berbew | 84efe4659fc9a92ac43a6f62f16fccd6c4cae26bf0300851879969d449f159f3

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84efe4659fc9a92ac43a6f62f16fccd6c4cae26bf0300851879969d449f159f3N.exe
Size

320KB
MD5

33bf5980049fe0e1002d857e8b94c5d0
SHA1

bd346942bc88c98ac7ec8d05c01a88cdf0d0c73b
SHA256

84efe4659fc9a92ac43a6f62f16fccd6c4cae26bf0300851879969d449f159f3
SHA512

821dc1e1e029cb783eb9f4bb01d39f6f2d33804cf83096b9ca4d7373245177f3a89a494be2c2e3bc798f76f6c9ede2814a9f7bb1bf8557a597beed22aa046533
SSDEEP

6144:K+uzscS8JJJFAeCDtDyB8LoedCFJ369BJ369vpui6yYPaIGckvNP8:K6NPtyWUedCv2EpV6yYPaN0

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkobmnka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cljobphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpchib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqdcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glbjggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdecgbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfjkjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaohcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gblbca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gncchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glgcbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gikdkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlnjbedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnfmqng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eecphp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Felbnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fligqhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpnoncim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmohno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbalopbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cohkokgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domdjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cljobphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blgifbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Emjgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fligqhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hefnkkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jgbchj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bheplb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpbpbecj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpcapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdbfab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gifkpknp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glkmmefl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbeejp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Coadnlnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfglfdkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkhnjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjgim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeelnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnknafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bafndi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klahfp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1596	Aolblopj.exe
2356	Akccap32.exe
1844	Adkgje32.exe
3600	Aaohcj32.exe
4256	Ahippdbe.exe
2052	Blgifbil.exe
1396	Bdbnjdfg.exe
2524	Bafndi32.exe
4220	Bkobmnka.exe
5000	Bahkih32.exe
1836	Bheplb32.exe
2968	Camddhoi.exe
2860	Ckeimm32.exe
1368	Coadnlnb.exe
1952	Cdnmfclj.exe
1552	Chiigadc.exe
2032	Ckhecmcf.exe
2508	Cocacl32.exe
3640	Cbbnpg32.exe
2424	Cfnjpfcl.exe
1692	Cdpjlb32.exe
4784	Chlflabp.exe
220	Ckjbhmad.exe
4752	Cofnik32.exe
1676	Cbdjeg32.exe
4952	Cfpffeaj.exe
3904	Cdbfab32.exe
1384	Chnbbqpn.exe
2276	Cljobphg.exe
2836	Cohkokgj.exe
1112	Cnkkjh32.exe
1512	Cbfgkffn.exe
4468	Cdecgbfa.exe
4524	Chqogq32.exe
2480	Dkokcl32.exe
1612	Dokgdkeh.exe
4444	Dbicpfdk.exe
3968	Dfdpad32.exe
3240	Dhclmp32.exe
5096	Dmohno32.exe
4484	Domdjj32.exe
3576	Dnpdegjp.exe
1224	Dfglfdkb.exe
4552	Ddjmba32.exe
3284	Dmadco32.exe
3480	Dooaoj32.exe
3596	Dbnmke32.exe
3752	Dfiildio.exe
3580	Digehphc.exe
1044	Dkfadkgf.exe
2776	Doaneiop.exe
2352	Dbpjaeoc.exe
1140	Ddnfmqng.exe
1820	Dijbno32.exe
3828	Dkhnjk32.exe
1000	Dbbffdlq.exe
2408	Dfnbgc32.exe
1716	Eiloco32.exe
392	Ekkkoj32.exe
4888	Enigke32.exe
4116	Ebdcld32.exe
2832	Eecphp32.exe
1048	Emjgim32.exe
4692	Eoideh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Angdnk32.dll	Dmohno32.exe
File created	C:\Windows\SysWOW64\Ddnfmqng.exe	Dbpjaeoc.exe
File created	C:\Windows\SysWOW64\Ebmenh32.dll	Ddnfmqng.exe
File opened for modification	C:\Windows\SysWOW64\Ebdcld32.exe	Enigke32.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Boenhgdd.exe
File opened for modification	C:\Windows\SysWOW64\Cljobphg.exe	Chnbbqpn.exe
File opened for modification	C:\Windows\SysWOW64\Cfnjpfcl.exe	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Oqadgkdb.dll	Chqogq32.exe
File created	C:\Windows\SysWOW64\Flkdfh32.exe	Fimhjl32.exe
File created	C:\Windows\SysWOW64\Gkjdipap.dll	Lcimdh32.exe
File created	C:\Windows\SysWOW64\Dnbdlf32.dll	Lfgipd32.exe
File created	C:\Windows\SysWOW64\Pfoann32.exe	Ohlqcagj.exe
File opened for modification	C:\Windows\SysWOW64\Bpdnjple.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Hmlephen.dll	Coadnlnb.exe
File created	C:\Windows\SysWOW64\Dnpdegjp.exe	Domdjj32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnlkfal.exe	Mogcihaj.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Oabhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Nohffe32.dll	Dokgdkeh.exe
File created	C:\Windows\SysWOW64\Bhpofl32.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Pbbmemif.dll	Bahkih32.exe
File created	C:\Windows\SysWOW64\Dkokcl32.exe	Chqogq32.exe
File created	C:\Windows\SysWOW64\Dfnbgc32.exe	Dbbffdlq.exe
File created	C:\Windows\SysWOW64\Gpbpbecj.exe	Glgcbf32.exe
File created	C:\Windows\SysWOW64\Kmhjapnj.dll	Hoobdp32.exe
File created	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Oclkgccf.exe	Ofhknodl.exe
File opened for modification	C:\Windows\SysWOW64\Dpiplm32.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Ckjbhmad.exe	Chlflabp.exe
File created	C:\Windows\SysWOW64\Klkfenfk.dll	Glkmmefl.exe
File created	C:\Windows\SysWOW64\Hlnjbedi.exe	Hmkigh32.exe
File opened for modification	C:\Windows\SysWOW64\Jepjhg32.exe	Jpcapp32.exe
File created	C:\Windows\SysWOW64\Ocgeag32.dll	Ofhknodl.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Ibingd32.dll	Fechomko.exe
File opened for modification	C:\Windows\SysWOW64\Cnkkjh32.exe	Cohkokgj.exe
File created	C:\Windows\SysWOW64\Jeciaina.dll	Dfglfdkb.exe
File created	C:\Windows\SysWOW64\Fnlmhc32.exe	Flmqlg32.exe
File opened for modification	C:\Windows\SysWOW64\Jedccfqg.exe	Jgbchj32.exe
File created	C:\Windows\SysWOW64\Ogjembbd.dll	Lqkqhm32.exe
File opened for modification	C:\Windows\SysWOW64\Ogcnmc32.exe	Onkidm32.exe
File created	C:\Windows\SysWOW64\Bacjdbch.exe	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Mqpdko32.dll	Cfpffeaj.exe
File opened for modification	C:\Windows\SysWOW64\Fligqhga.exe	Fijkdmhn.exe
File opened for modification	C:\Windows\SysWOW64\Hmkigh32.exe	Hedafk32.exe
File created	C:\Windows\SysWOW64\Fenhjedb.dll	Hlnjbedi.exe
File created	C:\Windows\SysWOW64\Accimdgp.dll	Jghpbk32.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Dokgdkeh.exe	Dkokcl32.exe
File created	C:\Windows\SysWOW64\Opjghl32.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Fbjieo32.dll	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Ndoell32.dll	Goglcahb.exe
File created	C:\Windows\SysWOW64\Dmadco32.exe	Ddjmba32.exe
File created	C:\Windows\SysWOW64\Eecphp32.exe	Ebdcld32.exe
File created	C:\Windows\SysWOW64\Kaofbcjo.dll	Eiahnnph.exe
File opened for modification	C:\Windows\SysWOW64\Eejeiocj.exe	Eblimcdf.exe
File created	C:\Windows\SysWOW64\Polalahi.dll	Jleijb32.exe
File opened for modification	C:\Windows\SysWOW64\Pfiddm32.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Npefkf32.dll	Bheplb32.exe
File created	C:\Windows\SysWOW64\Lnldla32.exe	Lfeljd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7772	7536	WerFault.exe	338

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbfgkffn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Felbnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbchdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hedafk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hffken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgifbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gidnkkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiiicf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klahfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnofeof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fneggdhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnipbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbalopbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glipgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iepaaico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgmeigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiigadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cofnik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iomoenej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgpoihnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjmba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eeelnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfjkjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibaeen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cljobphg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkfadkgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doaneiop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkhnjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimhjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbelcblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gejopl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gldglf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbeejp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epmmqheb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffnknafg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbjena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfjfecno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqdcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbjcljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjbhmad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdecgbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiildio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbbnpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiloco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekodjiol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpchib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jepjhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgbchj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljnlecmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnoaaaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkobmnka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camddhoi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll"	Emoadlfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlepcdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cohkokgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkokcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbicpfdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicpnnio.dll"	Dbpjaeoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Emjgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lopmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodbhp32.dll"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jedccfqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnbgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enigke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffnknafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjodaqj.dll"	Fmmmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gldglf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfebfnqn.dll"	Gbeejp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	84efe4659fc9a92ac43a6f62f16fccd6c4cae26bf0300851879969d449f159f3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chnbbqpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ennqfenp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoideh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnadil32.dll"	Eeelnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppihoe32.dll"	Gpgind32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hedafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angdnk32.dll"	Dmohno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenghpla.dll"	Enbjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jllokajf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebgpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glbjggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaohcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fefedmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkpbaea.dll"	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Glkmmefl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdbfab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkfadkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnhqepf.dll"	Eejeiocj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fnlmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbgihaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imgicgca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klfaapbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phonha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckeimm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhpjc32.dll"	Cocacl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjmpfcl.dll"	Dkhnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll"	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdomd32.dll"	Cdecgbfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmadco32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 1596	3788	84efe4659fc9a92ac43a6f62f16fccd6c4cae26bf0300851879969d449f159f3N.exe	83
PID 3788 wrote to memory of 1596	3788	84efe4659fc9a92ac43a6f62f16fccd6c4cae26bf0300851879969d449f159f3N.exe	83
PID 3788 wrote to memory of 1596	3788	84efe4659fc9a92ac43a6f62f16fccd6c4cae26bf0300851879969d449f159f3N.exe	83
PID 1596 wrote to memory of 2356	1596	Aolblopj.exe	84
PID 1596 wrote to memory of 2356	1596	Aolblopj.exe	84
PID 1596 wrote to memory of 2356	1596	Aolblopj.exe	84
PID 2356 wrote to memory of 1844	2356	Akccap32.exe	85
PID 2356 wrote to memory of 1844	2356	Akccap32.exe	85
PID 2356 wrote to memory of 1844	2356	Akccap32.exe	85
PID 1844 wrote to memory of 3600	1844	Adkgje32.exe	86
PID 1844 wrote to memory of 3600	1844	Adkgje32.exe	86
PID 1844 wrote to memory of 3600	1844	Adkgje32.exe	86
PID 3600 wrote to memory of 4256	3600	Aaohcj32.exe	87
PID 3600 wrote to memory of 4256	3600	Aaohcj32.exe	87
PID 3600 wrote to memory of 4256	3600	Aaohcj32.exe	87
PID 4256 wrote to memory of 2052	4256	Ahippdbe.exe	88
PID 4256 wrote to memory of 2052	4256	Ahippdbe.exe	88
PID 4256 wrote to memory of 2052	4256	Ahippdbe.exe	88
PID 2052 wrote to memory of 1396	2052	Blgifbil.exe	89
PID 2052 wrote to memory of 1396	2052	Blgifbil.exe	89
PID 2052 wrote to memory of 1396	2052	Blgifbil.exe	89
PID 1396 wrote to memory of 2524	1396	Bdbnjdfg.exe	90
PID 1396 wrote to memory of 2524	1396	Bdbnjdfg.exe	90
PID 1396 wrote to memory of 2524	1396	Bdbnjdfg.exe	90
PID 2524 wrote to memory of 4220	2524	Bafndi32.exe	91
PID 2524 wrote to memory of 4220	2524	Bafndi32.exe	91
PID 2524 wrote to memory of 4220	2524	Bafndi32.exe	91
PID 4220 wrote to memory of 5000	4220	Bkobmnka.exe	92
PID 4220 wrote to memory of 5000	4220	Bkobmnka.exe	92
PID 4220 wrote to memory of 5000	4220	Bkobmnka.exe	92
PID 5000 wrote to memory of 1836	5000	Bahkih32.exe	93
PID 5000 wrote to memory of 1836	5000	Bahkih32.exe	93
PID 5000 wrote to memory of 1836	5000	Bahkih32.exe	93
PID 1836 wrote to memory of 2968	1836	Bheplb32.exe	94
PID 1836 wrote to memory of 2968	1836	Bheplb32.exe	94
PID 1836 wrote to memory of 2968	1836	Bheplb32.exe	94
PID 2968 wrote to memory of 2860	2968	Camddhoi.exe	95
PID 2968 wrote to memory of 2860	2968	Camddhoi.exe	95
PID 2968 wrote to memory of 2860	2968	Camddhoi.exe	95
PID 2860 wrote to memory of 1368	2860	Ckeimm32.exe	96
PID 2860 wrote to memory of 1368	2860	Ckeimm32.exe	96
PID 2860 wrote to memory of 1368	2860	Ckeimm32.exe	96
PID 1368 wrote to memory of 1952	1368	Coadnlnb.exe	97
PID 1368 wrote to memory of 1952	1368	Coadnlnb.exe	97
PID 1368 wrote to memory of 1952	1368	Coadnlnb.exe	97
PID 1952 wrote to memory of 1552	1952	Cdnmfclj.exe	98
PID 1952 wrote to memory of 1552	1952	Cdnmfclj.exe	98
PID 1952 wrote to memory of 1552	1952	Cdnmfclj.exe	98
PID 1552 wrote to memory of 2032	1552	Chiigadc.exe	99
PID 1552 wrote to memory of 2032	1552	Chiigadc.exe	99
PID 1552 wrote to memory of 2032	1552	Chiigadc.exe	99
PID 2032 wrote to memory of 2508	2032	Ckhecmcf.exe	100
PID 2032 wrote to memory of 2508	2032	Ckhecmcf.exe	100
PID 2032 wrote to memory of 2508	2032	Ckhecmcf.exe	100
PID 2508 wrote to memory of 3640	2508	Cocacl32.exe	101
PID 2508 wrote to memory of 3640	2508	Cocacl32.exe	101
PID 2508 wrote to memory of 3640	2508	Cocacl32.exe	101
PID 3640 wrote to memory of 2424	3640	Cbbnpg32.exe	102
PID 3640 wrote to memory of 2424	3640	Cbbnpg32.exe	102
PID 3640 wrote to memory of 2424	3640	Cbbnpg32.exe	102
PID 2424 wrote to memory of 1692	2424	Cfnjpfcl.exe	103
PID 2424 wrote to memory of 1692	2424	Cfnjpfcl.exe	103
PID 2424 wrote to memory of 1692	2424	Cfnjpfcl.exe	103
PID 1692 wrote to memory of 4784	1692	Cdpjlb32.exe	104

C:\Users\Admin\AppData\Local\Temp\84efe4659fc9a92ac43a6f62f16fccd6c4cae26bf0300851879969d449f159f3N.exe
"C:\Users\Admin\AppData\Local\Temp\84efe4659fc9a92ac43a6f62f16fccd6c4cae26bf0300851879969d449f159f3N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\Aolblopj.exe
  C:\Windows\system32\Aolblopj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\Akccap32.exe
    C:\Windows\system32\Akccap32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\Adkgje32.exe
      C:\Windows\system32\Adkgje32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\SysWOW64\Aaohcj32.exe
        
        C:\Windows\system32\Aaohcj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Bafndi32.exe
        
        C:\Windows\system32\Bafndi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Bkobmnka.exe
        
        C:\Windows\system32\Bkobmnka.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Cdnmfclj.exe
        
        C:\Windows\system32\Cdnmfclj.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        26⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Cnkkjh32.exe
        
        C:\Windows\system32\Cnkkjh32.exe
        32⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        43⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        47⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        48⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        50⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        55⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        60⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        66⤵
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        68⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        70⤵
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        71⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        72⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        73⤵
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        76⤵
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        77⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        78⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        79⤵
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        80⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        82⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        83⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        85⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        86⤵
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2808
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        88⤵
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        89⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        92⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        96⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        98⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        99⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        100⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        101⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        102⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        104⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        107⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        114⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        118⤵
        
        PID:720
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:400
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        121⤵
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        123⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        125⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        131⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        133⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        134⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        135⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        137⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2696
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        139⤵
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        141⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        145⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        147⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        148⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        149⤵
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        151⤵
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        152⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        153⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        158⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        160⤵
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        161⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        163⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        164⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        165⤵
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        166⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        167⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        168⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        169⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        170⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        173⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        175⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:6424
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        180⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        182⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        183⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        184⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6672
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        188⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:6872
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        191⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        192⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6992
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7032
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        195⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        196⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        197⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        199⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        200⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        202⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        203⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        204⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        205⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        206⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        207⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        208⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        209⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7008
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        210⤵
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        211⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:6360
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        214⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        215⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        216⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        217⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        218⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7060
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        220⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        222⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        224⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        225⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        226⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        227⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        228⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        229⤵
        Drops file in System32 directory
        
        PID:7256
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7320
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        231⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        232⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        233⤵
        Drops file in System32 directory
        
        PID:7452
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        234⤵
        Modifies registry class
        
        PID:7492
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        235⤵
        Drops file in System32 directory
        
        PID:7528
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        236⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        237⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        238⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7676
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        239⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        240⤵
        Drops file in System32 directory
        
        PID:7780
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:7828
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        242⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        243⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8008
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        245⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8072
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8144
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7020
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7244
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        249⤵
        Modifies registry class
        
        PID:7344
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:7400
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7472
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:7536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7536 -s 232
        253⤵
        Program crash
        
        PID:7772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7536 -ip 7536
1⤵
PID:7672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaohcj32.exe

Filesize
320KB

MD5
bb60b129933ce1a15152f127ead45f4d

SHA1
da0419c14b851ff421ac1f1d7d5d7ddb91c02cc2

SHA256
d575816a51fc823f1d88f8dca64e90b3a5e685709607be7f9e10ba862fa4d3a8

SHA512
2849f5a71ed5a1a35475cedf1fd7dd8147603b2946e4b6d775ff0c62141b24c4683c89367c7487bc8812cbc04b97cf0f3ee6e60e6078b4908be09a7f53951ef3

Download Submit
C:\Windows\SysWOW64\Adkgje32.exe

Filesize
320KB

MD5
fc5fe2b0bc3e21557d538658f8522f49

SHA1
4bc35523f36a3bcb3eee39573b4eb445ed1f18f2

SHA256
ba20c1fbe25450c6a3b43402edaed21890d291a741dfb2700e0febbb44de2fc6

SHA512
aae59c9a765dac1e9f4004e4702b32e8f6abc35dd83548a7903b6256f3fe25356b4a1315d3b4e1fa697702816a89ceb2c233865dce61da086ffa7dabf8b23904

Download Submit
C:\Windows\SysWOW64\Ahippdbe.exe

Filesize
320KB

MD5
31ce4a52733aeb33780f0723c3659fa8

SHA1
0396f110bb761a6cd7dc3d29eee4aef8c5d03214

SHA256
6f6ea4cc2bd1ddbd6abae136abf0ca7b6fa91f1c1e413650c0aded604434ed71

SHA512
95975aca62e87790fb595f0ebf0c947c1f8abb69f07b71954fe3a0b1963b7ec0aa72163d167d30f308bd14e54125d95847b2e242e2eae74ad775ea85bb2ebfca

Download Submit
C:\Windows\SysWOW64\Akccap32.exe

Filesize
320KB

MD5
bdd60ded7203e708a83a0b88829ade6b

SHA1
e475bc972f9635e013d02d4f16876ea51c5ca2d8

SHA256
ea3f9a5f4db27e751384c357b403f187724d2c617b41b06e7a5cffa69567dda5

SHA512
8f0a495e55d2ead0a302103191d7ed53c70f90f005aaa1f3f8ef83a4683a6880c29fc33b3ac54d00c0c7313b4be68dd8f8e1b3e1eca32215a5e008782018d7a1

Download Submit
C:\Windows\SysWOW64\Aolblopj.exe

Filesize
320KB

MD5
510f0156086bff9b78229a6193dcbec0

SHA1
3ba1185c8ab8b62a083c86678a5f966d7194183e

SHA256
634e855bbd87c7580a5dc5081d86f7ca4e65424d32bec5077d2569d99b2e7edb

SHA512
8fb6b1f895c83f49a984fc5124c7bab866a693fea26e05b1b67240cd37b8acfa2e4dc90883cacd216205054562d795eaf52262974adba2e419604e23c51e1031

Download Submit
C:\Windows\SysWOW64\Bafndi32.exe

Filesize
320KB

MD5
0fc821c7801fbfaf36a7c5997770b451

SHA1
63d9a8ca703468825f75d4ecf12d67151e1a1a7c

SHA256
7e2ac5a38fc130dee391b4140577761509667dbc8d99ec35810c6831d3426bca

SHA512
6c5138d94eb05ec35dc3292a80bb1dcf77099640048cda88ed4d5306369266716a96ef31d5de53f9aea885351f88ce7cba2684715c3f4c5ed0256016ad86de15

Download Submit
C:\Windows\SysWOW64\Bahkih32.exe

Filesize
320KB

MD5
f59a54b37429a60df098974aab06593f

SHA1
9b0e7745b08c977fceb24b6643e3026221f11dba

SHA256
b37f33d2f40d40296d2433c87d0f8b37b089bbb243c82e43123cd054db8f55a9

SHA512
e8e53b5b1b1e412f00192d2245a56d84f33cfc3c4f06501c403760f052cc6f5e2d2e827fccbfec32068a34f0139adf869f5ac2807c8bfc35f67a692011b88603

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
320KB

MD5
89305608b2b3e7355dd83c20a55b526c

SHA1
c4fef0cc29c8d703692a5cb1482867141f914eb9

SHA256
17f1411d34fb39d2f0c68d8986f29e5f4d588551c622d4644870331b4c2d4527

SHA512
8fea58b7f2b81fa6a2d390e998201a16e315bcd5a6732abeaf9d5f414e93c746b06346615e0056868d0ee7450ed1dba33350f8a3c60c8fb7bc9b30d82e0dca57

Download Submit
C:\Windows\SysWOW64\Bheplb32.exe

Filesize
320KB

MD5
b78e60992e1bfacf50b2ff6285034b77

SHA1
b866f5f2cd4d3903e42a8e3da93b48de08c8170a

SHA256
11fbe27db7294061c8e035608628134f37739f805e433e744acb1753a5771720

SHA512
f620ba564735d9934f0dc3a0daea19c5f53770e7ce98dd9fed427e36c4576a99281d3a931d21ec229a2450d551c4255482ec02a8f9e5ae4da3e5b5f8a45edb1c

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
320KB

MD5
f2fddfdf0fec1eca11b446c3c94705e4

SHA1
7d5df9f51d5cae4c077b423ec16619ca81a4dad2

SHA256
79a8c665c2083bf572b5858306f9820f884424a6412bc755401f1e39cb9417e7

SHA512
180716051c8539def7d2296d62194aa1575ec8cd15b07f4302c1c91d703e8912bde215a28102f3d2f751fd892d0d990f2fab501d8a0ba7c9e63d216e2f747659

Download Submit
C:\Windows\SysWOW64\Bkobmnka.exe

Filesize
320KB

MD5
a717fd0b0c4ba1375c33c1d62ca5f6db

SHA1
48e3477fc36e7ea4111f097448c3f6d2c7a7bc18

SHA256
b4c9395bf58f8ff7b66ddaca7de3c3ac1ff201a26c8f2f75c0419d48959f15de

SHA512
9a211fd4be50c40502070ff5a57679b430a52622aa8ef85382b9012a9373327cc241a784fdc370cee1a3a4b483cc6f4ca1fba24992c464d26b34ac64b059ff3b

Download Submit
C:\Windows\SysWOW64\Blgifbil.exe

Filesize
320KB

MD5
707f1b40a085386008ab5a1d054e8d89

SHA1
c5353957c91b306e2b855d5a905d69218ec8334c

SHA256
34f6c4e90425b80f36329872110319946290eaceaa04c8abb87342099097e42e

SHA512
c5ea58cea68e92b8f2103d3c2b5a03969ab759238edb4df9475fb71f28e348dcc51e309c24fa1ed855d8f610661027a12c03c1c9f07235fef9faac1ff324a6e2

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
320KB

MD5
5e2b3ab64069f314a6c596290a35ca26

SHA1
087cc28b54c01930f0de554f96fee8502d2ff4f2

SHA256
7e52e2a52c1525f55c6852dc063b6ec510ad9bc644a7a0ae8d391e8193e59581

SHA512
d8488d84002b81fb6359e0a9475034fa0bb7b3ac0042e8751fccd4d112483445563b09ddfc10960ea86b312267f5ca0117049e012c1d4f3efe2bb9933758c26f

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
320KB

MD5
17db315d4c80fc9d3eda153e6fa3e77a

SHA1
7499b4d7f6ee8803a5fe59e3f6f5142ed234ad1e

SHA256
2019c1b815071b0c08fe88522b8ccd054668ea2c495085e2611c4477e648cb67

SHA512
1f4a1a940ebe5fbe45d126f66397d5effc393f6a6e3d6e0a487d8aec3c0ea2d8ea34bd1f6d5e573127e43db278df7a181d8eda45a3a1add5d68c9485b6a68fb3

Download Submit
C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
320KB

MD5
d1c7c709fe2d7fa39f3653f7d7266625

SHA1
2875d78d2ddca1cfcf992efa4279386195878b57

SHA256
27b36db4531d3b19d1be8d1787651c57436b09abae3610d8366303995b5d5284

SHA512
d435ee2c2ee90a3f0622e0117435be34e7b4fa41a88fd6e60ee8c2f36d457a73decc26edcd8ff2fab8cbf54a0eab1f04e34fdfab6ae0f81887a24b66c4631edd

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
320KB

MD5
ec18da14a68263e9020f1b3dbb10dbb1

SHA1
75dbfee991163e2042fb9e0fc64e79a01c95065b

SHA256
ccebc710961c28dad1f1f997fb98b5b07e2a7f5f4658fe79e0899e4bcc1de797

SHA512
df528308322c58ae171b8c9db12e1d7bebcf476a319c0e5f842382becd4cebb1a6f0bc1d69d3441dcd3c0661902e04476c785dc1a8295f92964d4501f179e8e6

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
320KB

MD5
c75562c91ca86382a3907720bb5ce1c2

SHA1
437306c0e12efd6d5d13c6d614a6040edf46cf1e

SHA256
1379e13e3a34e8d93bfc71a8290cf00284aaa40206ed60a05f262edb7382b734

SHA512
0d7e2502bbe93ab00a355c3449a8d40fdae59ef9d211efeb6ec38154cb8f39c0e6f2c715955bffb14be88b09ee2f5ccc31f3b000bc845d0a4958eeed75d2181c

Download Submit
C:\Windows\SysWOW64\Cdbfab32.exe

Filesize
320KB

MD5
e9f8810bd52c2535773adbd8d0812da7

SHA1
0346f157c6501a7b2c53920f642708d3562c892a

SHA256
6fae5ab6cc4525a6e8547074b1c22d07a91611fa42164c9c8372a55a0a2f113d

SHA512
6e71e15a15c2a1f1e464a169aa8ed2c6d6fa4ce5cd07ba2c3ec2d8ce9df9b884bba52ef44d2f1aed413271e55ca57d9718ed4693f595ccce4da41aa359502807

Download Submit
C:\Windows\SysWOW64\Cdnmfclj.exe

Filesize
320KB

MD5
abb6fca6fc984739e6f939cdb91a16be

SHA1
8aec5b6593ba8ffb7f0dd5edb3fe36afa32a60a5

SHA256
898a2b89cacb8410e5e9fd6c03eb1e85455916d93eb62b8b9de1e69a385bd87c

SHA512
bd360a47b28dea6e69a40c085263145eb42c0b006ee10eb764fa4c18d28b404b00381c1fbfa4c66236546c01ec9aa72b2e2376930ff7c7dbb9a2707150721e3b

Download Submit
C:\Windows\SysWOW64\Cdpjlb32.exe

Filesize
320KB

MD5
8ad840cdd1d0e1cb248923d574ac80ae

SHA1
494bcddb7cbc6d955d830af301b28b35da682269

SHA256
b9b15b0df00d534fc17307660d959d2be222a09e0406d546a50b846098126396

SHA512
8df98a641195f72a83664ddfd0f3413e07dfc4ac9049dd31ee01cb09bdded4471df0998eddf9e8a4a7dc95505375204fdfaba7493d26553c6a30225991c41add

Download Submit
C:\Windows\SysWOW64\Cfnjpfcl.exe

Filesize
320KB

MD5
79a9e1c7351eee3d87d0f285f8c016e6

SHA1
673b65959e91011e6c303e2d2ec1b2b55a111c4f

SHA256
9f43917a819632a6e69c0345d0bb12b6c74cb4a9ded1fccdc7ad86a3b4919d84

SHA512
c819f969e06bda72cf8e735add062444e51aaa42775173705f5f3c6834e531def8eab6ac32136a567e13f262404e50c486f504d9b1cb68e49775666126565706

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
320KB

MD5
8bf9a26a080bd15c0140b9172d4e5b9c

SHA1
bcabd116c923f9df30eaa8f6089c2f03aa3eb591

SHA256
ce1f2e49d4d612a65bfdf8a8477e06eff2b6a9f8b1ec89f91dd03c60553e8102

SHA512
634a7b0a2f50ee17b4f2e1f408ef7701fcf7da37aa0da2f3fcaf657776c05b8bf8954d31659257fd49fe0b2bfd591a089b974f28192797ff24434106036ca91b

Download Submit
C:\Windows\SysWOW64\Chiigadc.exe

Filesize
320KB

MD5
4783e395139f6e222a968288e1f827c4

SHA1
eb0a40208e0ad821cfd73570aba2e44414a9b058

SHA256
923f25aa9b6b7094bf10cb12b41816352153ab886a0aec6d2f3852a93ea63a2b

SHA512
501bd9b3150c0e180a3934be8485fc36d8a81152324904fce97a5487a642f3ef0505297cffab4f9e2e80c3f4f89f1564a08d8fcec6bf7d39d221071347a0e485

Download Submit
C:\Windows\SysWOW64\Chlflabp.exe

Filesize
320KB

MD5
5dd3119b42ca9d5a71725803806576fb

SHA1
42aaf0bf754490b6bc01c0728558a76ddfc339bd

SHA256
157d2ea1841629b3700d3c75f22529d9c6a0ece806c6d13ccb26fd973cde0072

SHA512
d047042eb2ac7bb2fdd2be93b748bf623cce871c9867d277b00797415f3e883d7fe6907af74c218c08b773add6d0af5925a8044ea43e09754c13da8e274e81b4

Download Submit
C:\Windows\SysWOW64\Chnbbqpn.exe

Filesize
320KB

MD5
23ff73debe61a4b0531808e51bd744ec

SHA1
754a4fcd114dd46559175011923e48122b937c04

SHA256
0da68bbf6f71eb58479954febd9a9fef13e2a766f1ca77b777861a08f76f03b9

SHA512
7f7cd4420b20be06b0ba58ae2fcf6455b53ae76b670b0e4caa100f4d290fae88d3e3b6cb1ae6e669ec0f3f688ac86d6c8718b9ca77ab6d5e2b479128795f78fa

Download Submit
C:\Windows\SysWOW64\Ckeimm32.exe

Filesize
320KB

MD5
b8c7a1906b5daffc7c8444abaeab32cd

SHA1
79d69f4185ad0454b338aae307ee4dac4949f759

SHA256
d9152b975ecb81babd20fb6f0b529e8ece34f40ca4b84790988f67f4786b93ae

SHA512
2fa098177b3a15f19e7f547b84b07e08c5907598629b307245faa3b3af9905ffb414a74badbc55ef346ee22005312c24e2796e6f20dd66b5aaa9e8fded2ea35a

Download Submit
C:\Windows\SysWOW64\Ckhecmcf.exe

Filesize
320KB

MD5
335a6cfff5696b5980ca43ceac5ddd56

SHA1
d8850162444a71a7d15fb0c2cb4017f8f6a5e835

SHA256
f4db43b137bc6416d1340250a6b888f00e8dcc202285460602e836cd1b06f628

SHA512
9e1d37b4c146c0ee4a0e7d3bcc0f88a2f604918990d0baf88472b9a3ca01fb80e1fe562c6e1bd627645cfb972f7c2dd0f47c5b0fd556cdfda983dcf329ba918c

Download Submit
C:\Windows\SysWOW64\Ckjbhmad.exe

Filesize
320KB

MD5
c417f40550dcfe19a52c698b11e11176

SHA1
7213376bf212d92460c488775a39812c8185c77e

SHA256
29919f1edf732d8d26b521d3bfce23a8468b8cd08f6610ac0b415003388ce769

SHA512
a0b5a174407dd23a1d4b01e86846615ee65270083b170d6cbd609d56dac866808d17deb44cd23373cd472b926ab7be0968da59e56ac2003f4dc242e6a2b6f598

Download Submit
C:\Windows\SysWOW64\Cljobphg.exe

Filesize
320KB

MD5
084dd4716d1d02c2291ffdbdaff3f28f

SHA1
acc09d7120b1ab5df9257636772ab1eb790547f1

SHA256
8c35ecc15f73f1cb6c99fa32db92d300ba28a1d7b12e18a534fac041516d4875

SHA512
90866884c6989435b2edb7949054a05abe91187b7e126582bdd507939f816a5ca4c741c351c9dec6ddc728222e0890894caf232228a8e358a7e5e658b7c21287

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
320KB

MD5
ffec65bf7e3c16812e3427057e413204

SHA1
c663bc79697bb9cfbbe027516a740a462c19f1dd

SHA256
0279a3841cb70c6c996b0c75dbf5140a8a8b6f8788791af0da9887a33b4497fd

SHA512
0dc5f40fad4e74ec12fc883f3aba35211ac03a288788e00ef3c565668e42adcaa186a8ae589d56325a5736d2837b2fb7cafaf60a4933a7501dfa26844a9195b3

Download Submit
C:\Windows\SysWOW64\Cnkkjh32.exe

Filesize
320KB

MD5
c56c2794e6b5f3e3d5488a247add5ddd

SHA1
5143efe438ae5aba9d31a29d69fdb9af4943adc7

SHA256
93541e84861c0775679724065c6e5c7c58fc0d2f047ac064997f7729fb504743

SHA512
a1925cb167d480aab325e49981be375ab956ad46f04a44751aae617e96cefe6876659fd118f379d3654e4b26c10e416cff972b8de4963fd2e9dd302b89b9de2e

Download Submit
C:\Windows\SysWOW64\Coadnlnb.exe

Filesize
320KB

MD5
89f28325d743c0deb77e46811af1a690

SHA1
f59b74ad21e5f26c81c22b7fdaf2dc9f730be165

SHA256
d3cb02632ca2d91fb00c81713979c07748ef9121b1b6655ce0895fd3cf1db0fd

SHA512
18c5f125e7e3d06191450c4fe1d8e911055a6f957d48fc33f51f6cc9456dff3b7c9df4653e49fa3117baffd5fce074c56fb13459e8b707f053bc17297ed8524f

Download Submit
C:\Windows\SysWOW64\Cocacl32.exe

Filesize
320KB

MD5
dcf6b9e6149a61f82a95c349725784ca

SHA1
64c0a4b5bcc8a357a4c0fd611f4a9a8a5fa73abd

SHA256
9bc0211f804031685d6d49776aeac8d6f19dcd699c20d00b3efb95141c601415

SHA512
8ef12ff4cb3efe4166d5764d54a5c8c609dcb4e168d9aef24f3a8b9221da0bb2539fbf0ce9663e3c4e6d71680e07eb35c02c75adfe941adf93bcc43ecaae401a

Download Submit
C:\Windows\SysWOW64\Cofnik32.exe

Filesize
320KB

MD5
f5353f3a5347c2cd322fd33105b52def

SHA1
a3725363de6e9cc942b84b25b2768d2864f25171

SHA256
36c837d938ac8046c95029f4c5dc064072025690435b928355e5866a6b5c7676

SHA512
88c7e0d9147776eb7b170a29cdf6c9d348a9562ee54782bbf90c55835462a0d8c12c545460aebbf4b0dae4e963871175aceec31072ac76c91806c602f924d04d

Download Submit
C:\Windows\SysWOW64\Cohkokgj.exe

Filesize
320KB

MD5
5f4dab422aaa55f48247d3d89c82a3b2

SHA1
95af1a7d9cce84bd44c4f148793b12d711b687ae

SHA256
14259adb20a67d3257b67d7434221020bd81672c3248b26496709334b4598f54

SHA512
dcfeb3d78af92be0c34475beeb7db40290b3aedf8f5357b3f17dc48ac5b789327b5026302e08935f619e88bb7dfa51277ca21962bccc5f9554763f7a67d21cf9

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
320KB

MD5
016186ea2520948a4670e536161e64b8

SHA1
7680da6e8c378e78bc48404250e809270d87f6c9

SHA256
5816c39c0bd31aa69dffc38a8afbff41425ff94548589519009711d6dcaae23c

SHA512
345be00e71e41dfb72c7ecffbaf6aaf389a76a406eb4899e449a48807631c16ea6ade1ac3c15031d578b3184f6c9fdd249a2bab23f8d4f18d38782e7b2c39123

Download Submit
C:\Windows\SysWOW64\Ejoaandc.dll

Filesize
7KB

MD5
34337c4ccb850bb9def8ea9ce9e9a94e

SHA1
089cf1046165b6cac01e91b3d320982904b19dd7

SHA256
542524bea8cb0742a950cc79d3e65d0865f99cae4394ef616940f5fc109fb0bd

SHA512
e546252882659f68c34ba4dbcf5a6adf5aada996b2e9bbfff0a922184931d32af776f56709d105e55b141520c61debe0b30cb92511d523f6288b55fd25bd54cf

Download Submit
C:\Windows\SysWOW64\Hlepcdoa.exe

Filesize
320KB

MD5
9de52206d72f921983c183010b80d84a

SHA1
a2b4171614c782cb9488b78fb1e38aa92cdaa796

SHA256
d7aaacbb69c94085ee05b9ce99a84d9dc9e98eb34b6323d54ebe3da68a0697ca

SHA512
fbae43b461b49654f3c42811ee073699907943f7f630b052b4c9f791c7e6c94145cdb2381f1605a964a6e6eba930e13aa675f0e02f7987a9709fdb09754f1dc5

Download Submit
C:\Windows\SysWOW64\Iomoenej.exe

Filesize
320KB

MD5
8b3426429c3adb6d6318e606ba773bca

SHA1
cd7c1b6e5c906d3694818385f9d3f52015485e8d

SHA256
bb12da8a63833d76c04ba045a8da520532fce0979a4c2e759e810957674bc2c5

SHA512
b66323f8d4eec4bc42b799ee81216c85ec5dc25dca2e0f2fec12b974d67e62fdcd8faf03782b70d062019aec92d3c0aed8bc0f180bd1f3d868874ccd4dae407a

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
320KB

MD5
d7a9f99e4d6076d3dd5a81f8eb163c1c

SHA1
a97f67ec010b5597f7d194f94f5fa1a6ca26c9a6

SHA256
7df67398afb8e1926831c2a4721da77b18ad6dd2c4d6abfb6b9d4205b82f3f72

SHA512
611329a21ac6fdc2c11153455818f6b62c173009e0411d26e427d82b05cf22a2683acee9b7f34ed65e8025dcb00ab6bbbdaa160baf60425a8e2d53b97d89b024

Download Submit
C:\Windows\SysWOW64\Jghpbk32.exe

Filesize
320KB

MD5
3fedb198ed1a4727485eb09ac83001b1

SHA1
cb02b78b426f0236baa048f1724aee413bf67dd8

SHA256
a3c246aa62300e30e6514eef60e2aa5d9b5cd4c92c53b498e9ddc675ee745af1

SHA512
c0192c8b476a2219fbebad8708feb6899f9a704ff262337082afa1892f562100e68a923903ec050ffd8b23938a58837c6b31249ab4f04ae3a16ebf7ad29c6275

Download Submit
C:\Windows\SysWOW64\Klahfp32.exe

Filesize
320KB

MD5
2ba04952133cab7ebaff72e65f0d7167

SHA1
8212310f719ea1f7727984ea3752a957aa9461d9

SHA256
e874f34869553e5d60e4320215da3b9349cbad6ffa2c2e69232376560d80e1b7

SHA512
5e8b0d1fb6a363c503abebe37d6ee838e3a96fa453e4ae98f1ca0e623caa1e85044ebc37d8713258ec0ab2f07084e4e6f3ba98acd2ee2b0f015a27f3e47cf9bd

Download Submit
C:\Windows\SysWOW64\Kodnmkap.exe

Filesize
320KB

MD5
cb772a2b75e6c29e4257d77df4c1fbb7

SHA1
ad52a9c9d0064fc38ca8b2877e7222973336b057

SHA256
dc22f729ce1cfd6b8a97393e75d56c3e61697b2b58ff0dd0f4aea400bb3722fc

SHA512
ee036a702ca3ed3287706ad9d74b864b88b2ac64dc19fc9c66a7504ed3393b4a842d6e3e44b3d370bc5269d6b9f633e286e0c69c6286764479ecff59c3ffb979

Download Submit
C:\Windows\SysWOW64\Lgibpf32.exe

Filesize
320KB

MD5
d1e436d55c755f48a13791b2396dbca9

SHA1
40b4b0f86926fc4f921071471376f0bd21f8acf5

SHA256
6459fb7e0fa82b4df4e5adde8836212464f63603e4744013542e5b59167879cf

SHA512
09140de5a8477511399c6d392d1c77493ba73694b846b56b887e762a7ec965125a7c496e33ab7b41e18bd50044a26f470abd37ec1cfe5124817a48765b18fba1

Download Submit
C:\Windows\SysWOW64\Ljnlecmp.exe

Filesize
320KB

MD5
a62b2b5096546b0af7863ea976e6b13d

SHA1
60753f394290136beff4cbcfd4fd49ddfaaa48df

SHA256
20acab51ed062290f31b0176e9494f35e18a74196432e16df373b892d811df97

SHA512
8f9400af604123ba086733ae5e390ee32ac58a7c4b92623a02eecd4a8020d1b84ade413ee85b5deaec9a67cfa5ee3ddd54d0325e0718dfd3cb1580af96ed7c54

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
320KB

MD5
b13564d1bf1b8838f2e743cb45c9e3c1

SHA1
0f68d5ad5a0c0e682f83760a96cdd670f1233531

SHA256
82d50944512c70bf64d9f03a5ff6c87543a308ea0ad86fb717a1aa0accb39693

SHA512
fda5828f7c4d9dce5ce9e8bd2faa893ac98be00650b767183598d482b14bb5e93b243be11eae92e6012b26532dbd2808ec1cad6f240bfcddf095cd3d269f2c5e

Download Submit
C:\Windows\SysWOW64\Mgnlkfal.exe

Filesize
320KB

MD5
b667ace3452eb247e7bf81c8e674986d

SHA1
8f3c0bdb9affe50e89ef31f194a098e551a8ffce

SHA256
491067e919bafe65bbd371d81002627be3ee5f38021a43419b596103239b7432

SHA512
8408efaf2aaf403044f3f216fddb8d4c809eb9c040c2ae8bbf19ae96368059f5c75b8a4afa12ebf01800f3060b59990ba41a048870742f8da6e9b885152b2810

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
320KB

MD5
84ec6d425543e4182bf82cdce672b60e

SHA1
571d591e56d5361d17c48134d3eb55038efe884e

SHA256
631e3211e6b6a387e84ae46d380b0d6456b3417fc477aacf93dc02dfbb6bd20f

SHA512
80d29d9d1e177b5e6a01b9045d0539db2c3d8ce568d6bdb558c41550526426fe9024803acac5e7c8fc6313dc6dd1099ac1920baad289f093f9aa236e2afaf8f1

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
320KB

MD5
942107b21e97d92b2e8b28d0ad8ba333

SHA1
1febe3151a48d32ff6849332e2076b8f547c3e68

SHA256
98fd2c73c564456665b0979d63b39f0d8a5f7fff62c565db5628401ba6b118aa

SHA512
9b6d6498cd253ff7ea40a3ead19a53d2bf8fce22f565ffd20c9687daf8f7564c1700a28841d868e9df61166efd0cb8369127ddc12df686dc2e2831e7097fb5e3

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
320KB

MD5
320170eccef1715a98ccb9f0280f8c63

SHA1
a36516b6325e30b1a309d2013a88139808b83b26

SHA256
2181dfbcbc8f6c1ceae751a5bd3b104473543e99d750460188d256c6d0263591

SHA512
34ac2fd47aa3e38a89021158ce2e249449c074cd9bb5b28c00b97eec1b0e27b9242d3ccadbd41a52b549c1298a6c77b8d41189978b515402bf7aee7c8cd13f8c

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
320KB

MD5
d503a64ff143034c22c500710a3cf2c4

SHA1
58433daca9acb9f049d34132a5ce7fa939365a07

SHA256
8f08195db65344a61b34e9edb0d822d59b7d14c70cbb278216a28c58672070fc

SHA512
91e52492ee8013ffe7adf49ba08be9c84959ca41108480bf4d6fb9b055f9278dc9b19c9c2276b7917ced6a427fdd8ff2a312032a8e72ba567e7fc5d1b9ff850f

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
320KB

MD5
bb1327e42b8e25cd4d9bfbb505dd5331

SHA1
1533a8efc74c18971bc25a0324ed57bfeac1d92f

SHA256
d42cc2c6466d5d41e7d3a2a418d58f79554608c5e9937d9d88366bed0bcdc960

SHA512
df324847de7c1a9cd06aacdf5869f4e3f4ca1446357fe9f8d08f6ccd0d1d6979e34830d9ccc1a196a3dbab274178cb335e0bac3069adc4f3d66107035ffe649d

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
320KB

MD5
69f625c4bf5603ad1966cacef66360f1

SHA1
dac19dfa4daae833782a59bbe54d9cbc23cbbd15

SHA256
7155ae02ec6918ceb44d8bcb3124120d515c960c81458c4e2bc960766c1e38e3

SHA512
82dd807136c58fd43b4cc99ebcfd3cb40b5e66192839b4fbb7e4d33b6c807856342287679abf80922c73b572d1f3e4af04d669dfcb1769dd9912f2d187396ac1

Download Submit
memory/220-187-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/220-675-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/392-417-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1000-400-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1044-364-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1048-440-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1112-251-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1112-718-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1140-382-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1160-480-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1224-324-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1368-112-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1368-621-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1384-226-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1396-579-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1396-55-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1512-723-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1512-259-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1552-633-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1552-132-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1596-543-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1596-7-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1608-1826-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1612-282-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1676-204-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1692-663-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1692-172-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1716-411-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1820-388-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1836-88-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1836-603-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1844-23-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1844-555-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1952-124-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1952-626-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2032-140-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2032-638-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2052-48-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2052-572-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2112-514-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2276-235-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2276-706-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2352-376-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2356-548-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2356-15-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2424-657-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2424-163-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2508-148-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2508-645-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2524-63-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2524-585-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2644-1888-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2776-370-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2792-1980-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2792-520-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2832-434-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2836-243-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2860-108-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2860-614-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2968-608-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2968-95-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3128-468-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3148-462-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3240-300-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3284-336-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3576-318-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3580-358-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3600-560-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3600-32-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3604-497-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3640-651-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3692-474-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3752-352-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3788-536-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3788-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3828-394-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3904-696-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3968-294-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4116-428-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4220-591-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4220-72-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4256-567-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4256-40-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4304-1796-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4444-288-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4468-265-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4484-312-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4524-271-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4552-330-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4692-446-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4752-195-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4784-179-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4784-668-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4852-531-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4952-211-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5000-80-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5000-596-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5080-503-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5096-306-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5100-491-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5448-1884-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5492-1850-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/6132-1820-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/6424-1778-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/6544-1692-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/7060-1698-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads