berbew | 1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8.exe
Size

96KB
MD5

4c54cedd3fdb6552db9aa46be094caf8
SHA1

adfe5e172549001146f58eedaaeb0027bb8b2820
SHA256

1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8
SHA512

95a801dac1e407298871699e0c342590fd9ab02fc38814210cc314b14447a2446433ddf419c6145900e6ae35f827128a3f06e22ec205c0fc531527fed5407705
SSDEEP

1536:A+diu3nsq27SYOio2x3n2VGv2Lo87RZObZUUWaegPYAC:A+diu3j27SYOS3n8G03ClUUWaeH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dadeieea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkdkplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecandfpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfembo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deanodkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cehkhecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjlcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoaihhlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkffog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdnjgmle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehkhecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecoangbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fchddejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hecmijim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkoiefmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1580	Cojjqlpk.exe
4504	Cdfbibnb.exe
3196	Colffknh.exe
2280	Cdiooblp.exe
2060	Conclk32.exe
3720	Cehkhecb.exe
3812	Doqpak32.exe
64	Ddmhja32.exe
3840	Dkgqfl32.exe
3476	Daaicfgd.exe
4832	Dlgmpogj.exe
1460	Dadeieea.exe
1076	Dlijfneg.exe
1816	Dccbbhld.exe
1560	Deanodkh.exe
4436	Dkoggkjo.exe
2384	Dahode32.exe
4540	Dhbgqohi.exe
1372	Eolpmi32.exe
736	Eefhjc32.exe
2928	Ehedfo32.exe
5064	Ekcpbj32.exe
2616	Ecjhcg32.exe
1484	Edkdkplj.exe
4912	Elbmlmml.exe
2448	Eoaihhlp.exe
4560	Ednaqo32.exe
4000	Ekhjmiad.exe
1892	Ecoangbg.exe
3208	Ehljfnpn.exe
3216	Ecandfpd.exe
2068	Edbklofb.exe
4840	Fohoigfh.exe
232	Fllpbldb.exe
2188	Ffddka32.exe
3796	Fchddejl.exe
216	Fhemmlhc.exe
2024	Fooeif32.exe
4592	Fbnafb32.exe
2580	Fkffog32.exe
844	Fbpnkama.exe
5116	Fdnjgmle.exe
4748	Gododflk.exe
1876	Gfngap32.exe
740	Gkkojgao.exe
4080	Gfpcgpae.exe
4584	Gmjlcj32.exe
2464	Gkoiefmj.exe
1300	Gfembo32.exe
1616	Gkaejf32.exe
1896	Gcimkc32.exe
2080	Hmabdibj.exe
2304	Hckjacjg.exe
3380	Hihbijhn.exe
4344	Hobkfd32.exe
2324	Hflcbngh.exe
1004	Hmfkoh32.exe
4920	Hodgkc32.exe
2288	Hfnphn32.exe
2176	Hkkhqd32.exe
4060	Hecmijim.exe
804	Iiaephpc.exe
4852	Ibjjhn32.exe
4388	Ikbnacmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hqdeld32.dll	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Colffknh.exe	Cdfbibnb.exe
File opened for modification	C:\Windows\SysWOW64\Ecoangbg.exe	Ekhjmiad.exe
File opened for modification	C:\Windows\SysWOW64\Gkaejf32.exe	Gfembo32.exe
File opened for modification	C:\Windows\SysWOW64\Hobkfd32.exe	Hihbijhn.exe
File opened for modification	C:\Windows\SysWOW64\Jidklf32.exe	Jianff32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Fchddejl.exe	Ffddka32.exe
File opened for modification	C:\Windows\SysWOW64\Iiaephpc.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Fhemmlhc.exe	Fdialn32.exe
File opened for modification	C:\Windows\SysWOW64\Fooeif32.exe	Fhemmlhc.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Dlgnafam.dll	Ddmhja32.exe
File created	C:\Windows\SysWOW64\Ajgblabf.dll	Hmfkoh32.exe
File created	C:\Windows\SysWOW64\Ikbnacmd.exe	Ibjjhn32.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hbcbgk32.dll	Ecjhcg32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Gcimkc32.exe	Gkaejf32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjjhn32.exe	Iiaephpc.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ffddka32.exe	Fllpbldb.exe
File created	C:\Windows\SysWOW64\Gfngap32.exe	Gododflk.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Conclk32.exe	Cdiooblp.exe
File opened for modification	C:\Windows\SysWOW64\Ilghlc32.exe	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lingibiq.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pejjde32.dll	Ehedfo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7092	6616	WerFault.exe	297

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifgbnlmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfngap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffddka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfembo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehljfnpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbfgig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecandfpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hckjacjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hecmijim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilghlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doqpak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deanodkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eolpmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ednaqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfpcgpae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahode32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fooeif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlgmpogj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpnkama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkdkplj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dadeieea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkoggkjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edbklofb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeklag32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dahode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelcja32.dll"	Edkdkplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaijinl.dll"	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geplnioe.dll"	Ffddka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehljfnpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpjp32.dll"	Fkffog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdnjgmle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Colffknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhi32.dll"	Dkoggkjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegnoi32.dll"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhemmlhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmabdibj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcimkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klljnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdialn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1580	2588	1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8.exe	83
PID 2588 wrote to memory of 1580	2588	1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8.exe	83
PID 2588 wrote to memory of 1580	2588	1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8.exe	83
PID 1580 wrote to memory of 4504	1580	Cojjqlpk.exe	84
PID 1580 wrote to memory of 4504	1580	Cojjqlpk.exe	84
PID 1580 wrote to memory of 4504	1580	Cojjqlpk.exe	84
PID 4504 wrote to memory of 3196	4504	Cdfbibnb.exe	85
PID 4504 wrote to memory of 3196	4504	Cdfbibnb.exe	85
PID 4504 wrote to memory of 3196	4504	Cdfbibnb.exe	85
PID 3196 wrote to memory of 2280	3196	Colffknh.exe	86
PID 3196 wrote to memory of 2280	3196	Colffknh.exe	86
PID 3196 wrote to memory of 2280	3196	Colffknh.exe	86
PID 2280 wrote to memory of 2060	2280	Cdiooblp.exe	87
PID 2280 wrote to memory of 2060	2280	Cdiooblp.exe	87
PID 2280 wrote to memory of 2060	2280	Cdiooblp.exe	87
PID 2060 wrote to memory of 3720	2060	Conclk32.exe	88
PID 2060 wrote to memory of 3720	2060	Conclk32.exe	88
PID 2060 wrote to memory of 3720	2060	Conclk32.exe	88
PID 3720 wrote to memory of 3812	3720	Cehkhecb.exe	89
PID 3720 wrote to memory of 3812	3720	Cehkhecb.exe	89
PID 3720 wrote to memory of 3812	3720	Cehkhecb.exe	89
PID 3812 wrote to memory of 64	3812	Doqpak32.exe	90
PID 3812 wrote to memory of 64	3812	Doqpak32.exe	90
PID 3812 wrote to memory of 64	3812	Doqpak32.exe	90
PID 64 wrote to memory of 3840	64	Ddmhja32.exe	91
PID 64 wrote to memory of 3840	64	Ddmhja32.exe	91
PID 64 wrote to memory of 3840	64	Ddmhja32.exe	91
PID 3840 wrote to memory of 3476	3840	Dkgqfl32.exe	92
PID 3840 wrote to memory of 3476	3840	Dkgqfl32.exe	92
PID 3840 wrote to memory of 3476	3840	Dkgqfl32.exe	92
PID 3476 wrote to memory of 4832	3476	Daaicfgd.exe	93
PID 3476 wrote to memory of 4832	3476	Daaicfgd.exe	93
PID 3476 wrote to memory of 4832	3476	Daaicfgd.exe	93
PID 4832 wrote to memory of 1460	4832	Dlgmpogj.exe	94
PID 4832 wrote to memory of 1460	4832	Dlgmpogj.exe	94
PID 4832 wrote to memory of 1460	4832	Dlgmpogj.exe	94
PID 1460 wrote to memory of 1076	1460	Dadeieea.exe	95
PID 1460 wrote to memory of 1076	1460	Dadeieea.exe	95
PID 1460 wrote to memory of 1076	1460	Dadeieea.exe	95
PID 1076 wrote to memory of 1816	1076	Dlijfneg.exe	96
PID 1076 wrote to memory of 1816	1076	Dlijfneg.exe	96
PID 1076 wrote to memory of 1816	1076	Dlijfneg.exe	96
PID 1816 wrote to memory of 1560	1816	Dccbbhld.exe	97
PID 1816 wrote to memory of 1560	1816	Dccbbhld.exe	97
PID 1816 wrote to memory of 1560	1816	Dccbbhld.exe	97
PID 1560 wrote to memory of 4436	1560	Deanodkh.exe	98
PID 1560 wrote to memory of 4436	1560	Deanodkh.exe	98
PID 1560 wrote to memory of 4436	1560	Deanodkh.exe	98
PID 4436 wrote to memory of 2384	4436	Dkoggkjo.exe	99
PID 4436 wrote to memory of 2384	4436	Dkoggkjo.exe	99
PID 4436 wrote to memory of 2384	4436	Dkoggkjo.exe	99
PID 2384 wrote to memory of 4540	2384	Dahode32.exe	100
PID 2384 wrote to memory of 4540	2384	Dahode32.exe	100
PID 2384 wrote to memory of 4540	2384	Dahode32.exe	100
PID 4540 wrote to memory of 1372	4540	Dhbgqohi.exe	101
PID 4540 wrote to memory of 1372	4540	Dhbgqohi.exe	101
PID 4540 wrote to memory of 1372	4540	Dhbgqohi.exe	101
PID 1372 wrote to memory of 736	1372	Eolpmi32.exe	102
PID 1372 wrote to memory of 736	1372	Eolpmi32.exe	102
PID 1372 wrote to memory of 736	1372	Eolpmi32.exe	102
PID 736 wrote to memory of 2928	736	Eefhjc32.exe	103
PID 736 wrote to memory of 2928	736	Eefhjc32.exe	103
PID 736 wrote to memory of 2928	736	Eefhjc32.exe	103
PID 2928 wrote to memory of 5064	2928	Ehedfo32.exe	104

C:\Users\Admin\AppData\Local\Temp\1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8.exe
"C:\Users\Admin\AppData\Local\Temp\1dae0b0344aa6796e47bd389dd5a729975e6eaecf4e391d2b2f53191436421a8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\Cojjqlpk.exe
  C:\Windows\system32\Cojjqlpk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SysWOW64\Cdfbibnb.exe
    C:\Windows\system32\Cdfbibnb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\SysWOW64\Colffknh.exe
      C:\Windows\system32\Colffknh.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        23⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        26⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        34⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        38⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        57⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        58⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        60⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        61⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        62⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        66⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        70⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        72⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        75⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4224
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        78⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1744
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        82⤵
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        84⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        85⤵
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        87⤵
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        88⤵
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        89⤵
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        93⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        94⤵
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        95⤵
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        96⤵
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        99⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3484
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        103⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        104⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        105⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        107⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        109⤵
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        115⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        116⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        117⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        119⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        123⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        125⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        126⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        128⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        129⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        130⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        131⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        138⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        139⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        142⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        144⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        145⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        146⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        152⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        153⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        154⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        156⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        157⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        158⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        159⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        162⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        163⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6264
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        165⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        166⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6448
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        169⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6580
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        174⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        177⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        178⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6996
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        180⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        181⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        182⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        187⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6572
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        189⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        190⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        191⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        192⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        193⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        195⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7032
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        196⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        199⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        205⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7152
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:6616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6616 -s 404
        210⤵
        Program crash
        
        PID:7092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6616 -ip 6616
1⤵
PID:6844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
9e8b7c9199e1fa3dfcce027e36799c06

SHA1
95e9f84553eab9dff87d36578390f9f6c96a1505

SHA256
4fc55fdada3c774124e7f7108681011aba3758c440aef81212d50654f7137b6d

SHA512
5e154ece0b02f7307885caba3a0880cc307e826c30ce102bb09a4292b926928f0059cb1a2c089e34b1dcaa8b4b0617126f8f12c1ba949dcf103cffb341b0affb

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
96KB

MD5
acf379d4d79bdea236070cdc9c24ca72

SHA1
e487a62477851e4e277376bf64dcf0a2d7c6e0dc

SHA256
f6a5082eca05b01daeaa671d7dfe676c232d5b9459b8f4294076b05ffdd17860

SHA512
1879662b19bdb95a44e259f70abfc3b8dc1de72080477b04b931fe3560f474f265c60df8e4a1af5a9b159b8f3221065598a30d3af77a6fa79c325662975669d5

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
96KB

MD5
336826787c075b39b81ef7a8ce2883cb

SHA1
3d2e10ced8ce57ac3d8f415495cd9e89bbd36038

SHA256
41ec556f1f173178624f5e603ea65301b4bf10e823fdef0011a0f240e840c0ad

SHA512
665236b44756d4a954ab9fa0c014a0a0f515127112957a47613ac45f024fca9bca9fe4f68ef2100336dafacd7eaccecbb6bc5bcb2c0266f5d25efe4c4e0b9b9d

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
96KB

MD5
0c7d78e2c1efc2829d40077c87881ddb

SHA1
ee1f14f24ab9360c0c311d1349ffc898a6ddfb52

SHA256
ebcde02c37413bef0fbba74d04d0bcddbd9a047fa78c1af5299c1a3f59f3ffa2

SHA512
688ffb4036891721d4d3a39965e08ec463d04841a1d863e96dab7851092372ed41adecbeb6689e1771a129edcadb99877056e9730f44a71e1304ee81eb5adfe8

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
96KB

MD5
058d8db2c959d824830573c8f6fc3672

SHA1
726ec36ed157468c41fc58c3d1b1f27a911dc73b

SHA256
ee612562c20f09bed202befffe9a2b94e1b91b6940ce441f5fe0a4e0ee2ef628

SHA512
677b6545cfb6f0aafdc0cd21540a4e22773e29895d3a0e43e7ef310488b034ed7dc39c6cb71b02e7982061fd63cc2df113370cca87afe09890c7a7fa00caa33f

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
96KB

MD5
8e53f063e2342567b696770e709ab963

SHA1
5a82d74d5c11621fc3aaafe1593ec24ac97bbc24

SHA256
8b466dcf21f07703efc630ee80a1a9a892621649bd064a3f07958631e20c78cd

SHA512
5f7d4a16e69996247ab96e4a7bc53da281546783278105535087b94aa261f5c9dab75ad7fe0e2612147caa9f22cd9805034842a220f34c573983909daa83f191

Download Submit
C:\Windows\SysWOW64\Cdfbibnb.exe

Filesize
96KB

MD5
380055bd37938638ac685e2eb72c4cd1

SHA1
ea757951f27521897226635568b2bfa50df19087

SHA256
ce86deceecfb5d1b5817a68787824e65a7820b740feb08b4f94f9bbdc329e98a

SHA512
3a528f9f49deb43ca13a549681941d6acf566f9ad4b3d52d97f00bcf57ade79d8bd548ba10f78d403a339ca535c6a0f58db9595a700d518616a09a09afb9aba8

Download Submit
C:\Windows\SysWOW64\Cdiooblp.exe

Filesize
96KB

MD5
060500d94dec9ccac54ebd83e833e275

SHA1
a67481ab3cb8fd5bac9948b69c86b594f2dbfc25

SHA256
6dca9c2d77042b80ed2a1d5e260c3422bae8149cc9e5f65311735c5c23596527

SHA512
d77d5e1a1b1c1c8922c3b74fb24dec1d10fbf0d682ed4ec0fc3f07882cc6b007425ce132da2d4f9fdbce9d8b8812dbb92af644bb029a2f651a67315fdcf3f2a9

Download Submit
C:\Windows\SysWOW64\Cehkhecb.exe

Filesize
96KB

MD5
eb44c38cd128064837bc8b18fe7367b0

SHA1
1d8c0f30ed9bdf390dd2a2999a6d40a9bd738692

SHA256
1fe0ffb5d847b55606c164e6940d8a0ef1f94edbc079057a8e211b16833674d3

SHA512
109c6747b670c4e4ef498a67ee79f0b474ee55ff22dff0ec7b3ed83da4202a0b93ddfc7b87aaad3a0d8a8fee0e7569e3ee8d39271f322b1b46f8a71daa1f9c20

Download Submit
C:\Windows\SysWOW64\Cojjqlpk.exe

Filesize
96KB

MD5
40519d06591b8b837be75ee3518fcded

SHA1
7bf697669f5965079f7f2b5ad4ff483ff701e841

SHA256
59b171e2e757e95070a93a1cdb16357873fe55f19399e6fb7a8cbccf5bee8652

SHA512
6a308044184023e67e861e26a26b3fb6bf020d7b0fb637e8e7d443bfc1a86a2d41e997765726b34beaa761bf20d411f2624b399820642b12607adb723d76b0bd

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
96KB

MD5
a14630537f945ecb9a3af0e72cd194b7

SHA1
3271288f86ecf81af083d3d28b5bf2c5eadfbb4e

SHA256
0014e38ef814649fc660e1b884576cbf00ea317284b4a990f8a072316f75d701

SHA512
091de4a94c7b6aa9675c8eb1c062f2497479743295e0f7f6dc6ebaff9be29e576f6ad2dfbcf51967359051e56a45fcdc77e910effabcacb13c945892687bc81f

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
96KB

MD5
3b98dead58f93d95cb91924bbc07eaea

SHA1
64f3ecefe268aab2cbf6832cfd971de8085274d7

SHA256
1f14cea8a9e23613cf00b0deb5eff999d32f0081e43fe5aac7598b08a231f985

SHA512
f996faf776d8b9f38716fb3fcff58117cb6f5d21e344322611d2892b7020907fe1c18c093b990559367d3cc6df06297557e01ec956dff21d0d17398821e35474

Download Submit
C:\Windows\SysWOW64\Daaicfgd.exe

Filesize
96KB

MD5
c3d85e657f53f19b0ccfc758b922cec8

SHA1
5a398970e4648a8c2b92431bcce772ff790bead1

SHA256
1709ec9a052caab6139fd8464e67b77839b656ad532590b8f0b23160b998b001

SHA512
69d541227f151fdf2ffcb9301832ce1bbdc429dc717b3be060bdb93e6fc1ce616a7eeb4eca67f7d95a774f7dc6a7f21a02cce8283217ea5f82e4ac8ac8785fe8

Download Submit
C:\Windows\SysWOW64\Dadeieea.exe

Filesize
96KB

MD5
3f9513b0e274269f0af0a573234d0002

SHA1
8f9761851a372b9e22d99df43528b5312dab17df

SHA256
f050701d1cd956fbf8dc084bc831711da057e2774051fb7489fcb830c29a2eae

SHA512
b497bd9651c35ccde6f0a5dc46bf446617f5e3d69a363b8f2fb1d85c7276afb0842ff755def57243219157720f37aff1565a8e9c8ee5fc470ec93239ed5384f0

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
96KB

MD5
ce56290c8a44598a2fcb8c9a17ced702

SHA1
73c66678f9ca4858f14dca6902b80c67ce2bf92d

SHA256
6805517f5416391005e5c550b6fa049a5e14fc3818c3763cee51773028739031

SHA512
a5aa86a2aa52045046fbc7e8111382dcc0563445899746b8b9ad750ee423536a618ee864a854f105d6b7ac7e167a379885ec29298f3607056cd7c5de57b1f20f

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
07532a13331f8288b1313dd4e543f819

SHA1
5b60b2c29112a08a8b3c4fef42269778c0087931

SHA256
e7182bbb92feff2fb97d4d171d824f78a4e60d595dd182f75d24807ca8b8d929

SHA512
e0cf36ecb9b715ca15f665ed7248e969e68fce725480a264c1f712b3ddc3b74c668f303b9f2c6952e441f52c9fc494f59daf557b7f5f29ea05349b3bc066ffe9

Download Submit
C:\Windows\SysWOW64\Dccbbhld.exe

Filesize
96KB

MD5
b9b850f1891bc74907e24fac9056fb4a

SHA1
df067ac567dad94c670430e26cbb3c6ab3732ee6

SHA256
3b9f456e2e5d0942f79bdd648b328c8066b8b77f2f13bf78076de816334d3569

SHA512
6e07508367c9c1f9cb99eedf937b16737174d59b611cd107f3ca4919ad7f89e0c7af1d5a65d53ec61f2d73b1cc6f8506538fc3a46dea941c45e51420ed410a3f

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
96KB

MD5
ca456ffdf61229ed34a078481c5f596d

SHA1
fdd9a34dad6d5145171bfba2d264587f941422f9

SHA256
655faa4a65d012d476783f78ce797dcece63b6b34e81289f8aff8d0f41caaec9

SHA512
759ff580f8147ccc9c7e5c1e1c9685fabb5c5737cd51fb605237e99eba65f27873642a37908b136b6866c8eae90e529a04e80e8ef5581ed9d4236671f8deb116

Download Submit
C:\Windows\SysWOW64\Deanodkh.exe

Filesize
96KB

MD5
6825978a7b8347f61e33047f9dbd0264

SHA1
ae8074b88c782519ed18801de4704c2399a48f62

SHA256
79a8bf715b17d03b1ad4c6583d2b54257def7733595b0df700daff1a3b18ef36

SHA512
cc61322478ccbdcb75b75f73014e4227b0d1f2aaa84e520b518b13ec290f02ea54384b231f7a10de28abcf92dd5ef04068f9b8cdcf41b58ac3716db9c95816d2

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
96KB

MD5
8e354ee4db4c5261817b3b0d5ef2b120

SHA1
ce32684f8e26d8a12a0b8b3612b5d55cedaa65ab

SHA256
fc46b5b5976af372f4257318e5cabb4069428f55aecca218b1a5b242af8f8606

SHA512
a0cd71473521a1a5e04a2aaa6b00751a1953ef42e0a526cf8a5ae29c0761b55cebc5a1506030574babd3238fbbc329765c3329acc080108061aa72959ecde044

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
96KB

MD5
9b7b5c6aad11377b8a1cc4cff1273989

SHA1
856bb167eecfaed1fc89ba25276f2d4871780a79

SHA256
c586a67e4a6f7b3a37ecdd9ab68c2a153ec9debb61bd75058c1ee227859ad008

SHA512
ff7c5b23670077a527b232b51d3317fcbd1101992ffa5b01efa9bbd00c737cf75f5cd58131771b35d5ae4297f7755ab638835007d99a733bf5f58b2daac5da6a

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
34d9d7b37085bb9416d42409eaeddb09

SHA1
490ea847c513b378bd42692e1fb7708adbe0e16d

SHA256
67a035b76f7cc3f2eac0368b251aa632d8577768d9ba1be6fbf2d51a167f4c26

SHA512
a83b438301066acc092fc8fb7ee1d091c3bd7b262353c6899563feeb4dc00185ce18b6e31d2f2265459f52746933e27ca0cddc22dd2e26f68ae9d13b230f568f

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
96KB

MD5
16cabbc639bebcae1f8f6f13cf07d4c8

SHA1
3fcacefb0c462e46b89ecd7f278981ad71e5d279

SHA256
46235f3a8929140bf1eb80e2157cbe2fdda4e0e41bb1e320da3b32b3f1734b37

SHA512
609394959b6fccc0a9218d559e5a567f0d4bd82552ec2395e66df1f8b7ef90b92e0e00ce3eb851d7aa506612666a44f99367833d04fe90180245a50e3b5a7b8f

Download Submit
C:\Windows\SysWOW64\Dlgmpogj.exe

Filesize
96KB

MD5
ba6bc11ba07b0623a0c376922543d160

SHA1
00010d10b32b6f914ecdb99ddb9c9e35827f81c4

SHA256
00311aa9ad491f1de150ffae51f376a48702cc0cc3b75275351fd50db28ed19f

SHA512
8fb70323656a957fec6bc63cd354b368fe0080f01d890bf6b0504c3fd3810ea0290d62c7891192bd70f1e28618dab66cd4de2e1387aa56aa06f3b05b58584744

Download Submit
C:\Windows\SysWOW64\Dlijfneg.exe

Filesize
96KB

MD5
b6173bf2b9bc0695008c862ccc6099d9

SHA1
9da6731d7eebc44d0fee4b5e930fbb7868062f99

SHA256
20e6321d1809b7f43b6afc6e102128edb5878cb2867b7add43b1df783ef600d1

SHA512
002c833ddd47c11eabec1069e9c4892b52b4c01e8087bcca197ea02e36fcda958fc37131edc76b7c40899ed228a6b6b00cc8a5a147a75abd40ab9a646cc0639f

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
65af271b4914542b95c1183e9d30e239

SHA1
33a7671ee210173625c34f642b48f7ef7cb4c88a

SHA256
56ba0f2e6a8e51af343e6d0db0cc9bb640e502b8b2145e7f830a252062c36114

SHA512
c6c906231443312a70125c9cfbbab936adc00c1d73701f50dc337ea50504a74a5bce3653105ccd1afb0d93900a5896ffbbc17495d9c730ac7e2f89ec234b2b89

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
96KB

MD5
c775b18e4ba7fe357711d0cd8869d9ed

SHA1
aa5051a28963fee4731906d4d27db34a23755a63

SHA256
69b52460ea73847889586de9f227d112a2dd10cdd9b3749a0603a9f61a2bd77b

SHA512
75f77aef0d5d58ca4730807962e2135bbcca5e11a45d493d45dfa26c7f1ec574a315a4cc8365e51055c33addb9cc98119c3fe3f7867bb362d4926503087b66c7

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
96KB

MD5
deb83a63c468e52ab3d83888aa4ff8b4

SHA1
01c94981326d044c83fc6825edf033f01a1db50e

SHA256
c75c8fdf90eea27db45011981a0791e33254e4824834b3b3dd826614632228fd

SHA512
79836a8c3faf249851abf9a9cb09c5f305bff9eff57ae39e4314d5c5f39ae57002d764c90fe3ee5984cb22135d3183e0302980891300594478886d924b43d32b

Download Submit
C:\Windows\SysWOW64\Ecjhcg32.exe

Filesize
96KB

MD5
1bdef8f6e7cd4a735020e22b998319d4

SHA1
5af8a5cbd11585f348538d412660b5a172293084

SHA256
54a80df302090efaa7a73e8970e4d6a91effac8fee5167a1ffd42f2504946b67

SHA512
21ff108b83626f7abb384b700c4964662f26270bde4ae8cbbd92693d3ebed53ac881f4286040bb046beaaefdf0eaa99a0066bca6478ce3e2ea3df1b6dd8a634e

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
96KB

MD5
766656053df2d7240a6ed5ee994c256f

SHA1
3bba0d6c9a9576ab30acb7a7ed569b1fe320fbf4

SHA256
270a684f6bae852cca3a41a87c3c859c6f777788bc9cfbf38a3b96c322eaffc4

SHA512
4c7aa291b503442ed077d3f246b293a81932090cc8c5d19c6217f006515ee7e1ab27c94c24dd493e659ba9b51a4d3e4858adc1f1d597bbd1c278f9cf61ad4cc6

Download Submit
C:\Windows\SysWOW64\Edbklofb.exe

Filesize
96KB

MD5
5c428eeec6632d2694f79a35c7a701c0

SHA1
b016da36ed7e0e4d1a186b31a15fc38330d116a4

SHA256
46af778782ac452c04588bead5ba4951bd33c1d87a2ffbd3d1de0ace4e61adc7

SHA512
9198c6b49fa7a69ca0d99ca237e655296f71ad782fd43e86e5371565ad1cb560941cfd0bdcde1fc12296ed6b905073a2a895c13de01ed96839a9f5a9dfa53d44

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
96KB

MD5
9d435e4f15c58d839a840c516eb92c79

SHA1
12bdcd95e243d8d7ee4972a4140c12607beb666e

SHA256
4f545d265246d47026e722278a2c4103158dcbc2349e2f8bace18e476ca4cef0

SHA512
033810615e1e6b39a3987afff69496e7dc6620062b9b8030ff30d0cecf832766a663394b5c8253519ab5a06ec0fd526a278c21340c83775f7d0f10b41e613736

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
96KB

MD5
7ba37429f22123150146f8eeaf622821

SHA1
dc62d9202cc4607caffc1f2ebf7730dca2e9222f

SHA256
d5f9daefe0944bb476694a1c5491a7da0c66641b27e7e635c9014cd5fb66e2b0

SHA512
23938f0b019198500f2114f2fdbd123e185d65a7d823f87338e6fdb7611bf398d77ca14fcc57beb5cb2b6c4c8e35c1ac656aa36cf36261c07f584f27ecf1184a

Download Submit
C:\Windows\SysWOW64\Eefhjc32.exe

Filesize
96KB

MD5
135e636c22a632aab0d9f822e7305332

SHA1
7c264c453870da2830fa6b1492d9e293855b25df

SHA256
e13dad74dbdf6dc4a29157bec1ca41573bc76f4698df8629cc125e343292c1e8

SHA512
ae7207fb6d5749321871f60deb1b25a844139edcaf16ee57767d5dc57af5e2e73a44cabcd92c383a4bca0f36567492f3ac32538bed0aa5d3a07235e678cd3e63

Download Submit
C:\Windows\SysWOW64\Ehedfo32.exe

Filesize
96KB

MD5
8cbdf1a8964b5d7943a5697245a56ab2

SHA1
a9b404a624a851fea875c14b53ec875aed3de9b8

SHA256
d8d1b6390288ad8226b43194deaaa0508c6f3eeaa4c30a92e086db773e4c324e

SHA512
754452e2c1ab2f94630a86ca4bb2885c22325a9cb34d618ed6f21d0035102c7f6c152f6613715733bfbd0516fad7111c0ce48690f3ceb65b4743474361f930d3

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
96KB

MD5
bf1367828a7bc38b2bd1b2d8ed0e4e4a

SHA1
9834959b821c6901279d1f87671afd95ac3bc846

SHA256
1914a1c1464d28e000fc59196bf3d67c1930c32245e3424fe5b57ed6ea995790

SHA512
d33133ba24928fd2390f2a9dd9195e9330ede59e231da75622eec42d91bd11ec02eb2afd261c0c42ce0bd536abd5b96fa9f422ba81e4a23fd9baf4f1baf16450

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
96KB

MD5
cf8a28588b396dcdc046e8a4afbe5820

SHA1
e4b9417e806a2c6a7fb5b114f9dc54b060505a14

SHA256
9bdb3dca47fbe230eaae56c8fd5ee69f434bf379f85498332730cf7b89aa2c4b

SHA512
f5e4748bca07fc89bf4f514850ca681cf4f362679187acac3a1ec002c3bca5970795422ec6e370a09b1483f954ad1c8b6c05f8cb7ab95b7cf1848fd9eee8f04e

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
96KB

MD5
4339074ae9bee66a72df62b6c4a64b6b

SHA1
541196539c61c6a814b1c2167e003e279e96ae48

SHA256
86aa17da5adeac0608409421a1cc223f6480d32489df1727df27ba8014da169d

SHA512
4489451ef1d5162569793dca203079613d17a4cfa568d5fc6217e6810ab5b209232b0590008b813e2a524fbc2aba46c3940694b43bc2dc44818ead9e5a72ec07

Download Submit
C:\Windows\SysWOW64\Elbmlmml.exe

Filesize
96KB

MD5
7f1607ee3f4dfc0fdada856af23af9be

SHA1
71741ed8a1ba5d0d7da3bfd8fd8bf57dd211f38e

SHA256
7e41f56836783221b7fa0dcd2b8b2d3fad140f60439c6255451bbf93c30e06d2

SHA512
d5e0e79a38d6c4f9258375b4e37eb0b995b037ec02e0bc8635d6557d78aeb2ae822830064e58854b86fe8a8bd24f9bc8cfab240e3baa3bcfe036723e34a73a74

Download Submit
C:\Windows\SysWOW64\Eoaihhlp.exe

Filesize
96KB

MD5
0d49f1cf1072aeeb2efa4124fbf8dbff

SHA1
e5a5e4672d1038fe741117eb1c8a391f3f8d7198

SHA256
6a19727a53c17f61c07611f7cee5f0bfcda13056de72bc847ecb6658ce2b1491

SHA512
fad2d45c5a8ca638162ac77123a80cb5fc960a1935bf53938bb640b04e16bcf35c06467a5868d531f9710480cf79abe42b5be7159f88639924f491e8d0470cbe

Download Submit
C:\Windows\SysWOW64\Eolpmi32.exe

Filesize
96KB

MD5
40a91219b0d8de7afed8c709458294cd

SHA1
50692c2e8aa6bcca3ebd41a5a3a3cd7258b856bc

SHA256
bd5dc1ad3f0f372c95c6a634d725cfe6a0235781274305fc80e452116272301f

SHA512
ce32aae36f777a1798577a4355422466f760dcd5aede7805c65632cb0cc9027424d63de07c2cb33d72eda6315c8e86d081eca908586b44b892e28ba779987287

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
96KB

MD5
0de02d9cedde6c97dd6e54a2fd28c4b0

SHA1
e1e41581796a1321b9aded256820d18440959d54

SHA256
ebee9382b70e2a581f2902d4bb8b593591e6e036ac8234d3cf9bd5e4190865d8

SHA512
bd62797826441c9e901a949f9698a7bff15ff61a59d54450b1e994d5aca02ae3b407bd67766a8c8cf1d73a0749656a4f2cfab3a011b0c5d6901a28fd1df016d6

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
96KB

MD5
703e35955137e505596e3148b48078ec

SHA1
d0d65e52945110ea3d4482ca7e50ce895b92b2bc

SHA256
def99c5a082694c55c22a380260f151ac43c73b575fdb564a7b70ca68ddd8bee

SHA512
3dcc52fc6c03ba6238b3bfcb81f68ad8356cb04828134c08ab47074db5eadd54e38b27e8fa5364f830d7499c995f06cb84d2e6159c887d472bccad6a994ebd47

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
96KB

MD5
1f0abeeb8e9228f15e2c6ce572e9c24b

SHA1
1ef98ed3930faa8d7c18037875da609de3eda3c9

SHA256
ae1ade33a11912a98f10747dcc6741a63ec383bf14bde301c21138f7a2f57fdc

SHA512
33551fbaa257be49aad1c4f7f7df42f53d72a88d1939f1ac364451bbe86a353e6f5064963b5edff39067f4c640f965e3f85313e2b542396b6589717b7a59f538

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
96KB

MD5
11032fa765ccfae9ecd05a878e9ee0b3

SHA1
9a637da2448313f70c88dc09cc3251d1d0a1492c

SHA256
31efa15dfa6250c30204ee3db56a68a65d323095deec33bd9f2175e47d85b409

SHA512
0918ed82ddd0d81553296090933f81781dfe5ef5d97fc5ca485f6b4fd68691b46e182838eda2f4c8d5bb5160518e021afb788d05039158fd4150eff1a19921f0

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
96KB

MD5
8e24b5b6ed39661fd144cf083b956196

SHA1
067266042ba01276374d7b949f175457de194ff7

SHA256
75208f0f8b599697a5ad04330e69ef2a5bb2c3fc284cbf05cc9366eeabccddfd

SHA512
df8b3514c4f81e9cd0d3e3bc1a30864262a310d9e9597d8bfda0807f76aa30f8df8864bff3523a5e85cd6308efc48fddd58fad9bebfd711dee9021fc0e273fa1

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
96KB

MD5
625ab926163ac1bc9dba38b242764f4d

SHA1
90914b2c194bb9e8580dbdad097ffa1c06966530

SHA256
461f1bee530981427ba347d1f294908df58fa228b5f6bdebb09ef8309d33c76b

SHA512
c854a904c239c3e9c16f21201d743c9fd2e90e3c4db7cf058cbb39f9f228f7c4f14d6048e2a461bafc8209e61db0aac8bc240a29ab011bbd2265622c77dc713a

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
96KB

MD5
e6850656059426da9d0539cfcba41b7f

SHA1
f706547844e8edaa19a00d1c08cd844d39d8c70e

SHA256
da45f23cbbb03f6203d5ca27a7eee37ffc9c606ce71bf726900095250ab4a4d5

SHA512
780d39acbdcc45eac4f19b74558fac00690393d33b7beeaf31034f76fe524d77eef97b4a60203b719ee103ac899b6acd0fb41cb449a91c63348de32e8864151c

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
96KB

MD5
fc6dce88ea644e350c1d3711233c3b63

SHA1
3bc51559953131fbf314a7a9f21b3a2db778a8da

SHA256
68e603e3b0f509e0af7400008ca583a3dd965d24ed59e231c3a65ee17495fefa

SHA512
73b2e43ed77682aa54330114d1e4027945465fd27f479afa1eef0daf4d175ce0ff7264b5576763379d224cbd782810a0f86640178de2ee1e82ce2538b4fa4549

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
96KB

MD5
26c8b34746867540777a1b495165b2e9

SHA1
7110dd2f42e16341f486c7716d58e12be47f5fa5

SHA256
9caa1679242ca3be8fd1de03cace1f38476d376754d52e2b6639acdf0e061c14

SHA512
81416c51f8962aad5aa7aa71175637ebec04e215b322e1d3cd60d94aa1f3719de947c21e9fa6b25d758f01ceb05dbcbb86ba382011a3af77cf39cc6d1dbc8d1c

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
96KB

MD5
d9b43a786f8bf649539da58957457a18

SHA1
a0f0c6e631fac5fb327d16de2625c3ab1a03ae75

SHA256
4205190f954ac92c3243727810bfaae7c184eb5c57383338885018e84206abdc

SHA512
8a679a096df28c1f82bd8ca095c51f3b7624d2308770462048549ad278a80412693c3cba010cc4f4cdbf82b9d18d9947586b0e38e3ac29b3f852344b26fbb725

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
96KB

MD5
dc2e02f0e8779493d3d549d93e5d3784

SHA1
950b202916e918bf69d05c2191912d5c18dacc3f

SHA256
de0826754cca382724bc5dae5993bbc720a7872624d2acf244af0451fc80a7a8

SHA512
035a9edf25f8435d74a6ebce3fbb6f690cd4355a035676bdd1b90d911ff8867d0f3bc68a62da3d9d141ed08abce7ee07f9b4dc30f2555d6685a4733b67eb0c60

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
96KB

MD5
035d16e31d253853c5b7beaf2ecca885

SHA1
744fd05c5c1841d203a22b75f05ed609da640e18

SHA256
e030487f50d53d6ed605762f1f2775a7826e57f02ce9884997d223e3e8fd945b

SHA512
032824d037c13894abbb4f0cde56af6de9f01627f9c0b9cab1750d46853a9dd5e8c90c64df6cc64853badbea42a579d5626b8539342a933ada1726b98f3c178d

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
96KB

MD5
732a36c8d3c9f0339b961b1b006f3f30

SHA1
500b77ce7c4bd7f4463743ce44bb1aa3e795c823

SHA256
6790aafd87e687296f83c002934790734921491517cbd7b06dea4d9f988897d6

SHA512
8269021d7f9a40901231f63902c0d10819aa01f3eba8bdeb2f9321099523487a17985664fb9f6a9f2a35e065f37716969af17566ad965a66ffd7d9492d4c7548

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
96KB

MD5
813b07401b73ba38d913b2966941e74b

SHA1
b8dccab6d3e8f52b63d863cf8ad44f2713b3ff0e

SHA256
009f22ed557c4cb3f2f981907738ae7cd05c27db5a5816cb5316bbec758a47db

SHA512
8d51c2253cf5323a98a9aa684a2645e663dd0d6dd43c8826685cf115dc0b4c1c5c427f3368b52e4c855620f8e228a431d9d747130cf0646ec3a96c8c9de14051

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
96KB

MD5
99d2a74915cb04417cb4bf0c2affd9e1

SHA1
faca7c7ebcfad8ce4226e73d96988717d053b13a

SHA256
8b3d04c4ab821467adf9985697a1f5257b4db34afed87e85d0f6e0cde32f3177

SHA512
be054a5e4e043dd57b0c2ca97d06dce76bedbacfb27368fe9adcb1594e9eb7b464c39d71c6e950bef22037dc206e8d563ba24d594bf493a90bd10a8abcd2da44

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
96KB

MD5
0bdd29c2533117ca7882fff9e898cced

SHA1
d2a9f92fa43c930f312cc33df58bf1f68499e835

SHA256
00ce6bfa817ea366ea8f9f6a20aede25f9930d5112b3f4b83dd4ed5a391aef00

SHA512
29a2964fde3000d269920dfc7a2cb19af8e74f628966fd0f2f83f08e0828ba7e2641638a9e9ebda0e4ec651d29a4f4718c3142e15350cbb4209828d4d91e9701

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
b8a53dc671b8b95ab6b3f015035d7474

SHA1
5fc9e1a122b558c0febb616716a37c6bbf4442ea

SHA256
f3ff7a862425292104143f334465d06275d13deea1a0789def6f2537072d6ca9

SHA512
32c7915dcbf9e2a7b2646fd7c4afe6459645c186517366658242d8864a96cd0882871ddf5b39934abc1e22c260875662d0e4ba66b00020a1a5d094f70bed6bfd

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
96KB

MD5
98735cc3c1e984b95205140d7f5c0b2a

SHA1
10fbcbb4a38d624b2872e8ecf692ec5ea6332a45

SHA256
69878a493aadf4473be1ce2341eb8e83285e891cbd08936ac4a175c026881786

SHA512
b245dbd551b062ed91c28eb4f0c9080e4f591cfdd2f143b6338c524725b10f9115c6d1d01930bc901b94854a9a72d24136ccbae617022ea816d01897774dac1b

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
96KB

MD5
87ad63212504166cc54f9b268727b749

SHA1
4f559d2a049eb8faec1f7e7f2470ee3105a59aa6

SHA256
66cfd12446688fd26a656e7f59f243a47eee04f39cf9374c6737dc4eb187e339

SHA512
c625fbc6bde5637e054292293c6a51765455fe1ca0b2f1a1d884b2016bc05cdebf33c1db62e890e7ebf7facc0a1702fa18a09ad69d7851adcf2ef71edafb86ab

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
96KB

MD5
32cc0aff6ae572183aefeb6c97aaeccb

SHA1
331859288fc6d1d669eeddf2e5a38d3693e09f31

SHA256
ea6e4ee0a5e353a721d7d9f03458230e00f36f8cd9d85e656a7af8f6071dc578

SHA512
92a471c1ae54fe263119bf394e0b9529d4e5172e4a960f1f97cc3134f383744f8b4b37534f8754f458c596e2eea083d8fc04f55735dea281109b5091bab862df

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
defff7467bc5b66d0cccad95baec8257

SHA1
6809c2fd71025d2c8473c6261eeea4f31ef3fdf3

SHA256
ccaf9d04f6d550894ada908d82475cad2e31d6a655c0a7dedc3b48a1e6b7feef

SHA512
c76a36c81e55ebfabe0ab6767e5af3a0c22ada50c79e2317d3f9ed72d76a9e2b108dde688be57fcccf2186b6def78f0fd373621d212d72e43a7264cd32c99ce2

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
e578a38f37229e3e0bf49491938d8ef0

SHA1
15070c69e5df2731d8a3d391dd735dbbd99ff4dd

SHA256
3f83be56de9a2cb7d3c88c027f3f953da96469d6c727933809b1c3b26412702e

SHA512
a69ec1a55f05331b7717362566c8bfe831d8b571701e2f650afe4b4399107bb121bc8d3821624d562dc21e26c8341ea87b5ca428a8af5b657264cae958a7e63c

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
59341d23e900b2cea2be49a1fd5d3898

SHA1
2dbfa9c597ae86b58032a002668e155ad00423cd

SHA256
70d7ec14ae830986abc838b3cea5b43feb38d6fc730aa436415db58c4b4cd062

SHA512
a44f05c07e2f00aca33f69d1a253d9b5ada00ce2457e7b9eb457730fd51978f88e81e9ce4fd7ed431b34059e0c411a015f6826b0c9ab28230e73e7650f9a9383

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
1071f90241da403c9dc71d097972b22d

SHA1
4c923d3398e8d3880bb5c9329649efce6be2e3c1

SHA256
81441cfe4f27816d139284c641c6a717b26582dfd40bfbf729b700ae45efe71c

SHA512
be1ec9d4a0fcd61d52621f163ca5ffd08133f92a9900108bf3ce879102a0e18b35822183a1f51bc39d04028316ee1efa15229e8d5fed5ad744badd087852a42d

Download Submit
memory/64-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2588-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6624-1491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6872-1484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6996-1523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7040-1522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7100-1479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads