcapp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llmhaold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkgje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgifbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnegbp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4564	Akqfkp32.exe
4540	Aajohjon.exe
1980	Ahdged32.exe
544	Anaomkdb.exe
4456	Adkgje32.exe
3096	Akepfpcl.exe
4000	Aaohcj32.exe
2884	Aekddhcb.exe
4252	Ahippdbe.exe
4824	Akglloai.exe
3444	Bemqih32.exe
3456	Blgifbil.exe
2692	Bnhenj32.exe
2444	Bdbnjdfg.exe
1724	Bklfgo32.exe
2072	Bohbhmfm.exe
2368	Bafndi32.exe
2508	Bojomm32.exe
1788	Bahkih32.exe
2424	Bdgged32.exe
3620	Bkaobnio.exe
2112	Bakgoh32.exe
1956	Bdickcpo.exe
3056	Blqllqqa.exe
1580	Coohhlpe.exe
2084	Chglab32.exe
2940	Clchbqoo.exe
1456	Coadnlnb.exe
4080	Cndeii32.exe
1652	Cfkmkf32.exe
720	Cleegp32.exe
4996	Cnfaohbj.exe
1600	Cbbnpg32.exe
3676	Cdpjlb32.exe
1756	Ckjbhmad.exe
4356	Cnindhpg.exe
4568	Cdbfab32.exe
4692	Cohkokgj.exe
2228	Cfbcke32.exe
552	Dmlkhofd.exe
3568	Dnmhpg32.exe
3012	Dmohno32.exe
4316	Domdjj32.exe
3284	Dfglfdkb.exe
4676	Dheibpje.exe
4964	Dnbakghm.exe
3796	Ddligq32.exe
4592	Dkfadkgf.exe
1044	Doaneiop.exe
4372	Dflfac32.exe
2540	Dodjjimm.exe
1720	Dfnbgc32.exe
1692	Emhkdmlg.exe
4072	Eoideh32.exe
3384	Efblbbqd.exe
4808	Eiahnnph.exe
372	Ekodjiol.exe
2808	Eehicoel.exe
3484	Enpmld32.exe
2800	Enbjad32.exe
1120	Ebnfbcbc.exe
2192	Fihnomjp.exe
1872	Fneggdhg.exe
4840	Feoodn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jenmcggo.exe	Jcoaglhk.exe
File created	C:\Windows\SysWOW64\Dkfadkgf.exe	Ddligq32.exe
File created	C:\Windows\SysWOW64\Chflphjh.dll	Iomoenej.exe
File created	C:\Windows\SysWOW64\Jnlkedai.exe	Jokkgl32.exe
File created	C:\Windows\SysWOW64\Mqafhl32.exe	Lncjlq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Bdickcpo.exe	Bakgoh32.exe
File created	C:\Windows\SysWOW64\Coohhlpe.exe	Blqllqqa.exe
File created	C:\Windows\SysWOW64\Fimgpahk.dll	Dnmhpg32.exe
File created	C:\Windows\SysWOW64\Jdblhj32.dll	Fngcmcfe.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Pjmjdm32.exe
File created	C:\Windows\SysWOW64\Bakgoh32.exe	Bkaobnio.exe
File opened for modification	C:\Windows\SysWOW64\Coadnlnb.exe	Clchbqoo.exe
File created	C:\Windows\SysWOW64\Cohkokgj.exe	Cdbfab32.exe
File opened for modification	C:\Windows\SysWOW64\Hfaajnfb.exe	Gpgind32.exe
File created	C:\Windows\SysWOW64\Lpfgmnfp.exe	Kgnbdh32.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Mbibld32.dll	Ckjbhmad.exe
File created	C:\Windows\SysWOW64\Ddligq32.exe	Dnbakghm.exe
File opened for modification	C:\Windows\SysWOW64\Eehicoel.exe	Ekodjiol.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Eiahnnph.exe	Efblbbqd.exe
File created	C:\Windows\SysWOW64\Dddjmo32.dll	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckgohf32.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Dicdcemd.dll	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Ombcji32.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Dgmchiim.dll	Gpnfge32.exe
File created	C:\Windows\SysWOW64\Afakoidm.dll	Ickglm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfgmnfp.exe	Kgnbdh32.exe
File created	C:\Windows\SysWOW64\Jmbhoeid.exe	Jekqmhia.exe
File created	C:\Windows\SysWOW64\Mnegbp32.exe	Mqafhl32.exe
File created	C:\Windows\SysWOW64\Ifolcq32.dll	Mqafhl32.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Bafndi32.exe	Bohbhmfm.exe
File opened for modification	C:\Windows\SysWOW64\Bakgoh32.exe	Bkaobnio.exe
File opened for modification	C:\Windows\SysWOW64\Emhkdmlg.exe	Dfnbgc32.exe
File created	C:\Windows\SysWOW64\Lcdciiec.exe	Lpfgmnfp.exe
File created	C:\Windows\SysWOW64\Qmgelf32.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Cacckp32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Dejncidp.dll	Dflfac32.exe
File opened for modification	C:\Windows\SysWOW64\Imnocf32.exe	Iomoenej.exe
File created	C:\Windows\SysWOW64\Kncaec32.exe	Kflide32.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Mjfmcmai.dll	Cohkokgj.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Kodnmkap.exe	Kncaec32.exe
File opened for modification	C:\Windows\SysWOW64\Njmqnobn.exe	Npgmpf32.exe
File opened for modification	C:\Windows\SysWOW64\Bahkih32.exe	Bojomm32.exe
File created	C:\Windows\SysWOW64\Iidphgcn.exe	Ieidhh32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjgaoqm.exe	Jnlkedai.exe
File created	C:\Windows\SysWOW64\Ahdged32.exe	Aajohjon.exe
File created	C:\Windows\SysWOW64\Gfodeohd.exe	Gbalopbn.exe
File opened for modification	C:\Windows\SysWOW64\Llodgnja.exe	Lnldla32.exe
File created	C:\Windows\SysWOW64\Imnocf32.exe	Iomoenej.exe
File opened for modification	C:\Windows\SysWOW64\Ickglm32.exe	Ilqoobdd.exe
File created	C:\Windows\SysWOW64\Gbfnjgdn.dll	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Clchbqoo.exe	Chglab32.exe
File created	C:\Windows\SysWOW64\Cndeii32.exe	Coadnlnb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7220	7060	WerFault.exe	307

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbelcblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnnjmbpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoclopne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llmhaold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbfab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjaabq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnegbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efblbbqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmpcbhji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbcke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmojkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lncjlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkfadkgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilqoobdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kodnmkap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgnbdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfqlfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhmnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhenj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ickglm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aekddhcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopfpgip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npepkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pccahbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monjjgkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmhpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feoodn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngjkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hemdlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kflide32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjjbjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnbgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbbnpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmafajfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahippdbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgifbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enpmld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdgged32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enbjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebnfbcbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kncaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahkih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiahnnph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbjcljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmjdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnbakghm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gejopl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnldla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdged32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bohbhmfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doaneiop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmojkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll"	Flmqlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iomoenej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jljbeali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbbnpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdbnjdfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdgged32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnfge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilqoobdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahippdbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll"	Bkaobnio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cohkokgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmchiim.dll"	Gpnfge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmafajfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbhoeid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejncidp.dll"	Dflfac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knqepc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imiehfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohgljdl.dll"	Kodnmkap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gncchb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll"	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difebl32.dll"	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pffgom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklfgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imkbnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbhoeid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndeii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcpchlo.dll"	Iidphgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadhip32.dll"	Cleegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcplf32.dll"	Domdjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnadil32.dll"	Efblbbqd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4564	1388	49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a.exe	83
PID 1388 wrote to memory of 4564	1388	49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a.exe	83
PID 1388 wrote to memory of 4564	1388	49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a.exe	83
PID 4564 wrote to memory of 4540	4564	Akqfkp32.exe	84
PID 4564 wrote to memory of 4540	4564	Akqfkp32.exe	84
PID 4564 wrote to memory of 4540	4564	Akqfkp32.exe	84
PID 4540 wrote to memory of 1980	4540	Aajohjon.exe	85
PID 4540 wrote to memory of 1980	4540	Aajohjon.exe	85
PID 4540 wrote to memory of 1980	4540	Aajohjon.exe	85
PID 1980 wrote to memory of 544	1980	Ahdged32.exe	86
PID 1980 wrote to memory of 544	1980	Ahdged32.exe	86
PID 1980 wrote to memory of 544	1980	Ahdged32.exe	86
PID 544 wrote to memory of 4456	544	Anaomkdb.exe	87
PID 544 wrote to memory of 4456	544	Anaomkdb.exe	87
PID 544 wrote to memory of 4456	544	Anaomkdb.exe	87
PID 4456 wrote to memory of 3096	4456	Adkgje32.exe	88
PID 4456 wrote to memory of 3096	4456	Adkgje32.exe	88
PID 4456 wrote to memory of 3096	4456	Adkgje32.exe	88
PID 3096 wrote to memory of 4000	3096	Akepfpcl.exe	89
PID 3096 wrote to memory of 4000	3096	Akepfpcl.exe	89
PID 3096 wrote to memory of 4000	3096	Akepfpcl.exe	89
PID 4000 wrote to memory of 2884	4000	Aaohcj32.exe	90
PID 4000 wrote to memory of 2884	4000	Aaohcj32.exe	90
PID 4000 wrote to memory of 2884	4000	Aaohcj32.exe	90
PID 2884 wrote to memory of 4252	2884	Aekddhcb.exe	91
PID 2884 wrote to memory of 4252	2884	Aekddhcb.exe	91
PID 2884 wrote to memory of 4252	2884	Aekddhcb.exe	91
PID 4252 wrote to memory of 4824	4252	Ahippdbe.exe	92
PID 4252 wrote to memory of 4824	4252	Ahippdbe.exe	92
PID 4252 wrote to memory of 4824	4252	Ahippdbe.exe	92
PID 4824 wrote to memory of 3444	4824	Akglloai.exe	93
PID 4824 wrote to memory of 3444	4824	Akglloai.exe	93
PID 4824 wrote to memory of 3444	4824	Akglloai.exe	93
PID 3444 wrote to memory of 3456	3444	Bemqih32.exe	94
PID 3444 wrote to memory of 3456	3444	Bemqih32.exe	94
PID 3444 wrote to memory of 3456	3444	Bemqih32.exe	94
PID 3456 wrote to memory of 2692	3456	Blgifbil.exe	95
PID 3456 wrote to memory of 2692	3456	Blgifbil.exe	95
PID 3456 wrote to memory of 2692	3456	Blgifbil.exe	95
PID 2692 wrote to memory of 2444	2692	Bnhenj32.exe	96
PID 2692 wrote to memory of 2444	2692	Bnhenj32.exe	96
PID 2692 wrote to memory of 2444	2692	Bnhenj32.exe	96
PID 2444 wrote to memory of 1724	2444	Bdbnjdfg.exe	97
PID 2444 wrote to memory of 1724	2444	Bdbnjdfg.exe	97
PID 2444 wrote to memory of 1724	2444	Bdbnjdfg.exe	97
PID 1724 wrote to memory of 2072	1724	Bklfgo32.exe	98
PID 1724 wrote to memory of 2072	1724	Bklfgo32.exe	98
PID 1724 wrote to memory of 2072	1724	Bklfgo32.exe	98
PID 2072 wrote to memory of 2368	2072	Bohbhmfm.exe	99
PID 2072 wrote to memory of 2368	2072	Bohbhmfm.exe	99
PID 2072 wrote to memory of 2368	2072	Bohbhmfm.exe	99
PID 2368 wrote to memory of 2508	2368	Bafndi32.exe	100
PID 2368 wrote to memory of 2508	2368	Bafndi32.exe	100
PID 2368 wrote to memory of 2508	2368	Bafndi32.exe	100
PID 2508 wrote to memory of 1788	2508	Bojomm32.exe	101
PID 2508 wrote to memory of 1788	2508	Bojomm32.exe	101
PID 2508 wrote to memory of 1788	2508	Bojomm32.exe	101
PID 1788 wrote to memory of 2424	1788	Bahkih32.exe	102
PID 1788 wrote to memory of 2424	1788	Bahkih32.exe	102
PID 1788 wrote to memory of 2424	1788	Bahkih32.exe	102
PID 2424 wrote to memory of 3620	2424	Bdgged32.exe	103
PID 2424 wrote to memory of 3620	2424	Bdgged32.exe	103
PID 2424 wrote to memory of 3620	2424	Bdgged32.exe	103
PID 3620 wrote to memory of 2112	3620	Bkaobnio.exe	104

C:\Users\Admin\AppData\Local\Temp\49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a.exe
"C:\Users\Admin\AppData\Local\Temp\49ce5be667047f5a962f901e071f618b80ef0bcaf95ed74b0d9f1d6b66194d7a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\Akqfkp32.exe
  C:\Windows\system32\Akqfkp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\Aajohjon.exe
    C:\Windows\system32\Aajohjon.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\Ahdged32.exe
      C:\Windows\system32\Ahdged32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Aaohcj32.exe
        
        C:\Windows\system32\Aaohcj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        24⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        26⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        31⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Cnfaohbj.exe
        
        C:\Windows\system32\Cnfaohbj.exe
        33⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Dmlkhofd.exe
        
        C:\Windows\system32\Dmlkhofd.exe
        41⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        46⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3796
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        52⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        55⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        59⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        63⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        66⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        68⤵
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        69⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        75⤵
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        76⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        77⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        78⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        80⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        81⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        82⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        84⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        86⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        88⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        90⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        91⤵
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        93⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        97⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4308
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        99⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        100⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        101⤵
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        102⤵
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        103⤵
        
        PID:836
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        105⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        106⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3016
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        110⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        112⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        113⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        115⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        121⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        123⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        125⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        128⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        131⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        134⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        135⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        136⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        137⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        141⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        144⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        145⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        146⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        151⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        152⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        154⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        156⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        157⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6240
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        161⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        162⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:6420
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        165⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        167⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        170⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        171⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        172⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        176⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        177⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6996
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        178⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        179⤵
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        181⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        182⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        183⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6384
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        185⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:6520
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        187⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        189⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        190⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        191⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6904
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6980
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        193⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:6156
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        196⤵
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        198⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        199⤵
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        200⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        201⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        203⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6296
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        206⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:6764
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        209⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        210⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        212⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        213⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6872
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        214⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        215⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        216⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        217⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        218⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        219⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 400
        220⤵
        Program crash
        
        PID:7220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7060 -ip 7060
1⤵
PID:6204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajohjon.exe

Filesize
64KB

MD5
c5a6bab7f612b2e13d59f888fc51adfe

SHA1
960ef5ec366c0c36db6cfefd603ce7396f1ad241

SHA256
c838fac591b4df5d4fdd5784bd4a4c0632e945c2483b1a56f1e988f64a558c21

SHA512
3dbd5bf5d31dbbde66b28efab9d0b0d06bc58fff202dbec5b2a9969dc1b17c0f3fa3bfdc78bf372bfdef23d289a420cfa1c226d77ce920f983f8ea5c94286b59

Download Submit
C:\Windows\SysWOW64\Aaohcj32.exe

Filesize
64KB

MD5
ac9a5d1d8274f35520aa0c775bebecfd

SHA1
1e4a3f1d2c100f188ec7b8160e3bf2ec6721fca1

SHA256
4993440231dbcdee124a567da6054d87025cbdbd883166a0540291d2764f056f

SHA512
3e140e1549244b3614e7d61df5cfd3b35f26a50f0978f4ce462202bc57fc8202fec7d926726780da3dbe616eb8109deb00eec031863843cccd8ced5d8788af8b

Download Submit
C:\Windows\SysWOW64\Adkgje32.exe

Filesize
64KB

MD5
85ff36b8f54f57bf22a9baee01ead3c8

SHA1
99afa5905c6e3a3166b9edf8ffd572788dd83222

SHA256
bcf18af0be4b0fd0c47f98cba7ef3ce06295c48c2c337fea81517ba52d737453

SHA512
a53a68ac9dd998163263db32f48b550caea41235dfe20a3ee0b8f15c4c4992b34f457f3fa675b191dc4b6522261fbf6edbb3cbdc7bf5c4c96350429fb0664684

Download Submit
C:\Windows\SysWOW64\Aekddhcb.exe

Filesize
64KB

MD5
2a6c9b9f2efa00b310f58be0e060ea5b

SHA1
7dcbc6ebddc78cbe2a8b2a0494a890503afbced1

SHA256
32adcd6d6226c36e4203b776db9e77c420b3417b6612ed82d1e3ba795abee482

SHA512
873d53c101661a260cedb446c5659f9f5aee79e216a797f2668962f210167e86fc3016228e03a42b47d8349e0659b2f446c8747f4acd4d7d3421c7c4246899bd

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
64KB

MD5
3e86770676211a6022aa965c011764ae

SHA1
6e1217f4734c38c2e877510f3bd401e34d7103e9

SHA256
08a908225e5c13919740ef0f4d3a64f4a7c1d4f6abb2165bc687d2826f06ec92

SHA512
2ba6e603f041bd2dfa8e5f8d92a88ba0b8552cb97165f52debe4829e32ff68b5a4f73b723555b59053e2a5f84e4cb811545211d0ed807d59251452f6e3b06685

Download Submit
C:\Windows\SysWOW64\Ahdged32.exe

Filesize
64KB

MD5
e969ed9f61ba09c02e84abe9f4af8931

SHA1
038e2daa74eb5e7f786557da140c78d7b84d1d7d

SHA256
6df74fff856f067bdc5f2e828aaa6d18c9c65062784847a9f6f1f18d47ee3d89

SHA512
afdf7b4e74524e7b1d5d7e0d051325d79d3f2b255db3738e1594e9a953e94b0a406414a15aa0104d06472ef13f56e4f1c4324f7f6b221fd4fe4fa8fd3f8b3edf

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
64KB

MD5
a19142dbe24b3587ac82fac18c423622

SHA1
948788535bbc1f88b1617c5f698812f9b17bc1b8

SHA256
c9122705799945a06dc50a48a3c7abafafad74a61821a0b061984ac9b61edb25

SHA512
a10f031b4bac168bcfece4ac0ba1d21af011d5b827bbdff0759b0691e8eb40bbe3033ed3752ca11cca2d24e7d3a5e55c97ee4033d1fe0b4df4d901e2c999203f

Download Submit
C:\Windows\SysWOW64\Ahippdbe.exe

Filesize
64KB

MD5
f1bbc983ab9a4393aac7ec96783fa982

SHA1
5ae0893896fa2f0bafce6b2cb1a95ac0946b086a

SHA256
3ea901aa5808c390edf8b9bf2bb62a7fb65aceeb66ff2a5ce64b2053a243d39d

SHA512
68d7fea67ef3fa346ad84da96e70c801538485ac95d7582e6d813f4dc671a888fff395ab9cff78825b27d83aa91114bf14b74d94ab531674a5053e4c7cf46c99

Download Submit
C:\Windows\SysWOW64\Akepfpcl.exe

Filesize
64KB

MD5
a6d22ab9a231bab681cde1a1e0466957

SHA1
82102d226a08108697c894ca79c856f9aad215b5

SHA256
eadd286cded8ad2db60371d73b0203b1b6c74b0e529d073570040a95444f6573

SHA512
df86643e5baab9922672ae4cd9fc67e0d89e238df64226c33416c8e4235db5f1f99e01af2c67249b39fb27088c92d007cfcf97e6690a86aece133aa25a1231ea

Download Submit
C:\Windows\SysWOW64\Akglloai.exe

Filesize
64KB

MD5
1635dac8ea946707cbceba73204dbac5

SHA1
48c081a19da0b108c3df3923e83b15e22cecdbc4

SHA256
da45ac3b45c3c2dc21f86d85e76876aa25e741a90daa87e6bd0d341d7f2b31be

SHA512
cec926b42d25d6dd8cf8ada1370f7e9337acbe63044e5e18c648f4783849de86af50082fdb619a88dd48f4841cdaf1232a7dfc096c61ec46048ae6a0e339d567

Download Submit
C:\Windows\SysWOW64\Akqfkp32.exe

Filesize
64KB

MD5
c1ff468cb3d64fd498611575a8397a8d

SHA1
e27cdf7a3a5d811d8c4fa801f1df3ccfabde98a1

SHA256
b2341f21e939e5d8afd90bc7fd39dab12ff17bdba2f34ddb50b4b16c4846f6eb

SHA512
2dbd2e6b01a45980d1ffedaa87a797244c296465ef352c4ea59c24413a374c7008870475b8d550d43a99251a201a088070af7a025deca4b49205d37c1481acca

Download Submit
C:\Windows\SysWOW64\Anaomkdb.exe

Filesize
64KB

MD5
9b826b46c37593c08af94672257a8e93

SHA1
d646f3111fcd7977b07f77a62f659e3f86e45a37

SHA256
1f39caec10458ec31eb9f0046137ab690951cf118ac579ed953a57029de17972

SHA512
fd91f5bff2ea0aa9e22d3de3a8eb87108db3921e20cccc6029b1f4cb23a4417e2d771a4938022bb453bf51c9c7cf03b09414038d5be7958f23db105e68e959f8

Download Submit
C:\Windows\SysWOW64\Bafndi32.exe

Filesize
64KB

MD5
66ecbb58ff2946a3e2c3c58a028cbc74

SHA1
44501a668746f5844d603f0ac3304eb565fc47d0

SHA256
a8d125858cc70468579dedfa062f142c7cee18895f1caaf8f33d130095835bc3

SHA512
3671a6d6fd8b60ac37dbadc481ca9cb07888c78afbb90929b245c00093f752199638f9c7e01abac3b460c2206b893a37aa0fa1d0d46345c7fe722521189ee2b4

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
64KB

MD5
6779b8d1dbe03b4bfc431fd810659ac5

SHA1
5594d9069254794daa860aed0b60d954a65d8ef6

SHA256
486c8eb1b5faf4661e7c4c02b7303116de629d0e938108477d7e94b04eabbf3d

SHA512
7b738060c7a54756c380370ed7cea594223fe56a2c70735298d1f31ce7ba8b8a19143e1f8763ac4fae6612ef6b4a48ce8591ae71319c2208119790f7c803e97e

Download Submit
C:\Windows\SysWOW64\Bahkih32.exe

Filesize
64KB

MD5
6cc47300b93aeff0d119b3fa5335ab34

SHA1
b49f1093e4bcb4417ffcadf43b4f92cbeb35a98d

SHA256
9bcb5e6ba7931f1d6d27189e8d530d46b65ed3b19ec1641f0a8449cb27a12c17

SHA512
e12e258bc0c5369e55d243fba0a9435388fd39c832c3ad3881e2c01f62b0e7a4a8d0aece4b74c9e216a5f78b61c49711441f25c8a2d1575c04df256f86a15a1f

Download Submit
C:\Windows\SysWOW64\Bakgoh32.exe

Filesize
64KB

MD5
0d5ccf793bd667361b53cc722fe6088d

SHA1
3fe1a22a96b26af88b857819154f49a842465435

SHA256
350c86f3cb47c2c9fc553395d78aa36b441975ec387d355495b50a4aba2cd2c5

SHA512
5c139aab9330d5ebee532d33be3730f4549c718284588a326ecc8f3ee2ed5b24913823d793b3dabaf5859f7516f1748528055bcf99367e24a586230e13207bda

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
64KB

MD5
9899c67eb9a4c4464eeaad9148e94e13

SHA1
657e49ae22c9d8a096c8298444722bcddaf45f1d

SHA256
37654aced7a9041658c132b12a45e01b4bb1129cad22eeb37c99a775c7444703

SHA512
f5bcdd2057e7321c65305d3fd4accae4943dfc363e3c5eca99fe1249b8e902fe8d2aeca425291cc9e120ad2cc112e6de514e14d7266782ace63a55ef206341ac

Download Submit
C:\Windows\SysWOW64\Bdgged32.exe

Filesize
64KB

MD5
c8cf396edf948cb1e6754ef38de3be54

SHA1
1eb6d39190198324673226736132888dc64ee70b

SHA256
b4f3d8aa64f634ffaa6ca2528e685a5655b4167cb743d71745ad7e15bb98f92b

SHA512
18bd597fd75ebf22bed230bad8242824748d7044b7c2dd7d81d1feaaa71ab09aa5e69420f6e98a0c96cf11b319857e55e8e9459ad43ba657d6f1ae7977ded34b

Download Submit
C:\Windows\SysWOW64\Bdickcpo.exe

Filesize
64KB

MD5
de405969f2234185897e2687ffce8377

SHA1
7f7ae9896842e6c32af4b06db8adc15ffa735d15

SHA256
c4edf29b0cf1a34c048d6d723f98525709da66f6cdc481c0adcba3af90800644

SHA512
5a843ee00b1819e00f29df3be4aedb65d00bd3d3e31ff36890f01ee8f311cce8941e935629c60ecbf25386cdd57dd7d905356a363a824cc4b5bcbb7ef5ec0507

Download Submit
C:\Windows\SysWOW64\Bemqih32.exe

Filesize
64KB

MD5
f3f88e56db97bac73e89831db1cecac3

SHA1
e2c635102c0a7a52528c1f4d998ae4233f9255de

SHA256
7171e0328955c914ff0a5f23ba6261ca5a9459d049e6d50b596770865fd60768

SHA512
606dc9ba3c1929276347e03dac66e9d11bb9288dfd87447e8fbb25eb05240e7bf8816c27c4010f28f32edbaaa7c7a8c1bff13bc619b37f74d0274045554781ca

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
64KB

MD5
411214d654e114cbec62b9a0d63ada81

SHA1
eaac1e71793355c882dd878f6f9d9bd682b22fcf

SHA256
42ab66dbd791b58427d5d23e9e7131458c2ba6f13cd31cafddff7a6bf6356d35

SHA512
5b6557dda56ac41435dc70758810de1471b48a97721a9a5d87d92b2a0d19a9015cec095c9aaa205c3cc7b932676cb833ee498095985393e7a7ea6980c7d6eb60

Download Submit
C:\Windows\SysWOW64\Bkaobnio.exe

Filesize
64KB

MD5
ebe8996b848946c48b528af20c7c4960

SHA1
a833932bc790d6b0ebb7179347c4b33982eecae8

SHA256
59708349d864e7433a5f6588cf447320cc070560aa01918e879e3dfd9fd60c3f

SHA512
595bb242cbf64f488693ee2f6c0894a09a94ef69f8dd5f99a4871de77f0013a7568438c5f069239174468316afe03858869e05166f076af165f3d77e863038b5

Download Submit
C:\Windows\SysWOW64\Bklfgo32.exe

Filesize
64KB

MD5
923f478e402408ac1fcd41f1bdea1f77

SHA1
6fa2a119acbea96bf37fda84d59785c12807c8a7

SHA256
770b4c7a3f79db868f523ba00bb5bbe168326e506e863de666b3ac8ec4dbfc85

SHA512
1151e3b7e96786d358c213abf61dbbd5e8517afea9e25b9c6d6b736585afa2d6fd30094dade9fd3aadea5b9c0190ef72acf33a36d4c0974b928f6eda24df037a

Download Submit
C:\Windows\SysWOW64\Blgifbil.exe

Filesize
64KB

MD5
5a8fb4e44d2aa5f919dba37b675b5ba3

SHA1
f1ecf166cc30ecf6de9bad798a41ce41bbd5c425

SHA256
8d6d9b2e185e4ce0cc67733d7d679d1d08191664f9f7311089c8cb906718e437

SHA512
602a0047a1f43d01ffe1bdcc9abd1ccfbdb3ce7297edb9776d6a53607cc1bcd39121f70921697dbbe77fd4982aa972080c5e6dc529779e8388ab1f2fd1eac5dc

Download Submit
C:\Windows\SysWOW64\Blqllqqa.exe

Filesize
64KB

MD5
6e9cb5dc29d43074946ee0d9969f8efa

SHA1
30d17bf9531a5d5ac05347021d527c64c78c1192

SHA256
238d43ec8d3c0f1d8cf959a79c14ebb2c827433910b7d9273d1e0c17dad09208

SHA512
8ca777d5adf3438e552bdd9000606e77fe06395d03170ed1b7dbf0115fb1764f77143f3ae87a78b716d17715a28f5ba9fc550afd36c76d7eff8b56f9fddde523

Download Submit
C:\Windows\SysWOW64\Bnhenj32.exe

Filesize
64KB

MD5
b13a0a42e54309786220580c5128b430

SHA1
f7e3b7f5ba2d180f9de2abb9c1d071a3403a0509

SHA256
de1ee333a14f19b10dc3091e8ce13f8c110e3fb0b4fbc2da5947510475c3a17e

SHA512
85d4f1bce4024881971c4efeb99f1ce0b442973cbfcda21b1eb3b47e5127a5d8bbccadd58c9b67ba4229857660650f957e8acd473ee3e0cf0dbdc1aff858b0a0

Download Submit
C:\Windows\SysWOW64\Bohbhmfm.exe

Filesize
64KB

MD5
59682cf09afcd735c46c72feabdaf4fe

SHA1
b82de58f63dc70b47a02d0c97c7918e013efd5a4

SHA256
6b06d8ff8ecb20772183650fd38dce4b78be3ed29dcd53013322e02982b0aa64

SHA512
fd137b9b65aea0a9f31f9f76cee10e2163da822e503c929e18315497d1f9d41c9aae93064e969fc5af4a21a484892fef45ab160505f3d60be5d4dd19a07992a2

Download Submit
C:\Windows\SysWOW64\Bojomm32.exe

Filesize
64KB

MD5
ae667ee03fe6d44c99ade749f4640210

SHA1
0807a2803db44835a39d378cffd46a04b88abce6

SHA256
d17faa08966cbc7cad56e96680e232b170b8aa81f53adb5c3ee3bc7d075149c4

SHA512
22a36626c1abe61000992ce4e5f5888b6ef3d0322424da30807902f5823cd9270a6618ac6d4c8e184a0cf7064510b032dab707d6fff3ccca1000a41a24564b34

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
64KB

MD5
0982cfcf600b94c2582db70f2580ee14

SHA1
a001eb143fbbb169b184627223d473ffd39b6552

SHA256
1f180066a41575c2f758d316209537da67d67f5d5df5874f31b9c1af1019c38c

SHA512
ed674f99b4df1a8ffbc1a61f907327086caa1edbc7341421b366f589677a1180c753ecbeba8f79d85b2697f09e563260a156e6be15eca79a219d3bfae1e278b5

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
64KB

MD5
144c9a93385778183825cf8b5864a3cd

SHA1
80a28222e64601a775714965e24752822908b165

SHA256
32cda39eeff00ae838da3ffc470a2982dcc85c3b5afc7d12a9abbbc0393fc3da

SHA512
5981cf330758f3755829959333ef9e01d357b9aadb8fb89eb6c2015f09d8b82cd5b26172a4b351aad46c202a1a9c5712b657c020cc8503045c949ac6b014e400

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
64KB

MD5
c6301ff87f0ee8b6823e5db9a0387bc5

SHA1
1ad98e68bba3ea4c8cc4f90e09224082468a2a69

SHA256
a7ed48f2ff7a1fb7c962a200bb95be8430b73c5b1da12903b982768ae91c3e04

SHA512
b8daa2f60b1e9050ccde926d9fce2facd9e7a8811f400abd01f6b7e8537d4699a2ba8f1f925e2f3726da08c5511355c9a0851c892789b9e9769d6472e2626581

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
64KB

MD5
fd8c00b7eb7e62ea1cdb05c81dacfec7

SHA1
0f8223225d4fe08cb20983c6585fedf6f1658aa4

SHA256
e7a91b797874d958b659be3786a20742ddd7a87c8e36d738c65c9d22bc58638f

SHA512
a79fdd65242fc5e31ea6b388a6efb4c053c1ec7fcc5332cea77ed527c5f3d8cfc050c8f965048d1b00748272ad3c7ed858915a001f36f1617ace44b31b6e9cde

Download Submit
C:\Windows\SysWOW64\Chglab32.exe

Filesize
64KB

MD5
cd8108ecef5caaf2487b4c516d458e48

SHA1
d00238012b72ab7292a188787c03a4c323e09629

SHA256
b47832aa2a6ec66de2536962e086c6bbd0e5053e11147049faea1ef38e10f79a

SHA512
c59788c1dc9dc0753f53a7e19bdc3ac8ab885d3950027b7c6ddcb2c231405f99198ea8904ff8c0449e3dccd8fb1024785988798a69de56b1cbdf904572ced0dc

Download Submit
C:\Windows\SysWOW64\Clchbqoo.exe

Filesize
64KB

MD5
0f4f52750adaf3b7cb60a5177914b107

SHA1
8fc48b4f4be67258e384a655b54c0c4323bfeace

SHA256
c442cb03a1db77061e8897c5e2f3177f80fd583b637ed8b1c87828e67b789f80

SHA512
2bad164b240011c64d405fe7dcee87f7ae30ac2bd2f2865f6f2f0d8171fb2eb22ba52fcca7997f2158ac5649a0d37beca90a5b2c37ab2be15045304bdfe28b77

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
64KB

MD5
2c1cb14223333c84c28fa899d21ae59b

SHA1
cd1cb969fee8fc2e1e9fbfa530f18f33bc367350

SHA256
55ce762e357d26b69657d0cc737c7e2583f8b843c058e704f294e870d10bffdc

SHA512
c6184f3175a87d995a823fd6822491bed44416a898fe323082ec03911ca55bce1f6ee103a804c5c861e44e1d376550268482c0b5b474311bfe92465de434a183

Download Submit
C:\Windows\SysWOW64\Cndeii32.exe

Filesize
64KB

MD5
f154f6d4b79d0d2c39156e5afc236797

SHA1
6a9ace5da73b8d74755b68fbfcd00ecf3aa82401

SHA256
6860cc68fe295940ff8a6e4475344dc4d0accf98eff1b4fe4c3fbf45f59a8449

SHA512
cb10616c42e4990ec37d3853e379e88f8872041514c6e9604772b28a7bf0e659c3f5e8ac78f73b3e85065f7dd51477ea836fd30b10707668d376024143c95441

Download Submit
C:\Windows\SysWOW64\Cnfaohbj.exe

Filesize
64KB

MD5
01a5c2a98e6568d1fadac5aabea141b5

SHA1
3adde5495d975bc8ca23c1438c68ebc32146d374

SHA256
00e6dbb212ce3294105e4593e22c355dc549adecf368fa02e3727851d967dc2e

SHA512
4a2ea936cfd4826d793c86e67ec85f5eeefaa921eed04b2f6add8e26a3e757dfcc7770187db0247dca66e084bf6a32dd24b13987c789c99c4bfbb8cd7c3b4a0e

Download Submit
C:\Windows\SysWOW64\Coadnlnb.exe

Filesize
64KB

MD5
e7a9dcbe545c8b0b8daadd9fe3d20434

SHA1
82b8abd76a6e547e16581b0fd5ced8abb8926c9e

SHA256
b4765072a3654e04c8bb8e750fa931a0824c18cd8ecfc75f743712be238d80ee

SHA512
d0e189f8de5dd7914a84c59f52f15985664ef31103cf4dee8290c136112248612cd0235682e716e1f44770d054a4d9774b3d6fb9eff9f403e0e0921c66f90645

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
64KB

MD5
cdf708fbddf6ca47cf931346f986ad42

SHA1
1e0824a299544dcf10eb8eec24192e35a594a36a

SHA256
e637b1d7e9b90394a16679bf4b3178a555ad7088df7dc1c23d3ae40752c4688a

SHA512
2b634709a10c1ed49428a45118e76c7ea5395448f3aaebd9799f78ad78ea6d0d058ccd629c5c7844c3b1472ce5fc03af870ca556708e1105a4e8e7a25166c274

Download Submit
C:\Windows\SysWOW64\Coohhlpe.exe

Filesize
64KB

MD5
aa133a544caed90966c965482db84839

SHA1
255e7618e0b99540d0b986b4cc83d17e63337355

SHA256
a5b14c77d8e5fa1895c421d8838459043e06e7257f0e8d4ea85ba1955bc53fb5

SHA512
76458bceaf13a6ccafc9dec5b8d2385f4f8d84ca40945b18012744d9b19e90c8468d4d22e03debab484cf45cf0424a90d27a556b91434104952df234fc8c76c8

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
64KB

MD5
40c8b2ac97152ec9d4a4cac5ebc459a9

SHA1
b71bf2bb88f6df365fce8cef3cd578567edca7e0

SHA256
bb4d3b3276256580a2b969d1012b25c18b8ed108ddf9c77039c125be9ea0a811

SHA512
c2b058c758058958d133cdb36865e22a75bf845279aa670e008e3cf77c36764f5e5d66847da240d6980881b6ba69fc90d925b2a5e17fceffe448632c147e1fd7

Download Submit
C:\Windows\SysWOW64\Dnmhpg32.exe

Filesize
64KB

MD5
97bea921beef7105edd4fc5b53bdc6b0

SHA1
46165431af4b64b6777fc057fe227b8fc6badc9b

SHA256
589270813f55879093b220a9c77baf3808c7e75cf1af559482bee7b086e39bee

SHA512
4b75c0af337eebc429cc262884fba61ef9879a2a5852ce170bac5c15072183394b64f27aff953c65c61f39aeac70bb39d951de20bec31887ce024f96390fa7eb

Download Submit
C:\Windows\SysWOW64\Ekodjiol.exe

Filesize
64KB

MD5
3b613dc9ca167b35e2da89afedefe058

SHA1
56aeef07bf7f20ab6f247a4222581e29f8c809f4

SHA256
908616154fb0d830195c2e15a86bf1427997482f695e755ed9e6cb63ca53904a

SHA512
6b878aaa73c9a9596d82d2042b2f5c2701d4dabd052b394a2b760fb9f1d11d78f3241b86c059dedd3a01bb3ba340ea7dce52f9e67550e70114e0d7ad3ecb8bb9

Download Submit
C:\Windows\SysWOW64\Fiaael32.exe

Filesize
64KB

MD5
fff1b9d1b8e27ae8372f758668b2227c

SHA1
ecaa0dde2924d904c8a3dcc44a76761da9fbf173

SHA256
22e5153cd99cb6c54e77c4ed33de42020a1c27ec99420d24f47373588a385cd3

SHA512
0c132a1452f76a57a61a1fcc4c1310e073748b0967b34332e9db434af827fa2ce305f1a8495a6ec7b61ee5d8f3b83835423ed7f063ff5b29c9e4f85792f9a562

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
64KB

MD5
cef142376b9a10ae0792d290f561236c

SHA1
3ec04a5e03086e5ba3592dc66817ee4a69280cf2

SHA256
b87e7a7be3fd323e1d53220966dfeaed490084bd2f643905db6f4b3bba9e7288

SHA512
a72aaaf99093a3ce3d48cebd1fb350f2cef9d9529bf66e380b2dcd828df74f1922f49e9ff0d5eaaddfef440d32f73dd071df7db0d289ee95423651623c9f856d

Download Submit
C:\Windows\SysWOW64\Fngcmcfe.exe

Filesize
64KB

MD5
8dc6be2926916c019a27a4a54b575691

SHA1
96f19c0c12e717f0ed3c1189ef61785640e9f19d

SHA256
6a9917bb603f3788d8ff49a7e93b27bb62b481b7396d510be57269e8fb1dcf5e

SHA512
6539adc06cebd9103274b39115add612d094ea31a4c61df138f74eeadbdff81142fad03e538b2ca1bcb75e0cbd19347c6f0a9707b9e56426b53b6f2362ccc268

Download Submit
C:\Windows\SysWOW64\Gbalopbn.exe

Filesize
64KB

MD5
2478b1681035f6ab35a92b588a00768c

SHA1
f3a34bbd8e7bb5c90bcf2b0592aa472389141db5

SHA256
ad79a406aa0a7c3386cfef4d5e17a202d5882e0eb266ae02c3ad9bc0a5336c4a

SHA512
8aad1b45a3e9c23181132d922c8b6fd17f82b8598aef880c8930b09f0651ba66fff0b5ce42b4591435cd66ad32e68777add2a5c7092fa0169287cc92195dd835

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
64KB

MD5
6e10944f46c049cb9a60f5b555023d51

SHA1
bf8007f6f89065795143d854c3af52e9e43389cd

SHA256
0d491d12ecfd132b07020d0b761d36a03f719a1cf1a290922cd4d510a83c0bd8

SHA512
e5d8e6df416f58f5b88506ffc588525d1946bb5e241624663745db5d274b16ba47932611a55256874194e868d5ee5d324a2607925940169059a6aea258d6ace1

Download Submit
C:\Windows\SysWOW64\Hoaojp32.exe

Filesize
64KB

MD5
d4ffc60d50396f8eec20896df71c740c

SHA1
08f7225610347747aa50236cdddb235206a4f4a1

SHA256
00543ef99e9074dd389ab1d448e05af075ef557251fb752c8d3697e80b6e504f

SHA512
9c3cd532469956bda0a4d80dfb7742d2faccf809ebeab83c5047b0d34747b0cf6d102fb0c43f05877ebc2651cdd50bd82775a205f8a17af37a995eb2ad05667b

Download Submit
C:\Windows\SysWOW64\Jljbeali.exe

Filesize
64KB

MD5
33e65b74796c1631d20ddd63715f5665

SHA1
ba984f9dffc70803679b74cbbb2269001ce1b9e8

SHA256
69303fb2a8ae38f5e20fbf8addeee358ed7296c430a4db7e7e1cd9a73c7cfa30

SHA512
ef634d4846e94f43a168cf2c8bc4bebfb59720873dfaad21efdae578240910e2b74415cf5bfbaf69dc8193c5f996ea3002645c76f9c8b956d73974d3e2948ceb

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
64KB

MD5
dbbc9ae26590438272782057a2e7dfcc

SHA1
c5095c9d0ded3dc01fd654464ca838351d064ef9

SHA256
71c500cda3497510efef04e43d6197bc5f0484ef2427267e9c5eb284663123b5

SHA512
a45eb8f022285bec0a1e9a43ba4ee3fd378705cea631b001f6f0064f6570745edff97e0ac186fe0c24342f1e29b9b113f4db577f5842e586bd7ed85e3682fd44

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
64KB

MD5
d5141eea55c3994732547611141e19e5

SHA1
8e0fbb4c11ec0f15d9936e9d786a958150a7be4a

SHA256
0f28ccf1bc867513d9aa66ae21f68df7535b9d22b34274c7b00ce0ee5eff05ae

SHA512
5ab4313fbac1f3a9d0ce3371cb62fc7e8e8c3cfe68b19ffc90df3dc600414e43ec822eac96671dabb6d1a172cac0380bc40f5ff146caadcf68e387ee977bbc91

Download Submit
C:\Windows\SysWOW64\Knqepc32.exe

Filesize
64KB

MD5
bce1d5278616a194ecbc9b285133f0c6

SHA1
223e73e90acf9414b3542ffb3ce841837cc68356

SHA256
f839c6e4e2ce17d78104caa7678b13f90d04aa424eddee37c754e64a0af1bf33

SHA512
f7dc23958a5fdb8ce73d38505869d97d8128a05628f593c6b53452258c054b6c498d9af7d287f897fb50d0fff25bf1e24af1aa2b37fbdd4201b4b15baf4429e2

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe

Filesize
64KB

MD5
88cd0f8759a2017065c4fc76c4109f73

SHA1
2e79f9fe0d162dae651f899a2244c5c739580b65

SHA256
d5fda009f58e545cdf4016c6456b5fb4ada50e4845a93732771d838dce820fd5

SHA512
d781ac06ab80d1d349fc7afbf7ab069c83cd1ee8b7ad808e80715d8948886eb038b54ab16ecf5979a2533eb0ba9ee0f72ecae96e7e276128a81fba6493818323

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
64KB

MD5
16ce74868b2352ee7280bb2a346893b7

SHA1
57e1caf418282ee154ca5c94646323593866e979

SHA256
4b2c6603799df10fcc1af835af1a6aca41288df6efc0422be15a01ce3d6386f4

SHA512
7a29c4c06e014be7cb099bc463e599c286cdf0fee222da339991dda36f0d96e84a594a5edfadb1e6e2bf27f47cc622e0adacb5ba10971bc8cdc78e86fbb4d6f9

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
64KB

MD5
cc91b3ca4efd06fcf881b3dd929d0659

SHA1
9063604fd5962664e15fc2c8765c93f4732f10a1

SHA256
47b6f3afb48a48b10233e1ec3a3d84ed2df66713417c390fdec1cc899cc5593d

SHA512
d670c5045047324c9080364c4b21ac07d32d601d2fd57362a8756164aea95dfb0890c2e3b42d89cbee88977fbc95e5b0f701ec09e09bcda06b05ba2bceda8ab4

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
64KB

MD5
529424bf41521cdb04f449cc614f8df2

SHA1
741c33063eb829065623b8f4111021965288ef6c

SHA256
dca66732eed0b45cfaf59dd66b1c0896b35d26989f8a34a0e816cfb39c71c88f

SHA512
8b1529ee4785a898b345a3535abf3a578288b62228ae42dd6c5eb4171c218a09183e6196dbf4d6275e2224f3fa33ba379657d3ea9bd34cb9439f7732fc5b3373

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
64KB

MD5
52d4d6db7c7063aeea2232112cc01e26

SHA1
087142506e0a077ed6dd05a42fbe232ed1fe0b5a

SHA256
7ab2fd0563a53f3103d8be361be360a127dede3a760ade84762b6a19c9c3cafe

SHA512
a251c16925dc79722daca50c41ed90bb79a272aaee64a23141eeec9641cdfd53bcdaaaa404735b8b925c1394207f95ba811d1cbdd4a6ca1075860e1fcc9c42d5

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
64KB

MD5
0ed9eb8c2aaf5d248a9d47bea3e3d8e1

SHA1
668c8197cc467ee14383d6bf7e591a7d92768d8a

SHA256
4a91f78051685ca1a49c9e92a1688fc0071fe02944d54857e55b660aa95b7a54

SHA512
d584f3fa848e0bfd04bdaa803bc36a0805f3ad6d699cd16d469833fce908d7195a89a5f18477d0cde758402ffa2f7f01533eeb66a7b2a34be593380038217fef

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
64KB

MD5
c1b542ed534f7e8a5ee422903ee56f08

SHA1
4c96da5d32daa527bfe1d8aafcb97fee28fa8e4b

SHA256
6f73eb25a4f50b2db59bb2babd7fd9ff11b063d66c916926c904c0944d94cf4a

SHA512
29f225e32eab487a07366e7fd3094d2ee48d93dd1c714a2f013a1de4f753dbb94bbd3a4208f8ae60835d96006a8d0b0848473440024aec77f13c0f4f1b5b257d

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
64KB

MD5
6236e7fd069f21725cbb607ddfc03ac3

SHA1
e71506037b072d4548a282dd608f557d3dbb6805

SHA256
5b9596144f83c21379d299854fb259af0cf9362007dcbe191c7e167c39096e20

SHA512
9f73ca90e9f6ad4bb06f29166086d84a22343dca99a8c938c6bf23be54278ef438193b0f74e0c2c2faf7a40389dd6ad8061691d49a97cceac7b1dbcc94a06c62

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
64KB

MD5
b0236c64162f207dd00d1f2cf19dc60b

SHA1
05df2b5c1af3ea312e2775b2734d21037215cd66

SHA256
86d0f0d31e500a50ab30ed3c9c134ed547f9787b29dc4c626f65973dcd339e65

SHA512
567d2ba589a8f0f867ebbf53162e997f82d63a78d07731fee8755f5db472dc28098c0c5bd4f576d298679898cc4ab3c0db842f18cee3d0eda3f6b8ecc34c05e0

Download Submit
C:\Windows\SysWOW64\Pjmjdm32.exe

Filesize
64KB

MD5
00679b37baf68b70694fefd1fac085d2

SHA1
d2e10b5553cca8029157f25ba332f65ef380791b

SHA256
8b5629dc3ff4b25b8bdbf23c89f16eb99be6b594f48b3eb891ad90bce9e13efa

SHA512
0695a5989e4865138b5b35f10e77e99010c4242fad0893f11a1a857358cc62ba9f5b82d8179ba8cdbe22a729e2d39b335b3d1b39d4a67b90b0de0d357b086782

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
64KB

MD5
a17a033cf784f82dec1efae79808bc1d

SHA1
a956b02893214e08f9b4057b2e94358dbddb6d68

SHA256
533cfc2b5b69d6a695bd3c6d72017d07a8f85846a20c34eb71aa4d63a5bd0f43

SHA512
0c0f9e282d603bc7b38c255d8f623f1e72e741b3477e7213338160d6dd6fda9daaf9456bdb73c89c3e7b1f842f20536f0788bdee23aa983b898e60819ce1e4ea

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
64KB

MD5
081b19f57ca087555af12c7e3a0ccb5d

SHA1
d615494dff85548babf5364e9a9ba4fa2a02c84f

SHA256
6144c170accfe433d8ab34f1908d655d25c3f49575b84d54049d1ccb2f3329ff

SHA512
965cb4188c99cc4d7b5c2baa08c209a54c7a7529faac22d685e4470d1fe0a37e604112c883610230d881b243e6245d93d8005f81441a3dd7613811ebb9d938c9

Download Submit
memory/8-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1388-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7004-1541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7060-1538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads