berbew | 22a635e31a9cfc21ae9cea24262c6dde5453426153e6554a1b7e83b8146ac64e

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22a635e31a9cfc21ae9cea24262c6dde5453426153e6554a1b7e83b8146ac64eN.exe
Size

512KB
MD5

f307b54012b68a136f78f6a6acabb6b0
SHA1

819fe61a040d3c2a08fae29729b1033725eaee39
SHA256

22a635e31a9cfc21ae9cea24262c6dde5453426153e6554a1b7e83b8146ac64e
SHA512

91d14fc27f87139605c184981338a48a26b68fc9d1e55e9a42df73fa5bfce9d20a73b8ee0b02e409205498a1f8ac313696b372a04816c36fcecacb20584e2686
SSDEEP

6144:tncHMBJh2KUZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:tneMBJkUG5t1sI5yl48pArv8o4L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iifokh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hijooifk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgmcnhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imoneg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3352	Flceckoj.exe
2016	Fdnjgmle.exe
2168	Gcojed32.exe
4740	Glhonj32.exe
4340	Gfpcgpae.exe
3604	Gkmlofol.exe
4892	Gfbploob.exe
4564	Ghaliknf.exe
4848	Gbiaapdf.exe
3860	Gkaejf32.exe
3260	Gblngpbd.exe
4548	Hmabdibj.exe
544	Hfifmnij.exe
2344	Hbpgbo32.exe
1808	Hflcbngh.exe
4912	Hijooifk.exe
4444	Hcpclbfa.exe
3376	Hfnphn32.exe
1948	Hfqlnm32.exe
1932	Hkmefd32.exe
3288	Hbgmcnhf.exe
2224	Hfcicmqp.exe
4864	Ikpaldog.exe
2596	Iehfdi32.exe
1856	Imoneg32.exe
2836	Iifokh32.exe
3244	Iihkpg32.exe
3704	Ieolehop.exe
1640	Ibcmom32.exe
4880	Jcbihpel.exe
2324	Jlnnmb32.exe
3824	Jefbfgig.exe
4456	Jmmjgejj.exe
3548	Jfeopj32.exe
1192	Jlbgha32.exe
1920	Jeklag32.exe
3872	Jifhaenk.exe
4004	Jpppnp32.exe
4140	Kemhff32.exe
2472	Klgqcqkl.exe
2680	Kpbmco32.exe
1652	Kfmepi32.exe
1028	Kmfmmcbo.exe
4996	Kpeiioac.exe
2460	Kfoafi32.exe
3048	Kimnbd32.exe
1472	Kpgfooop.exe
5060	Kfankifm.exe
2304	Kipkhdeq.exe
2924	Klngdpdd.exe
4244	Kbhoqj32.exe
3884	Kefkme32.exe
1304	Kplpjn32.exe
2164	Kdgljmcd.exe
4016	Lmppcbjd.exe
4436	Lpnlpnih.exe
2372	Lbmhlihl.exe
2424	Ligqhc32.exe
1060	Lpqiemge.exe
1204	Lfkaag32.exe
1480	Lmdina32.exe
4572	Lpcfkm32.exe
1616	Lbabgh32.exe
2992	Lmgfda32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Fqplhmkl.dll	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Gblngpbd.exe	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Hijooifk.exe	Hflcbngh.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Jlnnmb32.exe	Jcbihpel.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gfpcgpae.exe	Glhonj32.exe
File opened for modification	C:\Windows\SysWOW64\Gbiaapdf.exe	Ghaliknf.exe
File opened for modification	C:\Windows\SysWOW64\Hcpclbfa.exe	Hijooifk.exe
File created	C:\Windows\SysWOW64\Iehfdi32.exe	Ikpaldog.exe
File opened for modification	C:\Windows\SysWOW64\Hbpgbo32.exe	Hfifmnij.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Hbgmcnhf.exe	Hkmefd32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ldjicq32.dll	Gfbploob.exe
File created	C:\Windows\SysWOW64\Hfnphn32.exe	Hcpclbfa.exe
File created	C:\Windows\SysWOW64\Gjdlbifk.dll	Jmmjgejj.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kpbmco32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Adopjh32.dll	Iifokh32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	Kimnbd32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Hkmefd32.exe	Hfqlnm32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Gcojed32.exe	Fdnjgmle.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6408	6280	WerFault.exe	281

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeklag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hflcbngh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfcicmqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flceckoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfifmnij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcojed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijooifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieolehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcpclbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iihkpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfnphn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcbihpel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkaedic.dll"	Ghaliknf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnoof32.dll"	Gkaejf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohbh32.dll"	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Lpebpm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3352	1620	22a635e31a9cfc21ae9cea24262c6dde5453426153e6554a1b7e83b8146ac64eN.exe	82
PID 1620 wrote to memory of 3352	1620	22a635e31a9cfc21ae9cea24262c6dde5453426153e6554a1b7e83b8146ac64eN.exe	82
PID 1620 wrote to memory of 3352	1620	22a635e31a9cfc21ae9cea24262c6dde5453426153e6554a1b7e83b8146ac64eN.exe	82
PID 3352 wrote to memory of 2016	3352	Flceckoj.exe	83
PID 3352 wrote to memory of 2016	3352	Flceckoj.exe	83
PID 3352 wrote to memory of 2016	3352	Flceckoj.exe	83
PID 2016 wrote to memory of 2168	2016	Fdnjgmle.exe	84
PID 2016 wrote to memory of 2168	2016	Fdnjgmle.exe	84
PID 2016 wrote to memory of 2168	2016	Fdnjgmle.exe	84
PID 2168 wrote to memory of 4740	2168	Gcojed32.exe	85
PID 2168 wrote to memory of 4740	2168	Gcojed32.exe	85
PID 2168 wrote to memory of 4740	2168	Gcojed32.exe	85
PID 4740 wrote to memory of 4340	4740	Glhonj32.exe	86
PID 4740 wrote to memory of 4340	4740	Glhonj32.exe	86
PID 4740 wrote to memory of 4340	4740	Glhonj32.exe	86
PID 4340 wrote to memory of 3604	4340	Gfpcgpae.exe	87
PID 4340 wrote to memory of 3604	4340	Gfpcgpae.exe	87
PID 4340 wrote to memory of 3604	4340	Gfpcgpae.exe	87
PID 3604 wrote to memory of 4892	3604	Gkmlofol.exe	88
PID 3604 wrote to memory of 4892	3604	Gkmlofol.exe	88
PID 3604 wrote to memory of 4892	3604	Gkmlofol.exe	88
PID 4892 wrote to memory of 4564	4892	Gfbploob.exe	89
PID 4892 wrote to memory of 4564	4892	Gfbploob.exe	89
PID 4892 wrote to memory of 4564	4892	Gfbploob.exe	89
PID 4564 wrote to memory of 4848	4564	Ghaliknf.exe	90
PID 4564 wrote to memory of 4848	4564	Ghaliknf.exe	90
PID 4564 wrote to memory of 4848	4564	Ghaliknf.exe	90
PID 4848 wrote to memory of 3860	4848	Gbiaapdf.exe	91
PID 4848 wrote to memory of 3860	4848	Gbiaapdf.exe	91
PID 4848 wrote to memory of 3860	4848	Gbiaapdf.exe	91
PID 3860 wrote to memory of 3260	3860	Gkaejf32.exe	92
PID 3860 wrote to memory of 3260	3860	Gkaejf32.exe	92
PID 3860 wrote to memory of 3260	3860	Gkaejf32.exe	92
PID 3260 wrote to memory of 4548	3260	Gblngpbd.exe	93
PID 3260 wrote to memory of 4548	3260	Gblngpbd.exe	93
PID 3260 wrote to memory of 4548	3260	Gblngpbd.exe	93
PID 4548 wrote to memory of 544	4548	Hmabdibj.exe	94
PID 4548 wrote to memory of 544	4548	Hmabdibj.exe	94
PID 4548 wrote to memory of 544	4548	Hmabdibj.exe	94
PID 544 wrote to memory of 2344	544	Hfifmnij.exe	95
PID 544 wrote to memory of 2344	544	Hfifmnij.exe	95
PID 544 wrote to memory of 2344	544	Hfifmnij.exe	95
PID 2344 wrote to memory of 1808	2344	Hbpgbo32.exe	96
PID 2344 wrote to memory of 1808	2344	Hbpgbo32.exe	96
PID 2344 wrote to memory of 1808	2344	Hbpgbo32.exe	96
PID 1808 wrote to memory of 4912	1808	Hflcbngh.exe	97
PID 1808 wrote to memory of 4912	1808	Hflcbngh.exe	97
PID 1808 wrote to memory of 4912	1808	Hflcbngh.exe	97
PID 4912 wrote to memory of 4444	4912	Hijooifk.exe	98
PID 4912 wrote to memory of 4444	4912	Hijooifk.exe	98
PID 4912 wrote to memory of 4444	4912	Hijooifk.exe	98
PID 4444 wrote to memory of 3376	4444	Hcpclbfa.exe	99
PID 4444 wrote to memory of 3376	4444	Hcpclbfa.exe	99
PID 4444 wrote to memory of 3376	4444	Hcpclbfa.exe	99
PID 3376 wrote to memory of 1948	3376	Hfnphn32.exe	100
PID 3376 wrote to memory of 1948	3376	Hfnphn32.exe	100
PID 3376 wrote to memory of 1948	3376	Hfnphn32.exe	100
PID 1948 wrote to memory of 1932	1948	Hfqlnm32.exe	101
PID 1948 wrote to memory of 1932	1948	Hfqlnm32.exe	101
PID 1948 wrote to memory of 1932	1948	Hfqlnm32.exe	101
PID 1932 wrote to memory of 3288	1932	Hkmefd32.exe	102
PID 1932 wrote to memory of 3288	1932	Hkmefd32.exe	102
PID 1932 wrote to memory of 3288	1932	Hkmefd32.exe	102
PID 3288 wrote to memory of 2224	3288	Hbgmcnhf.exe	103

C:\Users\Admin\AppData\Local\Temp\22a635e31a9cfc21ae9cea24262c6dde5453426153e6554a1b7e83b8146ac64eN.exe
"C:\Users\Admin\AppData\Local\Temp\22a635e31a9cfc21ae9cea24262c6dde5453426153e6554a1b7e83b8146ac64eN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\Flceckoj.exe
  C:\Windows\system32\Flceckoj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\SysWOW64\Fdnjgmle.exe
    C:\Windows\system32\Fdnjgmle.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\Gcojed32.exe
      C:\Windows\system32\Gcojed32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        25⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        30⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        36⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        40⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        43⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        45⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        46⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        60⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        61⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        64⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        65⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        66⤵
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        67⤵
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        68⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        69⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        70⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        72⤵
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        74⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2780
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        78⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2024
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        83⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4220
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2756
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3436
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4900
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1752
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        93⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4044
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2056
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        97⤵
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        100⤵
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        102⤵
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3632
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        110⤵
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2064
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        113⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        114⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        115⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        117⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        123⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        124⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        127⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        130⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        132⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        133⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        135⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        137⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        139⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        141⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        147⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        149⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        152⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        157⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        159⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        162⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        163⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        164⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        165⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        167⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        168⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        170⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        171⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        172⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        175⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        176⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:6212
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        180⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6476
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        184⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        185⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:6608
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:6652
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6688
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:6740
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6780
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        191⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        194⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        197⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7128
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        200⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        201⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 396
        202⤵
        Program crash
        
        PID:6408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6280 -ip 6280
1⤵
PID:6372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
512KB

MD5
6d394ac2e56c4db2f19ec729e7373861

SHA1
47efc9276bb1ad45ec18630abf3a414244626454

SHA256
d8c194c602d168f7c9d1fc6ea9114a38934ca34b39ec7c3ebd991f896cf02957

SHA512
7218073f4acb2a8f53a90debe88818fe0aed9b09b41ea23747f8e3e1095c82f6906cbcc0833f2e8823793b485db6a15359c310a416fb74f6497f3fa566986a9c

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
512KB

MD5
67715c23394c48602c4deee0ab55502d

SHA1
02c1fb58a366367dafa427981433080537a530bd

SHA256
0618ab0dea6b2f0640a2ae51b4776a9793c950f2bd040d7f8f7f0e6d411f5520

SHA512
5919e01c35037bdf62a65fa8c1ce1258485895d4519c6d8f0dddc273ec1bd7efe81c012dc8f276f93356a1862eeb01243fdc74632e9903d641f2c1fd595d1c6d

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
512KB

MD5
25d0f7336affb80bef191d163a97e13e

SHA1
746d9ddedc9773e96e88f02f8a487f9a9f105382

SHA256
d67344b1f26af6af845869d202a59ac9443249441e672699bd251bd50bf47c9d

SHA512
e2cab9d539bd52ec976dd84a80d89faa7c0255431e8cb6dc0060e1dae0252413090baf851322a0bb8d475f025371231b1fe7a00431b1e3fe5e2c67a720aa1fd7

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
512KB

MD5
d5160865c978055da4b8505292353e1f

SHA1
9c637a2939b3d072c02aa9cf8667e69ad73c6526

SHA256
f44e6be0bb1d8b32409780552b19351b6bacf70a1a07ff5c322e7f941bcf8bba

SHA512
f2beef1fe3e4021875e1a3f1d4c6d61f4fda9fb305bd66d688c89e8eb72286ff91135e2b068dc01154fdbba368a282871b5ef6ed06f0803d2bb7a62f978c27d4

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
512KB

MD5
0fd8dced8911cce452913eddc676b9d2

SHA1
f653c96ab947e594d067a75698a513484a76c8e0

SHA256
988bf65f214acff799f4534419499a8bb37f64d02650859a87d3a8425bf6f34a

SHA512
65f82d522656d61732fd5c576aa9168bd6d82c868490d4efe85cf2320059de801d2ed75a995b3d5efe7d2a0ea0257e88de4a15813f36c5a9aa59add413286e69

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
512KB

MD5
82dbbfa48050304aa35670c27049ba72

SHA1
345460c8fd8c327721089c155fb8b1c37c2919f7

SHA256
2c4d5ad81a9b5b4a8b9ab10604553b3849f38f7fabcc2ced131f5a730c6e96a3

SHA512
08e7f246580764f280d383fed28f03bbe3f563138bd0233785cc7068fc671c615001c873aee7a3045651b09371921f72c4e467a0c8b7235d90dc045c3bc14bc4

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
512KB

MD5
640f4d906ab9695839e16ef4ea9fdbd1

SHA1
f7274baffea012490d521991a30de7b787abad45

SHA256
97a77bc8951692211423a06ce07f24267e3a2a29aae45d128c0da310f839475a

SHA512
fda42928f795cb54f44b2b8418cdd2f208e6fe425b6555d72fe21e5f65e50a06e69c331a180191d8b84f72ef844b46f5b5a40a698ba366f238a3eef82dfbd9bd

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
512KB

MD5
ce37b234ae757d3ca59d19a581fdee32

SHA1
e21e7110c87f73a9d346c7d5c2ba379ab7f0384d

SHA256
e568d3eeee35d8500a373a098eee070748995bd9a73baaaf816bedae166145dc

SHA512
9088bdbef9e482f4ab0e97997e39d0b6a55f58b66d8b1009abe21be2c8632abc8b352aa857e78ab88c1476a39583aa071c83f6509c5bf8b2a9f5a211edc48a92

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
512KB

MD5
fae5281b104c13850311fa1d9e4694f5

SHA1
08f3ec69342fd7e23b929e96fafa43c2e3a19c0a

SHA256
9e9aa24eb8f294e1ffa765fccc2af95968e0c5f1ef699006db28177036c6771e

SHA512
d6d091b01d58dce2910298bae9b4c0a7a6dcfdd85bd5c9789bc1b0303b80452f7182c41a7b1cb61dc7b65dba765a339ba40116d996e07b908c31e5d748e1ca26

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
512KB

MD5
91c4e4ca16585deef30e97366bf891fa

SHA1
479eb0e00b5110a8b82dccfb87f85f6b58490a3d

SHA256
147b9ea5cf094f08ea346f7f5a8b3bb23de92844f4d1515c44c6f6b152e8f31b

SHA512
2b5a3ae806b8f4617da8e7aa7f661b5095ec5e8c5f2af09d9baad7905b77844a4d337fe11881219f7fc820296609f88298b75c4a2fb838e460020744774ce2d9

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
512KB

MD5
d6ec6456182c5d063c92b32ab81ee303

SHA1
830f4f83f47b89196cfa86cd287f8fcf6956bc38

SHA256
b24accecadfcb79f4e90419b34de1200a2b26af98bfa110d25366f76007e3fe4

SHA512
cc0b24f1659b3def3b1050b28187df453760a4c8d62bbd94e745f4e540f6c5e3a904b81ccc7313510cf0d23ba6608f0de1f48ee515cf55b4bd4b0dfe4ee52756

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
512KB

MD5
2bcd8c0f97cbd601053369d8fa7905d4

SHA1
a2ccc4ca1be248a247cea354f5930dd67126e7c2

SHA256
3008e1debb11a63e946dd1c171bf2187bdde45a25fc3c6bba15a04e9a386db0f

SHA512
2d9ff8d89dfa9616371709f326fac479dd6f034a9f5e87bb02c7d20e6e2e24f2bdfb718ebb7a9e03383f84700e3a3a48705de314b3c53367db71971a18ac35df

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
512KB

MD5
e7f2b80c78cad9e6e2b6305ab38d875b

SHA1
6307f09d2d1fca4a61cbc8cc5aad90d2f6dd5193

SHA256
2a8b95e1e6e0c2abb3efcd147a709995ddd47cc5a952eb7894712f27520060d3

SHA512
d636e2ea74ebffa539a0a46ddc1798f556748786741fb51c260e31a294aec44df71246e083c2f3b99dbfa50e8437662139a5732e374b656aa0dda8d218d2ec96

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
512KB

MD5
db570a72dee6ee3618b6497eeaf8de71

SHA1
67f0c77f2eb5c4e214998eb3c9ecd030ba6e3985

SHA256
0cad0dd8d466ccb207ebfdb34042714a4f8c7cf4606fb592a5b906d1f689a234

SHA512
6659a533fb60b900a89907ce9fec9560e0a5d61d8a837c36d98527fd78508086afe4f32be42257e15b92f28fb156501308f8b776ecf6f5304bdddecd28868da0

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
512KB

MD5
9dd7181a7f8a57cc5592243afea14980

SHA1
7ecb5cd1d033a830f88d4b295ee01c237373d596

SHA256
dffed7733c3aebe22685ae9a5ba94449e6abfbb2204447adfe983d6befd3699e

SHA512
b80b7d5a902eed7efd6eec3c70adee381908a21ccb8d75c6427c66a48c4fc714293aa711863bcb5fddf0b0529881bbe1ab055ae9a71e4dc2fc53afffbb33e1ec

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
512KB

MD5
42cd83d2ceb95ceda0c32aa64dcca4f4

SHA1
e1c0ec3ad8d0bb5c44710228ad9b981447cd9ddc

SHA256
cf7e4acf99e205da1a2f6f2915bf3fe7d7d49216c29876fe58532743df5debb6

SHA512
0d605600ffa21e85de7aec1e744c25678a67fdd0792128c07e23463f2623cae2dfae921673d4e60094e516d90c9b625755afaaee9b449661194ee9835ad930e0

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
512KB

MD5
9a47c7679e95be6ec9cf82a2d3f16264

SHA1
52553ca57e0cc48b9d969a338dd62536f5583a62

SHA256
e475b55305f4a18462df6cf643b12e29a7c8a1a0f887772efd8f128f30bc02a6

SHA512
f19548f732386f5517a68ba8e666dd456ad13a46d6278755905b35a9aa375cdc66a0db604828dab8920361a14c5b6f7f1b7b3124b7ef6dc313e0c58082ea12d1

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
512KB

MD5
2c3a0df3425fb5f078ee749623b6d38c

SHA1
f129ff5e976fc8e54c5738da74b2aecf7a5f2fe8

SHA256
12562fb59d19947e2c83267108c68438142dbbc8b3ed0c747dd3198b7d0b0dcf

SHA512
8e4752ce63697695b4df9ca172c61304c9d6c31377cd755c012c3a756e38de3149745aa34d25bc23a71362b40ac2d2aff12db0d00114f7c19c3b107d93aaff21

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
128KB

MD5
c98bf135e53e7d84d770b7c6f3e8b3e7

SHA1
69efe15e8557a24a2512a24f3d64f6b3e96d1407

SHA256
a41d24d9a9ceef3aa7aceb620e0e9b1d61d0934d3546ce13a3e26a9216a4ebb9

SHA512
d34f77a5f3cfc3ed9dd2605600897da80fb094c010468979fcb0bf85868542a045d46bf5ae73635cbe18e4bd91b6180a446fb2f3345a5650a0603a9b6296e66e

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
512KB

MD5
e0117962e6c3cee58156d381cd0e4df2

SHA1
ee123cc25ea8f9ea368a36e1fbdda27dbbd0b75f

SHA256
11b516eb8c2467e63893d0e6e1defae318b3fd0d91c3ae39478535d39ad64d25

SHA512
f70e4cc1c59a10f7272084113222696b8a7b46dc515ad98347fe1ad0317d5f551dd10dec008fffa318bbfedb2adba90e74d2b68453ee9db6e6478a386f794fde

Download Submit
C:\Windows\SysWOW64\Flceckoj.exe

Filesize
512KB

MD5
15de44038e6b499a9398f117907dd249

SHA1
6e6dab3c09a190f7660f910218b134f2427b951b

SHA256
fe10f0e0170a3d3c859db5820836160526bb25ee307af14712f2cb11c03e0f9e

SHA512
dc61826a30f35a030051640de7449cc07dcb29525570c2acbd4c4fa482ff3092303e649f4692f3e89ae13c689cda7bc9e4c7605879b2fd3ae3969f3e10a3044b

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
512KB

MD5
efee8dca7a4c57b923978148014aaf8d

SHA1
f73e7bd43e38e6afc47bbf0195928ed9ba640e97

SHA256
8648091f6a2a017e764763b0ed140f4639935c101404ea1d422203aa49499644

SHA512
6677715826d2dfff5c1ba0affeb9bcc2fc5f8f5ce35494e450af415ac849469962a917083e64617e222a5a5ec639bc11a5a055bb8aa7f97e9e854b1a269f95f7

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
512KB

MD5
1ca1b978e309f663a605c42c780d4609

SHA1
47664dac341cc182c2d919751c5e8c9e7b337961

SHA256
ea041a587ccd86c3d4b69666c2f2101f8da1e5dc45c1ea075123286aacfd8d01

SHA512
913cec3d789aa0732df53e795d4fd6f11f5b4c93396b1e50ec4404eefe9e6020f1436bfd6bb5fed46a166808b8b6396b0247b11249f50eb81c8f3c884dcf7bb0

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
512KB

MD5
60451a24607142d79753cbb3abcb9ff1

SHA1
14e3d0c5d9b9adee492f2f93b1d2058126cd7a03

SHA256
c20c4095f25f4f115db82a5f7f80d1db92022677532a0aa510ad3e3b50d9618e

SHA512
65691ee97bfc6a0db0b910ffc28d43f474482716f775298314d634d73e698a717ae456835520a4182e7388bc773f06ea5ef32150e37c84f23a880824885e3794

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
512KB

MD5
7bbaac420c15b52d93650f71e82e1b22

SHA1
31c0da36ca0334a3ad709a435f1ad41ece28b30d

SHA256
9ad14e009bd2d4526ccab57f2ac0f6606d5255ec2c7570f275d2bb12aea15a9f

SHA512
7782fede7b93d130bfd816edff9e2a428ec29bfe72517a61df81e43d302b8fe259ba69884750056cf9a6d3731eeb959c8e3c6e39f31ce276cf24be68a24de4a4

Download Submit
C:\Windows\SysWOW64\Gfpcgpae.exe

Filesize
512KB

MD5
3b8051f3ec24eba602cb1dbe693cfa2d

SHA1
9df204289ed1a793057db65e6434b7dc8016565a

SHA256
d6ee3077c35c9d7f9a6ab19a5d662ba316e5a4ebe51853b1e2aac35337e5d820

SHA512
99d0d5c418758502cb4660d1a990c6c54e429e1aca033d0186ab7a4653a334ceea7003507a10a39e0bc274519c3713533a413d049dd1756e20cf92aa05e1cc14

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
512KB

MD5
e186d9fa3c05ef0060bed4ea0c61c3ed

SHA1
0c5697a6eaf9922ef3d981143e4856996bbe1319

SHA256
7d1a2045e9b71ed2f6c93791c19e116a7e195f674c2249fd01c8e6ef83b334e1

SHA512
900c3d232bee1e57e521cf6c17138ff90c5907e674de116114dedfe59a1591a88d5e24dd1276eb04e9bde46790b0f48a195d59e305a063bfbbedecfe59731d86

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
512KB

MD5
e16506e9485a2127e81ed319179e9cbd

SHA1
a57bd647d5b4ced8b223812286980992f768aa24

SHA256
956252bb0418174abca2919948784d84e79e44d8fcf0ce54bbefe40fb9b5d0cd

SHA512
88fc4cb292ac084e8e074f41945b0f5057439080211d11869cd0360fd6756e5ba915f5e7b58ef144692858f026be46b4be39ef7d48f11fe8faf1d048a1832379

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
512KB

MD5
0de00a1698e3ba6a1444fb3f7f20bdcc

SHA1
9ea9a835d81ec3bcdb06fdc6f57a50307a098255

SHA256
94b7f949ad653c2e5e251d749535cd9c4f8cdc91f37284748e4c71ea80c10b9d

SHA512
c717112320e14897d2ef22c85809442421a48eed9ea51a71833b02a436d4e3a4d738813b4299b3c55a44e66af05cabb4bfe2972abe9af16a01eab7f0d3888dbd

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
512KB

MD5
79f978768b4e600f696163aa8287274a

SHA1
b9c5a374683d74d66ebd66dd2720d8bbde2538ef

SHA256
2f115f669c1a63315e3bbac9e04fdfca64228b574046133f3f380ba68ea6cd34

SHA512
dfb825643abbec344f9fab8d29400c8891be889554b940dadb0a2ff14d671907b7bff294e6132d929496d0c181f43e930f17d77836968bb92ccd54f552194548

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
512KB

MD5
1f39f5ce26cec777ba77fc12b36d4a37

SHA1
f66641c1476bfb714b9563825db8af846cfe3bf6

SHA256
48ec87814cd65439a6840380451986556cc8858d6630329562575bb87baca2f7

SHA512
41701cb6292263cb62f693664ffac0bd60a9ee5af1c994c95d6c0aaeb41bc7860d078456bee3190f43c89c547f44d620da1248d0ae0c05d5e0999c96b1a132af

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
512KB

MD5
5a8b2562d5c039af03dc5d070ccedf32

SHA1
0de4e09ec999e3d03aa830fab8a381fd18a1d64f

SHA256
36597dabc166ecc7a5fbf211949a7d2f86091f27b868c241142a018a549e3f01

SHA512
f2106cc6d09da1ec2c48012b76a6e9f34507a276e264abb73542b3df93e22ab9602876b6e6ab94fad4815f135981b8511b2ba6f14c9980ba4cbce35e9a5a0ed0

Download Submit
C:\Windows\SysWOW64\Hcpclbfa.exe

Filesize
512KB

MD5
ab50980c46d23be7b96609251c62de11

SHA1
9e23995bb541514b5debd3b36cf10a3864a0f71a

SHA256
dd1fa8752201fbe6c5805d2b69b0e8b45a6abd6476d3e4647e08883cd95d419b

SHA512
8c259b9e34555f93019ad0100362ae2b543a6c393c2887d9c4ccaa37db5f288ae73ae23e47b7efc7d9b1f367ed3cefd094103618deb14b5d7b6137b09c66598a

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
512KB

MD5
82ffbadbc22883b47ce2cdcf909aa48a

SHA1
41fc6d0e1b830457ab96a6716e961aece3a5fb0d

SHA256
73100f9f92935650895590485a1cb4e7b725889a50d8e0342f4d46e2f3011e96

SHA512
b527776ecceaadc6443fffaedf36509b24a4cba4a17cbca22e5aa62253fbc4226476e61a4dc2092640cf1b41db416811ce4aebd02695cd07b60c639057cbbd71

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
512KB

MD5
b90cb7abc1d77d226f4fa02295776b73

SHA1
86aae8798cc22bf780bf0c005137ea8328e94735

SHA256
65ba0e6b456db60250b3e1d88be7abbe6ce6717b5a1a2621e57d80796c5e18f5

SHA512
40e0d8e7b925e4330692fa9633507102dbc31ac50a2e12599520bb09f01a2ebce5af1af4691bc9bccd00c32c4e7045e4c66a6d98235487c13cfec5c0e4d2bfcc

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
512KB

MD5
fdb0c032106f202ab1c8e16d5ea9726e

SHA1
23518c2c80886149c50f43f267a821f76d5529a6

SHA256
70fea8305adc11ca6e19e25558bfb014cbe84d3199f1f326547d5c364a20d666

SHA512
3b852d5ea1dce70bb666de370db60a138bcce77c45434feb98f500d3db90d858b3137317c2f62a2c96eabfd1799051b906cdd37449f53ef8ec2374cce2ca32b5

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
512KB

MD5
9d80e3eaa586fbd9330fc739b1d0c29f

SHA1
996945c775f13a0459ef46c604845ebfbf6d7639

SHA256
5d4f6da129d89905c5545c68b95f7a424f646dcd7061f2b9a814b1b181e3337c

SHA512
aa3a6653427d8949d7396e27c5c6cbbc63528e83e381c870f2375256f214dc9697ff348e568e5322a8f053348c278e55a79c3fe8cf9e05c8dd957cd8f2a950b8

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
512KB

MD5
8180f72454ef6c8f722e3f1e3417b9d7

SHA1
9524e6112879ae2e70609d2d17c4eec4220ae684

SHA256
afa7ca1b59d15e496133c1e9d6854fa9adba75db231c60bed09845155c2e578a

SHA512
ab1bb180d64b85b58cbb229a1e26b0c60084d1b2d7c1deb6da1891651fe34cf925e97041d14bc7e552009624721312732f8e40a6a3dbeef439d31fb4b03eb21b

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
512KB

MD5
a0763c67b7c895c389c8d02bee7f9a14

SHA1
6b98939963171d689e8f80ab6b60257ab9b40cfe

SHA256
68bdbf9c238dcacd6d8a2f4ef98d85457356842c52fc26c5112ff1851eaaadfb

SHA512
5996fe8ef62d920a960178cf20c6a6218f79d4b63e7f7d7b060fd6065af1c0ace5daf5b3b2b0a37cf078dc9cd6cdb1ff4bda31f4d29693c3ab2420e767510d00

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
512KB

MD5
a64c843e623c5815b678c6a9cfd4e6a8

SHA1
6a645adc9335349333366833f448ebbef2e1656e

SHA256
143f9d2f9fe6600eaa4e54f58bbff0325b37b74c88d0d716ca7aac363444ddef

SHA512
7ead5ab55d347cae42ca461052c8ba16ee7ea8e377c045c8afe5e20ab448afa76cd4ecd4021249da27eabbb5a8bec608d29788d9d59c1b60a925633c22d2163c

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
512KB

MD5
3613e4a757622493b007252665355c6d

SHA1
f9793b0ee101f939d7c8addc084fd9ef7e86a0f1

SHA256
394cd499e74b3785b44bff553a5e4bd0aa78a1b5a2f9d3ffcca6d5a0ae44d2f8

SHA512
ea5a7b30918bf71eed44a72b2906f005ce7090e6804603d5e6da31745ceb71a136b35324b8cf53685d56c315ec2360056a9ff5a1e7dbe946d819de315b66c48f

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
512KB

MD5
1706634b8cc9483a88bee24cd02e02d2

SHA1
65add5804ffb9cf976687a439a5f682b25b2211a

SHA256
9546af68230eb7ce09988116024700d63347177dd46dc889ca824a82b57e8f2f

SHA512
6b06457989200ae9cdebc3a033f37ff8d229788a366a351aa240697ff23c4e5f7d628bd44ea3b0e428b8a097dcc11bfe6dc74e511c8548a15674e21619a8c526

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
512KB

MD5
e6d6407ce95a299458ad9b1cc6b803ee

SHA1
0869dad156fa706f8a0d570640e4f6987fad25c3

SHA256
56db60bab98d9799a417a21dbfa738cc486e1434f6b53392bd24803f3c809d67

SHA512
b202e694709974b56328c149ecf58b9f052c608d71ed52304becce2115d44e13b8c4dcc4e58e0c7dfbb0bd91d625a534bcce14104e424b794cc61badf63c26ca

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
512KB

MD5
0293cf101675c07d921be6127d7aa2aa

SHA1
1b35183ccc3bec0a0256900bf83bd2cf74b9552b

SHA256
6d261c50c1ec5522333c0f58f0cb3052c4db2a51daf3a2dcec5e2cc6d3143d21

SHA512
9f72df9e9fd8283af03de7b3512012c6f23f0157ead6369abfeefce585b0c6ae24ac23668c4c26b8f227e324f4764386910fb748ea1165d0c40a9b953d9314b5

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
512KB

MD5
9697a6f8eac37289205395a0640c7340

SHA1
b043879cffbb9a20ffe14b107e7358a0dd17da03

SHA256
743d137e3b970a7918b9d809b848e5240011b756930abf593db52a12a603d0f1

SHA512
4cf0f52ddc8bf63ecd54dcd85dd0ea9df5979db18443447e2b25f3839a45e58ca7c5cb7505d487fadde14886170ccc5cda7c769a37edf931d16154e508cdd670

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
512KB

MD5
c134b480478b40996a8abb1a021ef4e7

SHA1
8332fa10cc0e7fc3e68c3ba75e47b393f937bc53

SHA256
af19cc6679685a67c32a53060b66edda3b562d66da219f84e1d4906322620489

SHA512
a377af40b4c69db50a2418ea4af12d04777886debf86d050cd175c52e40171cc2eafedf18df9c0a4a9ab8abd368ef3f6972e8b333c0065f9064d51062ec33e0b

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
512KB

MD5
214073364e090d6f65e8334b0a6dc380

SHA1
2ca88a0a0f63624e200e1f82b686fd7bfa04a836

SHA256
1fa18adce2523d5750cd67b835c0c621b4f2f05a7e6c9b46220793cc584156d1

SHA512
f7616871396a669b07374df47744a013c5c6ba47f8609f08d688f72bf1938afcdc16ae021df65f1a7d942e0d1f641a0d1058800e7097e9b4c6446612b894637c

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
512KB

MD5
1d94c53827fb1e3ce67942657439cfae

SHA1
c389b1dac07336f5f787df98cb019ed8606fbdf1

SHA256
0eb20229b7b15bf39aa0c91b1a7c0048e5d876de162c82b0f18d04aac3e85001

SHA512
257237f6b168c49a5381753353f5ccf8de5eca166cfc30e534e0fa6f42b9282fb6fc8d76dbda72bbfb98792b4aee09cb2ff76d46786f0c3eec67a231f268dbc1

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
384KB

MD5
975b23d247c5365acd1fcc80ab96a549

SHA1
34712d28e032ece72e4e866ec02dd6e6703e5ec2

SHA256
06b31483614f3bb59427d2a1d2f8549d8f6821bd074c3691af8febffe903c831

SHA512
28188a3ec935c59cef717668b7281c7c8287f37e96446c4a9cc5146ac3bb6f998a8a392d05a43765a412db64a94117e6c4a302dadecaf140c03ec9799a75c66a

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
512KB

MD5
bc8acc33ad497ee4fd5416410862152e

SHA1
c2dd7d9da96f2f477fc1adeb0cc21ad204a72923

SHA256
ed810ffae98283395e4d68ec043b1ea272b59d40f0b8cfa16d644f466376d2ce

SHA512
d1800557f53d014cb673ac64667841f17fbba6070e926d4c83e323c9d7eff779d7d834a5f98d5b19cce7067fe5b336d0c1e0afc43255ee256bb8c0af56c8fdad

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
512KB

MD5
17c5a2c23b7b941ddfcdd3d6a8cdef07

SHA1
f53bbe878f79aa35a4669454d81eb42b52adff2d

SHA256
23cb6219ecf1c74a44329a27df92b94e7f7937ca850b0ba1a627e6909d08ed41

SHA512
02a86249b6aff4b1286e65f69cef091726c6399dff94f8e2a4f4a5363fce75631779d79814b7e180f1b7ecbfe7f54ee8bbd5f8791f167ab10cdd73ce247e0f7b

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
512KB

MD5
63dd1e6218ea160cfe64ffd30b51229a

SHA1
f4019ee84390a72ad26669135100d6e9964ebe52

SHA256
d65d06df28de4bd7a6314c530a3d9635854fee815d7572f89cc6eac9d9178a88

SHA512
b9824814c67bd3bccca640d12c88ce8a0ed6bbe002831cb78f82f923eac4606d664b952c601b7116f98981f7ef1f98f6a20caa2925ac6aa320398d1b35d1c23d

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
512KB

MD5
bdf7d26a25b69a49d57070f9b71c9d8e

SHA1
6c479bf05d5a9023e670996be7abb6addcd03775

SHA256
4849d3bdc72fd74dbc93d8fafaf56a017c52e334b9722b466f68b246af51ac2e

SHA512
eaee2e3644cf3ef05965690a020da9f5dccf173ebd2e7dbb0d8e2b9990e322319a8d098df72b5428f7dbac78b137c33cdffb5b90b492420905f8f1426fdb4cfa

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
512KB

MD5
350b4a8a2b76d42f3b32d743ae9b7d27

SHA1
9d6a0a93ad1029a31b3b5f0595ecc03db231bee2

SHA256
d418152bdcef8fcdf23e8ebcedd7cd93462f5f1d96f402dbd1bb4ded302f958f

SHA512
2dedd626733dbaba90404985f3c4894be3ff28412043b8680883a4193974d24ea131684cdfbf90074ef48be03b8f1d0d1b16d46355e7609aee0ee78a1d135134

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
512KB

MD5
8e6cc61a8fbae32f72a4e0b753e10adb

SHA1
8453822a8e4799214505cd734b57e8f393374163

SHA256
9e15643effb6b6841f8765849ce154c7374b0cec9232c5ab64dfe087510370f3

SHA512
bcfb857e4f935f36ff758898a1b58240e460f7f08ff0b6d4f80036358bd5b5d7fcd213a40a626beaf6775a2ef0b0db885109897ae583ab9185abbdfa0001348e

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
512KB

MD5
d5d20c627e21c4d3b04d7cc5f1ca39fa

SHA1
1830bdc4b4771197dd6f340643e35353afff02b6

SHA256
b1c5b4da5103b1524c38b3ff64f2a42bb2f86a72d18c4544817b0addc8219a97

SHA512
d9bfc174e8e50df57706cb0da08332b4f9c837f831cda22030d14f7b7e5ee069f588ec01a2c089bb426133f88e9fb92615bf323e31c42e02d84e8f64b18a85d9

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
512KB

MD5
5816d38c67b22844dd3ed6cc55123357

SHA1
a53b01f7a570e8c5cf599c544246075ae0289959

SHA256
42bb5424971a46115afa966bc81d46a26c9b5e13ba967c9c3033c85583d4b1f0

SHA512
742bcf1f72597862283ab38a725e52404778c559adab14bd18f121c03c54c74cb9629ddf3a3e4d47e5099a2cf4bb2d3ab1cdfcf6a58a04a7e50b50964ae3fb37

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
448KB

MD5
0f7610db14d354f4abf5f3392bbb105c

SHA1
7726d3e054891cd5789277207e45a12ab61b00f0

SHA256
eb060a068421e15aef4f29ef25db9eafb438ed64d91b2958d0eae5a9197df03b

SHA512
cd04bee873342772901c83e2dc9d9d2fcea7eb8812e245ef105990d1fa88b1a5fe3cb37c1526780f9c43903c3e6e3fc0281d209a47feb5a9bbc4f8829cc25f84

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
512KB

MD5
2d1e30fb8d3d46604f1fd447c7b42ed0

SHA1
a2de3551dd8604c405a434c71ff02e494f94ca68

SHA256
e0adc2ceb55b455426b1882a6eaaf87062b2f65066c323fd48fc2ca61ea26a21

SHA512
65c4a572852a210a8381b9f0e7f76e35681033194a454af6523fd794c6cd2261b88226f3b2049a21bf1f20dd0ebb114046ea279efdb01322bcb6c3417d023c1d

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
512KB

MD5
5e6b9d027414b299dc436ef754342624

SHA1
47fcf00e1ad45993e426f3eecb73f79a5b0568f1

SHA256
180aae5f4fc7194b179301733426c82e9baa65c9b195d3c7fd8211bd4986e549

SHA512
4e411eefd1ade456af9156b16dafa87409156788ee53f193495542cce5ea27818d30119ce0f9baebf4d4b7b3144eb8816d80c1fd66de48323e36aae4500d4e4b

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
512KB

MD5
21ea3d2f4ebbf5fa15ccad8a85d3aa67

SHA1
38e3ae598367fb59bfb05dbe371ab7b7af3a931a

SHA256
65916ff3190dede442e0b86c0bce00ac73513e6df7c8e5d75b86a8ba98e57b02

SHA512
6185031281eee9bbf834da8aae2b88947d898f43ba09365b80a5ff6b36ae769e5107a522b1d421bc4c4005b67c6ed725e4b34ee3f001c10cad20f448e5fc5835

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
512KB

MD5
60ffea416f9f046960acb104fb226957

SHA1
177d447c5007767282ed5f3f12660a0f2bcbb73b

SHA256
584d1dbf9badc2621a19f9b3b2fccad7eb1882fa643a7021298d1534d835f13a

SHA512
0e4b498520abb0ff6f06d4b5ad63ad3ab736a066e9bab8612f2c37296a7a335ceae4f4d1330cd95268c113a3d58d5e1f2bbe62d035a2b17aa10a1f0b3a880876

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
512KB

MD5
949eb3ec9f657899d95d166f7a7e9e4f

SHA1
57f10b7a4a2ca1ba8225d99f00d8722dad5e48cd

SHA256
41bb015aaf03284bb086e4e001b6431a2b0c657a13b841dcba429b16ae9eb94f

SHA512
8a835bfe13b3925af52663d6a2fd33e42c567c693fe641e1a69125e286fcf45889aef15901a6b4bef98fb186d894463da834c0e39760687e0df308ac73d09302

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
512KB

MD5
615f0e4125a0eeff758452264ea653a6

SHA1
6608608b3ef0d97942ce3143c7d80d076f8912a2

SHA256
5c207915f239a847896e5daf2adccf366ad1bec07edf557a65f43bbc1ebbcce5

SHA512
9ff899e9dd68136746d290d6da59e1a38c172ba40692ce0d43bf2e2e1d72c2f20d9c14f4d87b4dc2f19a74a4b58f9c941363d7cd667bca0874df3da870e562a1

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
512KB

MD5
8b43e32eaa51fceb5ac58e1e374fc1c8

SHA1
c37e592b73896140f7a9ae410bd27ce265def8c9

SHA256
6ec0741fd3065f99835d405a113e310ce5fb4f49be01ec042d6929602f5af7de

SHA512
5da2ab93f9c2a672f65b16530cb599cf74d52587eae149477c77c1ddd11d1470bc883c8a81e36d99a4cb15e8112b90138c90538c4eeb21e714a1c1eb3f0cc3c8

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
512KB

MD5
ab171aa15a0cf588731e50804669fce7

SHA1
89a6a5920128fa6747ee8a6f41c7fa0d84172e21

SHA256
b0a26d6a8dd44a77e2335224103bed5bef5515385437e9cbb8904a16695bc4d5

SHA512
9f4e5930aa98fa1dc619fe9480a57f547b3543f7cd5688bb3af61c0b5ab435f663011d8a42eaed5f49fd7d7368ddaacaba67fba4a694832c6111b674c120f6a1

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
512KB

MD5
40761d8d07c39e4d6afcf31ccea42643

SHA1
757a7b2b7da9497ef47131fc5928ede3fb964339

SHA256
10cc5acda129ded92a12d2048f80628e466e3a8b65e7b12e14bf1d8e72c8e83e

SHA512
724e63837f7672a4001f8250d38c7311dbdc19c0de5deb3f4eeccb2d5a9fbb3f20bab2c5641051288b153afdc14408af3535b24eeb0d917f6babe9decfc9e3ad

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
512KB

MD5
218876187cb324b2b21fff2258427589

SHA1
f06c7186a28ebc896fbe8c37230e5ab8a1b0f177

SHA256
d4095183c1acfc15b9881cccc628f076a0d6f7070f2b2c8a0349123288ac2cf9

SHA512
ec2623f9fde109c16dfec3eb8ed4b7223c5c1e285521462642ccb99778fd2a2a98a4fcda996b416690f10dada419ce1c4d98c4c57bd633254155cc792137cce2

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
512KB

MD5
09a6130afb75861a04d49d43a2d0c292

SHA1
17298a3fbd9ada491bdeab0302401e223f5e438b

SHA256
692dc2896913ee6bd8e22e0618923db5c80148824a7056c71ac8ac360bcace30

SHA512
324584f072a9b8fb0b8cfa8269424fcf34889be33a5d4dbe2636177d44a3a5d7e9d07b50e4810746f4f86fa1a2d6b941786b95e9488adf358d42e338c673ae38

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
512KB

MD5
08c17d77e765d92129f4524e96a6d5ed

SHA1
0a8ec84940021b036a1ca8e51eeb0c323b3a2bbe

SHA256
d939781fc2a23939b1ba7f660a8914035e93c3c78549cb7fe3ec24b7fec28ba7

SHA512
fcba9dbc5f1a65fb10179fe00dd0f3d91b3a3aff3a6e3fb1e575e272ff1acb0b69eba5cc75b21b16e25a637be7d30324606b60bfb5ef26c9d6a96efcca3f7af4

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
512KB

MD5
851475c6fb409e996279aa45110ddadf

SHA1
2d25d0716ec9ece5d5fe0ab7a8dd3657a82c746e

SHA256
4ddcf25866d7e256d1cd58a4dc37d229851de095cac8c2d716d6e95fe2615dde

SHA512
9b9d74dc6f08db5d0ea8fb8c0c5bd6af67940a81e1030ae842c95d890df4f83e3694f502a82d9305c8303b2b894fc2d7ecb4841bfd121687d971aaec9493a986

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
512KB

MD5
db0198eb6d85dcf5c1b637f51828ff91

SHA1
827455f761c8544b33de9f7d2d093e817e38c8a6

SHA256
39a02d29c2e2d04b7e8ced05ab84ca2f177f024b12dab7c71a87a63518dff75a

SHA512
d4885e10e58eaeedcd7eabd968a4cf72154ce1aac62c50d771d9437a425286def4a0268e9a2db3bd62f0888194c10da6a8d56c5f539622134a76dde42d9b3c01

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
512KB

MD5
96de825b9967971f14917702bab69907

SHA1
938937e814cd04f2ed37d12abe1b487a825aafbb

SHA256
746b8fe516b26e82f256865d7607349533e76473db1732af527ef7275d24b35b

SHA512
fea326f26942c5ffdcba87bbe031246ec21baf19040a8c83e709c402227258f76e9512fe3b356a24e322950b0806e1cde4a93ecbd857b677d012e3f8a7858ef3

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
512KB

MD5
d6461a9331128c53d23dcd66a41ca4a1

SHA1
c6ddfda8b2283f99233a64d081e46c39123a0ed6

SHA256
5039d46ffe2378f6c3851962778e69e8c3c6f5841afa3d6afdd448f9f0c738ed

SHA512
de904d5c8fa60d30ea06010dd5141c83bf27aef86c6335bea3bb2feac824be804f0b5e0258754e0b24a0ec09d4af949bc01f46c5b567460890d928d8a579324d

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
512KB

MD5
827fd60700e8a84b189e0bdf1ddeb4a2

SHA1
79cf9969cf7d41ee052d603a53cc7ced8659fc20

SHA256
78b4ea51c320d946967af0126d5b763c83a7ea3b5ed5ab826589ae201beaa86c

SHA512
3af8101703ea43916e5095bbb37a5c50268089b4d80ae357c24013402f6ebae7cc4eae0bd9b05c22c08ff0f015a05cb69f51d6e0bb8e371a87401858041e32bc

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
320KB

MD5
41b0a27fffa23debe3cbd3fa8b8de619

SHA1
473b6c3996d94074786a34e48aae60612db4f275

SHA256
b786ca4d84592c80eeabaecc65470debd47fbe41ab60d8254bdf1fec20080798

SHA512
c133f3d72eb0566db1d48b47e91cf786c49e19a169fb1cf15f172032638ae289227ce3ce97e11f95b0f92689951d46adea7f281854d6495dcc1475f9a2ba3ee0

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
512KB

MD5
936830553ebf5eda50f646b6bb46c343

SHA1
481862600778c5ee462ec0f6f74aef3d161b6224

SHA256
c5bc888c6a766222cd58ae123d8d797ca45b919b87754a0f9967076cd040e83a

SHA512
b4e0d01de7303dceed30198cc31d61c74c2edf9b80a1c2a065af71685a471128df22457a46481694b22f69dcb172bab1db9f3a15317f10fefaffc6aa6fd3eeb0

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
512KB

MD5
df0f05baee5eab1ac121c947e8941fb5

SHA1
52d3bde871fe539f97f4e3cc92fccdd197b37e23

SHA256
e7d09dd9c81842283ed985c235da59c03e945093abf17e1cf6ac12887908cd10

SHA512
182607cc5b9fa20f7bfb8bca7128fcb076018b48cc1a3deccc3837ab1288af441190675c269a60579725e8890152c3ec389c5fea5f20ccb43e08cd03231e83d8

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
512KB

MD5
f7d17a0c5b92a82e06de2a89acece285

SHA1
84b6ca3c45e197ce77822c37ca4b822ebae039a8

SHA256
e2c431bb35df949200a1ded5be77b99d70c4ecf9dfb8b170bb4732165d3c2e4f

SHA512
d93e6069f7edf3cd1a2ec84c9ea9bbf369379d77f93bc31b309f03696a067e26cbc526c0415f02b5623fa44cb598a8e0930acd9c817cbd3448e833380e7fa0ee

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
512KB

MD5
146a0ca3fd011d482b8d53f4b05fc935

SHA1
f46939659bca22504a8f8219698d7a494e734c80

SHA256
640584740a999c404de5a9210a77fcf59bb07c198d17959e4eeb56e1318ebb4e

SHA512
e4a8290e4f06112d600b7e32c34a1fe406b6da277d3ef7564d7e0c72951a8d9023e64190211e4ece195b050e605fcdfebe22f1b64158dcb76b2b882dcff02729

Download Submit
memory/216-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/544-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/668-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1060-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1304-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2016-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2016-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3184-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3244-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3352-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3352-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3376-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4340-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5348-1469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5360-1429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5828-1431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6132-1472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6168-1424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6520-1409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads