berbew | 5055e5bef1edc947438c661c882eb14d09d92361ada23cbe14a1990c1f06afd1

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5055e5bef1edc947438c661c882eb14d09d92361ada23cbe14a1990c1f06afd1.exe
Size

64KB
MD5

d769f4c6974a1a778847253690f541d7
SHA1

d652abc4b3e20b7f93d4ee4eb0df76540a325846
SHA256

5055e5bef1edc947438c661c882eb14d09d92361ada23cbe14a1990c1f06afd1
SHA512

c90bad98499460d741d8e4f00396470de50de73b0a76512a40d39e9f376daed116a30df225ee5fcc05f91d7d971cac016ef623b24af4902e17d9cc89286d7dbf
SSDEEP

768:1qOJFcJtLct5ZzJqbolHSf3Q+kdTbw2n3/qDsufLAspw7q3w2p/1H5hEXdnh7L4U:5JanUZztyf3Q7dTk23wsKUug2LK7RZL

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifomll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jepjhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gehbjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eejeiocj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fefedmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomqcjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiahnnph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkokcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjodla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flkdfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chqogq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmohno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjblje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgplado.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enkdaepb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnfge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eokqkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hehkajig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkokcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eokqkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emanjldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoobdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Komhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgplado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klfaapbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdgnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jebfng32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4328	Cfpffeaj.exe
2376	Ckmonl32.exe
5084	Cbfgkffn.exe
4516	Cdecgbfa.exe
3044	Chqogq32.exe
4132	Dkokcl32.exe
2232	Ddgplado.exe
1676	Dmohno32.exe
4960	Dnpdegjp.exe
4532	Dfglfdkb.exe
2600	Dheibpje.exe
4156	Dooaoj32.exe
4992	Dfiildio.exe
1908	Dmcain32.exe
2816	Doaneiop.exe
3652	Ddnfmqng.exe
844	Dodjjimm.exe
452	Dfnbgc32.exe
2348	Emhkdmlg.exe
2640	Ebdcld32.exe
208	Emjgim32.exe
1432	Enkdaepb.exe
3048	Eiahnnph.exe
1092	Eokqkh32.exe
4320	Efeihb32.exe
4436	Emoadlfo.exe
1980	Enpmld32.exe
860	Eejeiocj.exe
4784	Emanjldl.exe
4260	Enbjad32.exe
2188	Felbnn32.exe
3856	Fmcjpl32.exe
1648	Flfkkhid.exe
4512	Fneggdhg.exe
4820	Fijkdmhn.exe
3080	Fpdcag32.exe
2908	Fbbpmb32.exe
4352	Flkdfh32.exe
3508	Fmkqpkla.exe
4852	Fnlmhc32.exe
4500	Fefedmil.exe
1652	Fmmmfj32.exe
404	Fnnjmbpm.exe
2964	Gehbjm32.exe
4804	Gpnfge32.exe
3844	Gfhndpol.exe
4848	Gifkpknp.exe
4644	Gncchb32.exe
1128	Gihgfk32.exe
3908	Glgcbf32.exe
2184	Gbalopbn.exe
4016	Gikdkj32.exe
2220	Gbchdp32.exe
1748	Geaepk32.exe
228	Glkmmefl.exe
4764	Hfaajnfb.exe
372	Hpiecd32.exe
1592	Hfcnpn32.exe
4772	Hoobdp32.exe
1384	Hehkajig.exe
3412	Hmpcbhji.exe
748	Hpnoncim.exe
2196	Hfhgkmpj.exe
952	Hifcgion.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgkfnh32.exe	Kodnmkap.exe
File created	C:\Windows\SysWOW64\Npbceggm.exe	Nfjola32.exe
File created	C:\Windows\SysWOW64\Pmlfqh32.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Enbjad32.exe	Emanjldl.exe
File created	C:\Windows\SysWOW64\Ffiipfmi.dll	Emanjldl.exe
File opened for modification	C:\Windows\SysWOW64\Lokdnjkg.exe	Llmhaold.exe
File created	C:\Windows\SysWOW64\Lflbkcll.exe	Lgibpf32.exe
File created	C:\Windows\SysWOW64\Omgmeigd.exe	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Enbjad32.exe	Emanjldl.exe
File created	C:\Windows\SysWOW64\Fbbpmb32.exe	Fpdcag32.exe
File created	C:\Windows\SysWOW64\Ifolcq32.dll	Modgdicm.exe
File created	C:\Windows\SysWOW64\Fgijpe32.dll	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Chkobkod.exe	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Hmpcbhji.exe	Hehkajig.exe
File opened for modification	C:\Windows\SysWOW64\Lflbkcll.exe	Lgibpf32.exe
File created	C:\Windows\SysWOW64\Nfaemp32.exe	Ncchae32.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Fefedmil.exe	Fnlmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Klcekpdo.exe	Kgflcifg.exe
File created	C:\Windows\SysWOW64\Oonnoglh.dll	Lnldla32.exe
File created	C:\Windows\SysWOW64\Ngqagcag.exe	Npiiffqe.exe
File created	C:\Windows\SysWOW64\Ocgeag32.dll	Ombcji32.exe
File opened for modification	C:\Windows\SysWOW64\Ppolhcnm.exe	Pjbcplpe.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Dfnbgc32.exe	Dodjjimm.exe
File opened for modification	C:\Windows\SysWOW64\Fmkqpkla.exe	Flkdfh32.exe
File created	C:\Windows\SysWOW64\Cfiedd32.dll	Kpcjgnhb.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lqmmmmph.exe
File created	C:\Windows\SysWOW64\Fdllgpbm.dll	Lflbkcll.exe
File created	C:\Windows\SysWOW64\Qgnnai32.dll	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Baegibae.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Efeihb32.exe	Eokqkh32.exe
File created	C:\Windows\SysWOW64\Ekfjcc32.dll	Iliinc32.exe
File created	C:\Windows\SysWOW64\Cocjiehd.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Ficlfj32.dll	Glkmmefl.exe
File opened for modification	C:\Windows\SysWOW64\Ibhkfm32.exe	Ilnbicff.exe
File created	C:\Windows\SysWOW64\Npdopj32.dll	Ibhkfm32.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Chqogq32.exe	Cdecgbfa.exe
File opened for modification	C:\Windows\SysWOW64\Dooaoj32.exe	Dheibpje.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Ennamn32.dll	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Hfaajnfb.exe	Glkmmefl.exe
File created	C:\Windows\SysWOW64\Ifmqfm32.exe	Hoeieolb.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Hhlpmmgb.dll	Kgkfnh32.exe
File created	C:\Windows\SysWOW64\Kkbfan32.dll	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Enjgeopm.dll	Npepkf32.exe
File created	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oclkgccf.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Galdglpd.dll	Glgcbf32.exe
File created	C:\Windows\SysWOW64\Fihgkk32.dll	Lqojclne.exe
File opened for modification	C:\Windows\SysWOW64\Cdmfllhn.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Ojajin32.exe	Ogcnmc32.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Kgflcifg.exe	Kjblje32.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Ojajin32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6992	6672	WerFault.exe	289

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjodla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnmmboed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gncchb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmpcbhji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgflcifg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmqfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpfgmnfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpdegjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eokqkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbalopbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljeafb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclkgccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpoaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaldccip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fefedmil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnnjmbpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgkfnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifomll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjblje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llmhaold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomqcjie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dooaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doaneiop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gifkpknp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmonl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efeihb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfhndpol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddnfmqng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gehbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqdcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omnjojpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogcnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbfgkffn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpdcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Impliekg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpcjgnhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjdmbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifcgion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhkfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jniood32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfohgqlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpffeaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eejeiocj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iliinc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enpmld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmcjpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnfge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfjcc32.dll"	Iliinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkokcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbjdgmg.dll"	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihgkk32.dll"	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbfgkffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmphblgf.dll"	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmdpjg.dll"	Jepjhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejain32.dll"	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmjcf32.dll"	Gpnfge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpcjgnhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fneggdhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkalh32.dll"	Fijkdmhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijkdmhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcnpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakoidm.dll"	Ickglm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofmfi32.dll"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfhndpol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfhgkmpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knenkbio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcimdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flfkkhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglkdbfn.dll"	Fmkqpkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hehkajig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhjm32.dll"	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flkdfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgplado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll"	Hfhgkmpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgffoo32.dll"	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll"	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifolcq32.dll"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll"	Ddgplado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll"	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Pmlfqh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 4328	2156	5055e5bef1edc947438c661c882eb14d09d92361ada23cbe14a1990c1f06afd1.exe	83
PID 2156 wrote to memory of 4328	2156	5055e5bef1edc947438c661c882eb14d09d92361ada23cbe14a1990c1f06afd1.exe	83
PID 2156 wrote to memory of 4328	2156	5055e5bef1edc947438c661c882eb14d09d92361ada23cbe14a1990c1f06afd1.exe	83
PID 4328 wrote to memory of 2376	4328	Cfpffeaj.exe	84
PID 4328 wrote to memory of 2376	4328	Cfpffeaj.exe	84
PID 4328 wrote to memory of 2376	4328	Cfpffeaj.exe	84
PID 2376 wrote to memory of 5084	2376	Ckmonl32.exe	85
PID 2376 wrote to memory of 5084	2376	Ckmonl32.exe	85
PID 2376 wrote to memory of 5084	2376	Ckmonl32.exe	85
PID 5084 wrote to memory of 4516	5084	Cbfgkffn.exe	86
PID 5084 wrote to memory of 4516	5084	Cbfgkffn.exe	86
PID 5084 wrote to memory of 4516	5084	Cbfgkffn.exe	86
PID 4516 wrote to memory of 3044	4516	Cdecgbfa.exe	87
PID 4516 wrote to memory of 3044	4516	Cdecgbfa.exe	87
PID 4516 wrote to memory of 3044	4516	Cdecgbfa.exe	87
PID 3044 wrote to memory of 4132	3044	Chqogq32.exe	88
PID 3044 wrote to memory of 4132	3044	Chqogq32.exe	88
PID 3044 wrote to memory of 4132	3044	Chqogq32.exe	88
PID 4132 wrote to memory of 2232	4132	Dkokcl32.exe	89
PID 4132 wrote to memory of 2232	4132	Dkokcl32.exe	89
PID 4132 wrote to memory of 2232	4132	Dkokcl32.exe	89
PID 2232 wrote to memory of 1676	2232	Ddgplado.exe	90
PID 2232 wrote to memory of 1676	2232	Ddgplado.exe	90
PID 2232 wrote to memory of 1676	2232	Ddgplado.exe	90
PID 1676 wrote to memory of 4960	1676	Dmohno32.exe	91
PID 1676 wrote to memory of 4960	1676	Dmohno32.exe	91
PID 1676 wrote to memory of 4960	1676	Dmohno32.exe	91
PID 4960 wrote to memory of 4532	4960	Dnpdegjp.exe	92
PID 4960 wrote to memory of 4532	4960	Dnpdegjp.exe	92
PID 4960 wrote to memory of 4532	4960	Dnpdegjp.exe	92
PID 4532 wrote to memory of 2600	4532	Dfglfdkb.exe	93
PID 4532 wrote to memory of 2600	4532	Dfglfdkb.exe	93
PID 4532 wrote to memory of 2600	4532	Dfglfdkb.exe	93
PID 2600 wrote to memory of 4156	2600	Dheibpje.exe	94
PID 2600 wrote to memory of 4156	2600	Dheibpje.exe	94
PID 2600 wrote to memory of 4156	2600	Dheibpje.exe	94
PID 4156 wrote to memory of 4992	4156	Dooaoj32.exe	95
PID 4156 wrote to memory of 4992	4156	Dooaoj32.exe	95
PID 4156 wrote to memory of 4992	4156	Dooaoj32.exe	95
PID 4992 wrote to memory of 1908	4992	Dfiildio.exe	96
PID 4992 wrote to memory of 1908	4992	Dfiildio.exe	96
PID 4992 wrote to memory of 1908	4992	Dfiildio.exe	96
PID 1908 wrote to memory of 2816	1908	Dmcain32.exe	97
PID 1908 wrote to memory of 2816	1908	Dmcain32.exe	97
PID 1908 wrote to memory of 2816	1908	Dmcain32.exe	97
PID 2816 wrote to memory of 3652	2816	Doaneiop.exe	98
PID 2816 wrote to memory of 3652	2816	Doaneiop.exe	98
PID 2816 wrote to memory of 3652	2816	Doaneiop.exe	98
PID 3652 wrote to memory of 844	3652	Ddnfmqng.exe	99
PID 3652 wrote to memory of 844	3652	Ddnfmqng.exe	99
PID 3652 wrote to memory of 844	3652	Ddnfmqng.exe	99
PID 844 wrote to memory of 452	844	Dodjjimm.exe	100
PID 844 wrote to memory of 452	844	Dodjjimm.exe	100
PID 844 wrote to memory of 452	844	Dodjjimm.exe	100
PID 452 wrote to memory of 2348	452	Dfnbgc32.exe	101
PID 452 wrote to memory of 2348	452	Dfnbgc32.exe	101
PID 452 wrote to memory of 2348	452	Dfnbgc32.exe	101
PID 2348 wrote to memory of 2640	2348	Emhkdmlg.exe	102
PID 2348 wrote to memory of 2640	2348	Emhkdmlg.exe	102
PID 2348 wrote to memory of 2640	2348	Emhkdmlg.exe	102
PID 2640 wrote to memory of 208	2640	Ebdcld32.exe	103
PID 2640 wrote to memory of 208	2640	Ebdcld32.exe	103
PID 2640 wrote to memory of 208	2640	Ebdcld32.exe	103
PID 208 wrote to memory of 1432	208	Emjgim32.exe	104

C:\Users\Admin\AppData\Local\Temp\5055e5bef1edc947438c661c882eb14d09d92361ada23cbe14a1990c1f06afd1.exe
"C:\Users\Admin\AppData\Local\Temp\5055e5bef1edc947438c661c882eb14d09d92361ada23cbe14a1990c1f06afd1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Cfpffeaj.exe
  C:\Windows\system32\Cfpffeaj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\Ckmonl32.exe
    C:\Windows\system32\Ckmonl32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\Cbfgkffn.exe
      C:\Windows\system32\Cbfgkffn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Dodjjimm.exe
        
        C:\Windows\system32\Dodjjimm.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        27⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        31⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        32⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        38⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        43⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        50⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        53⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        54⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        55⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        57⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        58⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        63⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        66⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        67⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        71⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        72⤵
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        74⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        77⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        78⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3960
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2972
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        86⤵
        
        PID:788
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4908
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        88⤵
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        90⤵
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        92⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        93⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        96⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        97⤵
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4588
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        105⤵
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        106⤵
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        108⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        111⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5072
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        115⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        117⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        119⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        124⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        125⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        127⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        129⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        137⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        139⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4552
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        143⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        144⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        149⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        152⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        153⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        154⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        155⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        156⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        158⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        162⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        163⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        165⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        166⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        170⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        173⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        174⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        179⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        180⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        181⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        182⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        184⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        185⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        187⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        188⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6772
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        192⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        194⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        196⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:7084
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        200⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        201⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        202⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:6428
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        204⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        205⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        206⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 408
        207⤵
        Program crash
        
        PID:6992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6672 -ip 6672
1⤵
PID:6824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
64KB

MD5
503a438e3a622fb79544eebe73b9a33f

SHA1
33ce29e2cd6853952ae92abe85743ff59769e31a

SHA256
3d2be5b10c3936f16eb4f2bfd612bff63658317496566c611625c3b7b3158b93

SHA512
374b61b67d01ddf1e8f8ad4ccd171b9bc71f454286b8aa24342ea2d63c1b7b88d2c8bea0d4a5602a9f891dc52cb1af350b43d2087941c9cccdd4cfd300c122ce

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
64KB

MD5
4edbebec944c8d9aa67f846577671d4a

SHA1
7c5255d49f8f2cb7ebc4dfe25692db25b9be0321

SHA256
2f37c9a7305d01d0772873d874d39e05db4219ac9e6a68d44d74e762c1f373fc

SHA512
e6e3d0a6e72c88dd1e91df6aad0dbed89d64ebaca9bade16f1d00160669bfbc51da9f7aa1270cc0ddd6647e4d1d48cac2f73b6ee6cf0f413f75459a4bc26269c

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
64KB

MD5
2ba6b4c393e6e36ae178037d0971fe79

SHA1
652905cb423607b90f6e46e356423af6f4a20c38

SHA256
0a7606d75d1729c6d0bfface3616e4045afcc5be685c265eb5a805e38105c216

SHA512
056a16ed7a06da2370e2eacab495728ded73ad60f396fa4a33fdd27784e98510638ae9db69012ac5e7b21b80c70d09ff2b43e6d689cfd38c4cfe7cf5e6e7953a

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
64KB

MD5
2f1434eb7d6261209d34310fffb48e23

SHA1
edddb9c20feafa4b1c724452b9dd0fa61faf4883

SHA256
1b858fdaacb25994042bc2fe7191f3de73605cb049aed0398ef0589133114e2f

SHA512
ca4eedce09a8bf26d7ecf56a9c3778dec27e48f714b56721454fa661c89361ed0c8db0fe7f8d3bb60998ac84b87e0b2e43a0006145f7ee6a92bfc091456ec58a

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
64KB

MD5
0a4bb7f8d451dcbb258fa727c5936aae

SHA1
52128bc3a991c880c3eaadc41edb35a5f8daf172

SHA256
5cf30b3ec075936a09ae0b147404e5d4b1c6675c4d4bfbf722c5de5e31e6cada

SHA512
f2994f65d6876b7a74e76b5af870eb044c188fef4db785c3ad4c6bc3f1e1f618a00e89bf4781d0856a51eba487ac71a00f444486a64d46ae5a50d9049b6ae4b8

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
64KB

MD5
dff8583cf92d1717680937fc13547813

SHA1
19b0ef8873f17bed6c472cdc739c53b1ae5b3e2c

SHA256
2e920a8c14726f81177ad679b0d004534af61cffa477d6f1a72e775892dcbe3f

SHA512
e00d5e656ef40beb31d5542f9f0316deba6d0a29f82d0eaa66ecbd87a2897cecfe666b9c1d7e4161763d8cdb9067c387d5bef32a5f35ee9d18670de572b4eab1

Download Submit
C:\Windows\SysWOW64\Cdecgbfa.exe

Filesize
64KB

MD5
dd05857b1f9ea951e563179da32f701c

SHA1
cbdb2fef54c8e56e05277ee81eedca268933e2bb

SHA256
dfe244f228cc9e6d004e46afef1fefc5d46e3a942fe56e580b8adda4af9f16ec

SHA512
96d1f55866fef06f6f44b62f1dc228d427f02d5dccd5861bc5d2e3d399360edc780d9eb20ed86ef61adc750bde5eb11ba7802ff44232c78c9d4c5c2156d4f5a1

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
64KB

MD5
a352edc86abff261fd0216f8f7ae7439

SHA1
4ced03f953c86541b300c7f09f0ffe442ace201d

SHA256
3f68ed142480c7884938367db761ea661a6af4bc2cf8f6d74cc13791a0f02375

SHA512
9950070803293f5d835a75a190dc93902550a0a26975a3ce53000bb3fa195b2935ba1e2ac3d9970321407961fde60fa5ef36cc9e1cfd94028c6327d3a57a4d60

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
64KB

MD5
9d182d0a9eda05cb763d1fb6951b99e4

SHA1
8a79e1c5164b19dcac3e6555c5380ddd2b41957b

SHA256
f7a209f9a331fa8b7b1fea77fc7cbdfd32110be7d2ce098440fa326cc0529ca8

SHA512
657783a595eb04f3dd6e78485233a5ec074be7968b877d338551ac5e6bfd368c50578b2030c0a7958081fd5a15d2277a1a498c49dbd762c7cb7c8a6ca7079f05

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
64KB

MD5
719fbf35d96385c15ed50e76f20db0fc

SHA1
8706196bd863ea66f4efd853adab14136632ea8e

SHA256
09bacceb0551607f34a73449528b368e85cbfd94d736580b2b3b0e3589d054d9

SHA512
2f833927f3a15c2c0936947e5674d22872e10010faba3022c2b014395f8e2132ba39fe5dc137e85e31a7fadc7999126dfd2fd6a03e2ab5d01b24f5addd236098

Download Submit
C:\Windows\SysWOW64\Chqogq32.exe

Filesize
64KB

MD5
a8c60cb4cd31bc5a7c63fc348b3266f1

SHA1
7f2a0251c8acf53ce541f2c294d34e1bd706acb9

SHA256
422f15491c7a595c106f99dbfd980d966e4def70405f9ee546558ff8f76788b8

SHA512
6e682993d7e8ec17365c9229cdc22b68d2e73d2322092eaa117f9975bcba682a57075da3fec336796848b1dca9e27bfe6dd49fba5fc1747c5eb98c25d21023d0

Download Submit
C:\Windows\SysWOW64\Ckmonl32.exe

Filesize
64KB

MD5
df6da5694d7ea0890c06126a1008e03d

SHA1
a6384da985bcf4575c2de8f9c3b8c810732e2f04

SHA256
2e3a971a9e5a327926afb79a4c133a3c4574d2a9b56fdc669e32c76bf537565e

SHA512
ae3e8024b67d288dd91a575b1ec348d0af94e331dc8ea10479c0e041445e228da9724ae594c4e9c04eb0eaf1f663b60ce1727fe110c995b90f7a268c7a686aba

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
64KB

MD5
2226b292e68fbea863af68715f4d9a7a

SHA1
7571271c4e00eece4cb7ad0e41305499faef6527

SHA256
1b3dd839e30ab9fd33642cb199fb0e0fe4e0409106f13021db4c3d3d8b3bc244

SHA512
45e8fd66a6b5077ec16b2a99b20a4b374c4245338376bfa26a88ec82834d778a512dc2fd1cc7569b8a209dd9b5964e93f6b9ede9d1f6e0605b84315d4dc23602

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
64KB

MD5
feb783d09b49355ce915f44c1aa916be

SHA1
d1dae7d8dc0950eefcdf7283ae95627e2953de2d

SHA256
f4dc872a701455d7e6db2177791a93d7ab2bea6e4373f7cdf91b64f56d527263

SHA512
cd0151c5bbed59761498c00aeb4f1ac167fd4cfaca3cac8cdb861c3e131b302893f2e623bc60887c3dd5d114ababdb8c9a22a78aeeda46d512ee03ec683cb8dd

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
64KB

MD5
87ed08b70c092d18a47434c93d00db84

SHA1
449b4a79e1065ae8e0f6aacbc57027ccaac5b02a

SHA256
897740e6f0fe434e64f635e6dbfa46ff3102708e58e2303a1d47016ca8b710b3

SHA512
fe39af412bbccf7f50afea0df851665c26aef0b61254178ea85a03f9c251235e0c78d9d278aacdde4c914b5aa6900be1d2f84e62280110d78b7186408e614588

Download Submit
C:\Windows\SysWOW64\Ddgplado.exe

Filesize
64KB

MD5
4d9e78934ad0c35256a0c69d2dc15390

SHA1
d4c4dd038a94c66adc9817a674b6493c2a3fabd2

SHA256
ae2c7d4c7344b0ed377636f12c70dcb6005601ed94da5c9df00e8865b10ef1b7

SHA512
3b67eaf3dee9d18ee5c69199a3a701986edd7db84862f65cc8d1b320d266c9849bdf719eb4684ad99d1ddcde452850fb90035cbb6885996778cdda30649319f7

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
64KB

MD5
4af8ee2eb96e998261f95c8911a9b004

SHA1
a068a977367e7744a7da126c50e4df4051e95a27

SHA256
b3ae8689def92ac6d85d02f5c5440a1c3c6de4d892ab416f7b8f29afd7943c9f

SHA512
9ed936c8e5e5cc765e02f84570db2737bbae069d817ff79713f0f080b4adcfe5056f5b2beb55c7d50d970d66636b1da2c022e580363bf6d16d7fd1c3d983bf54

Download Submit
C:\Windows\SysWOW64\Dfglfdkb.exe

Filesize
64KB

MD5
e1afd8d01fcbef1cda99459b9c54824c

SHA1
ceb78ebaed17cce819299875261d5538b863db52

SHA256
db423e8805051962def71defe5e78e5ba9b99985d0ab5967e2526147ecd00f0e

SHA512
3ca869844c0fe1f0420b59b2a9af6a9e039512b4c22673d98f96a506f57482c24bbd77380d288960264b2e9ddecf8a1273a15b35f7939ba30c79bebc3f906c71

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
64KB

MD5
ff2af43b58a5ed7fa07095788753f519

SHA1
3604b269efcc2eb1f75ef10a9e9765acaa386387

SHA256
c3ddab2171607dbb10940fd47cdd299430521ecd01e6e7df1740decf1af8953b

SHA512
7170bfa23a9a29fc3bba5ff8bb7c614ea6fc4246ceb67f08afc1972c837b50613907ce39cc7f6a9d1359f539eed9346c25561233d284d883b1762048ad02fdcb

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
64KB

MD5
84fbbd63967ba93487d5ef8c202d8fa7

SHA1
6890f322f93a0c217ca7bea0b734fa57a13ef91e

SHA256
6ba492b5da07e2bfacc320f0f260713dca78df50e90a729f53b88a5ed35941c3

SHA512
40a1b768cbc6a64c041bb54ab456a37bb9fd957642eed8d42d8aae026ad065dcf46e9ec81c66d431d5141382d223a37a6bd8128d456be6c401d65497072553df

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
64KB

MD5
5a1808266d337789f094fc2a03d30238

SHA1
42505cb8590c527666dc31b1803430bbac3a95df

SHA256
39593958b8ba858551bcc4d98fd0bbf6d25186f38d87a807215142638a51a88b

SHA512
b10815436502a5257ec93d580072fb396d6d40cee883d2ff3663f08b2871f77e9528a0311ed08a23e65df481ddaed183d817bcd2398365e444bfb9583410d7c5

Download Submit
C:\Windows\SysWOW64\Dkokcl32.exe

Filesize
64KB

MD5
df314a317bd77be901a9e61b462b047d

SHA1
956fad004fdf050f9aa86f02a4b131c9ceb2a777

SHA256
312d0b8ae8ac90c04beecdb06098e34af5087963d73844ef47bd00f756d77d8e

SHA512
d426068e6b92a0173a6afd51efca9f335e21415024246926ca3627b2ce1c844835ae7fa180ceb74e3196289cc6b65055cd7972174e1d1a962768b3ce46b61b03

Download Submit
C:\Windows\SysWOW64\Dmcain32.exe

Filesize
64KB

MD5
9daa62b341c11300402e0f6b19fc8629

SHA1
c1bfc4b8819a53ad4620c1f2e72ec63932112678

SHA256
b805d81ffd79b672af39d515aded9083e5c2690f829e1e30cd41603a86f5474f

SHA512
3677936ae0483825bdd987263d101f9b1cfb9cdb0d085792a86848275b6311f113bd7886173c7b67ca34ee7fa0578514d3934fc19ce5ed4975ed94b7de1a8d1e

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
64KB

MD5
ae346b05af11f3c1a226aff9d76745ce

SHA1
48b26dbe2ff94ed10a356f13c4d98c5423222530

SHA256
c28266e3a7cf4771af510e8d096ca2f0c2c8e6d72810b6ec6a49b030f5388657

SHA512
bb4deaf71703ea0fb487a71acc8cf0329655ed79d82d003ff0af0b7d0c1e0340006b074a23f4e08667732f9d952ddcf8591e51a71f9285ad2d244d5a84f889e3

Download Submit
C:\Windows\SysWOW64\Dnpdegjp.exe

Filesize
64KB

MD5
94af09057e7045881b3b5b5c6c1c8398

SHA1
e3bfdd20c442f5d2e3c18ae23f3d2e020a03d6f2

SHA256
b01f55345ad73ed7d4abab30c3d3e8c9eecf4f962752dab953bff8cd04311101

SHA512
6c3b154eca95c04e1eb3ff272c5317c9fabf2414cdf51da8f7ccc5f6fcfc9c5fcbf5bc96941a6d32e7c54ca58c54b305d2a846936b5c7366c181417c5436cdda

Download Submit
C:\Windows\SysWOW64\Doaneiop.exe

Filesize
64KB

MD5
da6fc06cbd79453537f329c4377a4ee1

SHA1
e2237de7eff5000f8e2e51c322e497d6b36c98d6

SHA256
f7bd9482945cd996f08d9bd148c3f8e8fee0908f02b353383f0eda123cc17cc0

SHA512
58f69953ea99aa3c1fae9f3005bda1dc2f3c80f58745ce95d17e47d4b9e4499a7a92893040ec65c3690981e82c84cd854145fe2c1aeeea2ba7fe01df5a46e774

Download Submit
C:\Windows\SysWOW64\Dodjjimm.exe

Filesize
64KB

MD5
e3b734be9fb2d746ad9b4382924fdbf5

SHA1
5f4a5aa61d493df5cb537263957f49daaeba7c6f

SHA256
7ed2cf5a6debeb5334bab201d01e87c65500f27e847cfae40e009aed1f2bec87

SHA512
8e913eca88c681c9cb9e8e7d92e8ad13314717d166bd179bf5709bf7f4db0c718e513cbb06026417f63d9c57f091f519596e6ea7e27bd31a3c3bcf660f019235

Download Submit
C:\Windows\SysWOW64\Dooaoj32.exe

Filesize
64KB

MD5
b4ac49a428ce1f2c35997819d47fa70b

SHA1
5e4ea02028802ef592a369fc4a32c7b13ee167d2

SHA256
a044c21726ba409df69208a2fd70ec6d84a4bf7305c2682ca156d24b79399f26

SHA512
ce769baa4962bf32f74a888040d7235e785901e8f6b19a10eb7f7b7a92b0bccf087f0f7c8f7771a933fb5c2966de37c7da0596cb3335c6c4ea70652d8e740065

Download Submit
C:\Windows\SysWOW64\Ebdcld32.exe

Filesize
64KB

MD5
92ea942156048fdcd780a1c9426c63f7

SHA1
529bff5ecfc937f3ee9059084b6d0179533ad212

SHA256
0573993d3ca31ab945202f1de702e67880d5d7b73f522120b010ffd95c74ba3f

SHA512
c0bf2768891830f10f69c65cb8a99ec3978ca1dfe6fdd3928a20b52bb02f108fcea491548bb3fe7d35015cc8c1db03fa79e0d0a1d5a12b8dc764ed7f33c1ec23

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
64KB

MD5
3d00f360a8ac87d37ae148c7769f34c8

SHA1
514d4c78a372eddea443a1d2041f810aba4a621f

SHA256
b194bd7c7781ff1bc39d538ba99e90175e6a8f648db75597db6e06a1548f6859

SHA512
8393c392dc3f276e85ce41ca0b7efd0e81c356c093a4ceef06b4595f3350dc628547f82ea95a6e0f98f39fb9504e494eeae1181ef60c95e740c1e188cf4c2b71

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
64KB

MD5
9708783b7919fa9250c76e93d9be6e21

SHA1
e1fb516f82aba6f532a4953127ee69cc2fd65979

SHA256
0450f91f7d5678f733ad1d3bcbc1d963016fb90d14cd8ddeabe0572d6afad657

SHA512
fba5e90fb6e545c97aae6edb9af454ca8f54b478f8ba2f70ed38b75aba9d26c9a2899875e1a4b4dac1e2cad52277c4b5407f374edaba48d2da8e35870b86117c

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
64KB

MD5
85d00a4c38dcd57cbe20247d92defe87

SHA1
1295283a9f150abd1775f51c3b29dff3c18becf2

SHA256
38feaccd2c6105819a0f53925e99f00e23eab1df500a3b9e4e30fdd4b2d40645

SHA512
6790212e7935a7cb8cb9481b570d91a1b7fab5b4ae9b63150701d4785fa28fa8840457d0dc016355bf0ef1b682024fa8cbe7cdff337eadaa5f09f6022bd75148

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
64KB

MD5
a63a08799ab9519e6593e7468b77e5fd

SHA1
9e7ee798f400b69e6c1be9467dedea55036c430d

SHA256
1431ef00c03a8076ecbf9b786dbad715c54699af69b27e7f443ba414ad84504c

SHA512
d2b91d22681e5ec29f6fb404180de439ca7f0ed0d35f44559120eefd77b5d0400426c163383d5154c322efae438769df8ad1a9ba1b930e83f12e39a450c5f7e4

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
64KB

MD5
a69f6a8a91cf82de67b5271b0fe3a2a5

SHA1
1f48521d31ee047b378ba6b42d948c5c75567c52

SHA256
18a9ab36c980f7b3a3bcf50e945384eea739a31a0b3f07a63002276a65446337

SHA512
8405443ebc086c9a2a8cff54944b37d78aee4c0becb015592161b62dd94467e6a44927649bcc1cb850d41a0b2928278d96cdaa9dcd3e1b90024479aba8624acd

Download Submit
C:\Windows\SysWOW64\Emjgim32.exe

Filesize
64KB

MD5
2ae5ca1549f54f3d13be356c58cddc21

SHA1
30d4f75ba065dfae8140b246c98ea9f1b929528a

SHA256
cad35f1e7807ce8be8014fd65fe3ed464f5f963bc7c1b5958e5f43d0e19dcce2

SHA512
6b0cbbe3b5d8d9e75fc166c7e2a770e7c0f5e9b14332f4e4cf59888e8bf7def5f6653557414bebe496e43eec73478419ab9e3d6f25afdd06500e983c19fb64e2

Download Submit
C:\Windows\SysWOW64\Emoadlfo.exe

Filesize
64KB

MD5
7e4aa574011df7a3cd109d26fe21270a

SHA1
07b6b2188984d8b258386a6c10d76c6636b314d6

SHA256
9c9ee8bb4b192f5b8f385f330c6f5c0e5d550dfa8ba92b055ccd654508b364de

SHA512
b77a5a4b175578098437878da9a9573f78f277c47e9d36561c36fb46c5f09933278177afa1e6ce01631f54b7bb5b6236374cb0dbeda3d867a44289b5ce334223

Download Submit
C:\Windows\SysWOW64\Enbjad32.exe

Filesize
64KB

MD5
9d91cae568253a75a81d1f612cfac72c

SHA1
eca83fe7bc959507ddef599d73afc96823439c79

SHA256
5c14c101f6ef46b5b41068a2428f5830b33450f69f82f9966c0645985be8b00a

SHA512
583a00ca985771a7917366f02d2aaf290c9a690843dc3f6ab2cbed7877c72e31f5ffe76901e18a31daa60dd10a68af5f5ae84ec62eb486ec5f764e7e5c3da8bb

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
64KB

MD5
a599cbd3678bd2c8fad43b03cb323ccb

SHA1
0e37d0115b883c1d629371a7c58c7c8c2afb9335

SHA256
003f9e05dc07ac7c4c868a841fc46a577ec2c9c1209f83a3f6ab44c481e62bc7

SHA512
eeb305b22d21a9ec0f705d69b36bae7e3d35ae9488d60a36bf70757b89bb4f3fb28f2f63aca9fff5da53623db62814fdf090dc5020c34adaea185941028d85fd

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
64KB

MD5
810c777cb8a58c0ae6882d9a49660557

SHA1
3a7af4b4cb5df38c855f6d1515687f50581fadbe

SHA256
884d37ef95d517c92dbd8ea2bbf7eab0050570c149b393d3aea4641207afc931

SHA512
ed4009f38c4e4a2acf35243d53b397fd6bd7620471871b00915dc2048291aa9bff71960831b09524ce2ef53fdc182e43730e50de04b4eddebf88df65fe262cc9

Download Submit
C:\Windows\SysWOW64\Eokqkh32.exe

Filesize
64KB

MD5
d2c31c83a2fb50a5184dae61a38a34d7

SHA1
be5c58f76f6518cc18e04c4b6288dad4f08c16bb

SHA256
825e7c494a8db95c64dc8a10965664029c29795061e26971a427490aed93afa8

SHA512
9c8f4c24fb8cc8d1eb7b43dca6c1afd50a709e6aa2010f29de637a4ebf9b67ba02a9e170fddcd08be722b728c5e3a8bb9469c28c835e0ec3140fb20051cb82c8

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
64KB

MD5
7c01a3416244c22dc624c87585452f80

SHA1
e6e5c88d74a647f30a97a99d4580d16ca3bac3e5

SHA256
a0d0a2bbaffb1928862290a0e2527672ef6a368f533084b8319218965928e3d1

SHA512
4926e06a89655d76ea6b9c7f7c247566e310462516f4ed4c9aaa4afbc700ad1a1e421099d11b81d8f1936b00bb52a5892ad0ffc77c8816f278ca0fe1cc11e335

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
64KB

MD5
8d3c4505ab010b4e127d1fcee5ba87c9

SHA1
02a57089a7af7eb85f801fac7d57a0dac90628d2

SHA256
680c01ce194e185da9a4c6fea3f0b8aa4c49c50e8ce362effd9c9e9a703f2d21

SHA512
70ce4f2137213a36df568f702341d0ea0842dcfb5ff8511181229b017d346b9e32c605a9de8ee19608261f0a1b9a0e51b1cc15a114fda3c38dce03c2aa5f79ca

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
64KB

MD5
4ca1a03c2585bb8148a36d789f89c6d4

SHA1
49ad006b08d638f7155a82ce842fd14fb6ad4da0

SHA256
475ff4b64e7922064d895913cc6efcbd17b303cd2b2bea036a7428bab2d3f8c3

SHA512
1fabb7eb1547f762ab49a8a8f8be9fe468ccedc428c20836645cc5274b6a00725f03dc07d6ab9c553ea6b6b24cff6ce65a7a9eceb3b3801edb6c1ceba34ff2e5

Download Submit
C:\Windows\SysWOW64\Gfhndpol.exe

Filesize
64KB

MD5
efd0609d29b7406d8769b6438a5fd17f

SHA1
bd5d47961ebe86732bad9321b43df9386a495cd2

SHA256
271745abf9ca503fad7eb5ef36630c6687395c8c7addd5e3aaf756bc48253614

SHA512
4ea723be00a5848e7692b05497e41f2c9e2568187aead31dc0441a8c7f5dae028c63e58ee3777ce17ac84fdf0ca77764d24bd322d8a989f3e5508103ad90c1c3

Download Submit
C:\Windows\SysWOW64\Glkmmefl.exe

Filesize
64KB

MD5
357b5776b1602612b656511b45db65f4

SHA1
bd6683003c04fdabef3902f672c93685e303f2fb

SHA256
77847971f5d78812f01ddcdbf8a0eeb59c152e4605848479c5ec1a28d593905d

SHA512
2b0802bc067098d5fb2166ec313755a8534fa5d84b722cbbff46845136e25f821934b8faa41ce5ff3ff7d891c0575a9041d8a65d87fde1e85e7117fc103c4645

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe

Filesize
64KB

MD5
e8e6b204f66d2cdc30b71873a7309ebb

SHA1
cba0e6359b5fedb388d46e1ad2230267fcff5df8

SHA256
23272c43f6bb08e5955339cc57c14592700c167901fbc6900a4488f6a06792ea

SHA512
8913d1cfa90ce3badd3c3d0212e15048cb259f166fe0c037da40129b18652a2f1db9f9d06ce8b17a1ecfbaff9b3e2d04ea9d33e88bfbc41b925b8e6e07c19012

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
64KB

MD5
c3caaed76e6a9548c32c6ccf84d10101

SHA1
b7a2988ce49404f3c79f4d83898e783354037719

SHA256
294a69fe484d771f9d444c8f315243cc643ce16dfc2d0f12e22dd99e5faed9fe

SHA512
287f1ec8de6c4e2760d65b2fc1093420dbd2c9302a08e3498bc64c462fec0f4931a8a17d0affbc4ed1a5dcbd6e960fe1cf861301610b678f658fa685b5e07d38

Download Submit
C:\Windows\SysWOW64\Iliinc32.exe

Filesize
64KB

MD5
0f7a639084c693cc73f99343a7c2cec1

SHA1
3d27f3105c98f7846ef7d12a2db1ba711e8cd183

SHA256
df4b61872be06664264f288e1c275a4d4b8a3a1b95b37edaa92b7e455a2ebba4

SHA512
5f0c7de81a7f765aff2bb5dc52bdcd58f4bb26e63f9e38af934b9638c287522e106f37a7753108b94c7732b6efea39c8800cf2918751efb7d31dfec693426324

Download Submit
C:\Windows\SysWOW64\Klcekpdo.exe

Filesize
64KB

MD5
b61834ed446fe0e73c9b3fd4235d9034

SHA1
84912252a308bf5ecb51acce73dc4bc7578762c5

SHA256
2ec72a769ff43da0dee28a4bf99234e5018042540a5ba93e996960f95554ac4e

SHA512
c3aa418751e76d4db84c88930a3cfdbbad1845954d1136cfe7a5ecc6a8f3e3fb877eb0a9cd056932765cce4cb4eae1aa64a87831d01813dea7f9d10eb97a3bea

Download Submit
C:\Windows\SysWOW64\Komhll32.exe

Filesize
64KB

MD5
0111fbef553e6640b1cbba199364624e

SHA1
e9bfbe631a1782c46cd8f503923da7d14b5abbb8

SHA256
bf94ad6cf3e73027a10878a8846d1799f3addcd47d88736ccdfde7d07aa11c14

SHA512
6e735b59ab963a1da375c7efd21b7160654e09df9961a757f405f891605a0f6cd98253911694904ef89fd76b2424259c9c46a2ed0d4fae33926cf9bd1ee8b3a7

Download Submit
C:\Windows\SysWOW64\Lcimdh32.exe

Filesize
64KB

MD5
c3a93d6d856154f838de467d61c76d23

SHA1
4caaa3655f81c533524e1b742a00bbedda19f3b9

SHA256
c929a2f290c9a7a84df3485be773fc87603298a6c522f47487dd4a172e73989d

SHA512
08f703de822cfac49d4d77dc25aa3c573b67fd21304f008740a3b153bba5ef96bef7bc915e793dd9dafbff034485cd24844e0a98ce538f381031e52724da40aa

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe

Filesize
64KB

MD5
996c7ca0e9ee672c36a5e96dea7e5ad9

SHA1
1a10c6070b02b5df8049549f4efb284239ff389f

SHA256
0f20047d11b5e265a264fe15db829d34726559231a2715fccec84c15e84de54a

SHA512
c4752822469e4b62ae23b4c19ad86219cb3a1b1c98581bb14def0cefdd0c683157b8af786a9670fd74d799acf36e0d78ee8808b0477c9e5fff6454d54e237523

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
64KB

MD5
63370e7a54d1040b735a0fae163889b6

SHA1
e849342c8679ceb6b2971d9819cad3e89041270c

SHA256
e5eddf8101486e2aa3f1ca24770dda3f17b9fe7fb8d34ecec1f9d0f709c794b9

SHA512
6b0e42adbfdb04ab4ebb2ec1121f64e3178465695337d44e5d85dd09580a78de9e8d0f16bfda80a212f63f7b8da11d6ed7b01ed2db6df4eec43567e909e9aa0b

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
64KB

MD5
7e169781bcd664aba15e94052dcd38d0

SHA1
b1d5c79fa0ac7241f29a6f8bed8e49d52ddcb507

SHA256
d364b194b48203cc81c182e38394565d1e15d566adafc3664710ec554d5252b7

SHA512
d956b787df0fa19648baf5022cdf208f464e18204d5983bc75adac48de96c2ff2e50e82dc1e26af003691cdaab651041affce1ecb20792cc19a22127f2892340

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
64KB

MD5
58c09e84bcc7988bd16c6a405035371b

SHA1
5acb985ea7ef0779abb90c9dd19996201521ffe0

SHA256
397d9257639d40543bb3c79fce0efa19625fe22c4e2b4f761b75bd99376c97e4

SHA512
41a7c3a1c168d704e28cc87d01bf2b0217030ab38d5e104d643d828848ec2138afea8440713effde49416d10ba48725711a85a8a28228231bb0ae48d4abf6a3d

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
64KB

MD5
4df7da613a8e9b9170152da456f1e0d2

SHA1
286b29a12010b27fac98aa03aabf10b6af30dfc9

SHA256
ed73970856ed71161584be5d0a2e0db7d1789f24a5ed76c006279c378071ac80

SHA512
bfaa6ac54920c2cfa1514b1863041f8d417213e2ac133cb992d9abfff6a263a5fe3c5390424022dd19bb960ee9effbb75be1117b07a00a0481952dfe95524eaf

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
64KB

MD5
0588e071e2a40c967dfe1ca4e6d3cb8b

SHA1
09482f28b5dc19cd8b83ea32beb285e8824db52a

SHA256
5a59e38d2b4f10c93709bf0b2a2f94ddf225c878293e57655677a70613a34e41

SHA512
75e2e3192f8811eb6c16e494a3fcddc5a96630cd8bf252119b76acfc8ea243f999165246c5f21073b9411c329dca433771517980f21511537b2dc4ecb0b5bbf5

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
64KB

MD5
b67056f8dfcd20d35aaf526fcf07103d

SHA1
1d94941149dba4aa40fe3659e50c4b42e4d2de1a

SHA256
e8ed44ee08370c9ce271a562e755fe1dd861561dd7ed0103eb141d39559271be

SHA512
1328304a1feefa21c344ad36703aa4121adc0dec1d7d776c1d3cb995cf96b06a8d62dbcf9ba12eb719bb918d0bf8a326ba426b8b48ea0f042744c7e250b5f41e

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
64KB

MD5
858e56fe1a52e6cdd94d483140a72520

SHA1
cefdc3a1c87994e4fd42556b18748dd9a1974fe3

SHA256
51ccc3b3c1cdc4740a96d537dc48f8169de484cce35d3dc29ae1cc42a48e737a

SHA512
29b6b0362a43e1b1b3633ba9844c81e6d93c05526fa67b19e0ae8324b3000cff93a8bf7b8b448aaf444b7b7623b334a27ad4229ac91ddfd960d89d95cae0f5db

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
64KB

MD5
fe5d0c4243fd68f6470e8a6a6883162a

SHA1
e7a73aebe13454550e22800f858bbec3521f991b

SHA256
4508999b9ce67fe50f41b28769635e962d76db1c32554516858841413aaa86d2

SHA512
c715bee26fe566db0885f8b9b54875b40ff42750d0de6a486a7be88d65072357ef05d8b8ef1afd046a729a7ee1bdc3816174e1aea1cd9339b65d670b5adbe53d

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
64KB

MD5
154fd0eb4f7db1f494bf7cc99c339b02

SHA1
ddfe2f5ed754c793745d873ea1a20f95b4cd0ac8

SHA256
fcca7e82b3b7973bce0d4644132d26f6ab3626a68ba3d63e5feddfd8953245b2

SHA512
fa1cd9e348c50fdfdb1739304d7b3f7efcca635ffbc68509ccfc76576aa24281ef07cf5f2234f5893a90498dd69e63cc520515899be6b418587f5e725d29c777

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
64KB

MD5
51280135064cf76246a1718aa7a12214

SHA1
d2f206d1d296c652640cada0520e93d638c042f2

SHA256
8e7471ebaca9df1927bb2782429c8cf301ee9d38a4c440e6aaa38f4d6dc820e0

SHA512
c62d0c1752f653945bc1a9eb86c565cdfaff557ab67bb7fdd6753d2cfb60ba03674c18e3b062c501c0fce4f1f7919908ef91538aa875cc0f5a8b3b75a8d72767

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
64KB

MD5
9bb22a2282f63226d849c67888a03e45

SHA1
637d99bc198d5d960913adc57a438295778f0e99

SHA256
b004d1daf8b16340b500b3da96a2e5bb93370288fbe4a11f57b27470e33a0f9c

SHA512
410fab11093cc0316f5c1d9b77cf15dfb64a477231dce88227e422b50ce6377de4fe31888f06d9176ad90fca58f22775f7efc7c5ed671f429cc6a1a23cd40271

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
64KB

MD5
9118ccaef0a3f56ec0820f07545a052f

SHA1
9ced4bdabe1700c1f2b10c138a1f0d47c48f5192

SHA256
ea32e57eab92e37243b78b7fd58f485724f77a12485b5f9a7ba3296a087915c2

SHA512
74d1ee4558ac9619df9cae56b70f8dce9c0f30631557847bd13b8105d699a15feb0302d35e2cc412db797aaf1c89a392c24dca61935178c69ef55deab4cf0e3a

Download Submit
memory/208-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/788-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2184-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-1511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-1506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5956-1496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6904-1454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads