berbew | d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e.exe
Size

98KB
MD5

3870e23683d215fbc8c6bc7dd276b6c0
SHA1

bfd85d2b0eb57a0b3a72cdd8590ae7b6f3175009
SHA256

d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e
SHA512

e00409580dad3168c02c211b855415aca42259c7f8d3fbcd124940a026389d2d9b0d2d5f8a4da75f69e71368e6b0ee6b15fa77525c7561014a24a4970df5daa6
SSDEEP

3072:hAFwt/GdGSrXyP74AglamCETeFKPD375lHzpa1PP:hA6QdGwyP74jlamCETeYr75lHzpaFP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3108	Kemhff32.exe
2684	Kmdqgd32.exe
2332	Kpbmco32.exe
2464	Kbaipkbi.exe
2096	Kepelfam.exe
2388	Kikame32.exe
4048	Klimip32.exe
4720	Kdqejn32.exe
3944	Kebbafoj.exe
3920	Kmijbcpl.exe
2076	Kpgfooop.exe
3224	Kbfbkj32.exe
4352	Kedoge32.exe
1288	Kmkfhc32.exe
4916	Kdeoemeg.exe
2668	Kfckahdj.exe
5056	Kmncnb32.exe
2224	Klqcioba.exe
5096	Kdgljmcd.exe
1152	Leihbeib.exe
4700	Lmppcbjd.exe
972	Lpnlpnih.exe
2640	Ligqhc32.exe
880	Llemdo32.exe
4772	Ldleel32.exe
4400	Lfkaag32.exe
2100	Lmdina32.exe
1956	Lpcfkm32.exe
4204	Lbabgh32.exe
2064	Lmgfda32.exe
4852	Ldanqkki.exe
3688	Lgokmgjm.exe
4872	Lingibiq.exe
5072	Lllcen32.exe
2508	Mdckfk32.exe
4652	Mgagbf32.exe
4464	Ngmgne32.exe
4756	Nepgjaeg.exe
4856	Nilcjp32.exe
1164	Nljofl32.exe
1528	Ndaggimg.exe
1840	Ncdgcf32.exe
2736	Nebdoa32.exe
4364	Nnjlpo32.exe
2696	Nphhmj32.exe
4292	Ncfdie32.exe
3608	Neeqea32.exe
3788	Npjebj32.exe
2532	Ngdmod32.exe
4648	Nnneknob.exe
2436	Npmagine.exe
408	Nckndeni.exe
4888	Nfjjppmm.exe
2104	Nnqbanmo.exe
1084	Oponmilc.exe
2648	Ocnjidkf.exe
3104	Ojgbfocc.exe
2336	Olfobjbg.exe
4320	Odmgcgbi.exe
1920	Ogkcpbam.exe
4660	Oneklm32.exe
1160	Opdghh32.exe
4896	Ocbddc32.exe
4980	Ofqpqo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Kfckahdj.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kmdqgd32.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Klimip32.exe	Kikame32.exe
File created	C:\Windows\SysWOW64\Kdqejn32.exe	Klimip32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Kmkfhc32.exe	Kedoge32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Bjjplc32.dll	d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e.exe
File opened for modification	C:\Windows\SysWOW64\Kmdqgd32.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7388	7256	WerFault.exe	308

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klqcioba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 3108	2516	d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e.exe	86
PID 2516 wrote to memory of 3108	2516	d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e.exe	86
PID 2516 wrote to memory of 3108	2516	d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e.exe	86
PID 3108 wrote to memory of 2684	3108	Kemhff32.exe	87
PID 3108 wrote to memory of 2684	3108	Kemhff32.exe	87
PID 3108 wrote to memory of 2684	3108	Kemhff32.exe	87
PID 2684 wrote to memory of 2332	2684	Kmdqgd32.exe	88
PID 2684 wrote to memory of 2332	2684	Kmdqgd32.exe	88
PID 2684 wrote to memory of 2332	2684	Kmdqgd32.exe	88
PID 2332 wrote to memory of 2464	2332	Kpbmco32.exe	89
PID 2332 wrote to memory of 2464	2332	Kpbmco32.exe	89
PID 2332 wrote to memory of 2464	2332	Kpbmco32.exe	89
PID 2464 wrote to memory of 2096	2464	Kbaipkbi.exe	90
PID 2464 wrote to memory of 2096	2464	Kbaipkbi.exe	90
PID 2464 wrote to memory of 2096	2464	Kbaipkbi.exe	90
PID 2096 wrote to memory of 2388	2096	Kepelfam.exe	91
PID 2096 wrote to memory of 2388	2096	Kepelfam.exe	91
PID 2096 wrote to memory of 2388	2096	Kepelfam.exe	91
PID 2388 wrote to memory of 4048	2388	Kikame32.exe	92
PID 2388 wrote to memory of 4048	2388	Kikame32.exe	92
PID 2388 wrote to memory of 4048	2388	Kikame32.exe	92
PID 4048 wrote to memory of 4720	4048	Klimip32.exe	93
PID 4048 wrote to memory of 4720	4048	Klimip32.exe	93
PID 4048 wrote to memory of 4720	4048	Klimip32.exe	93
PID 4720 wrote to memory of 3944	4720	Kdqejn32.exe	95
PID 4720 wrote to memory of 3944	4720	Kdqejn32.exe	95
PID 4720 wrote to memory of 3944	4720	Kdqejn32.exe	95
PID 3944 wrote to memory of 3920	3944	Kebbafoj.exe	96
PID 3944 wrote to memory of 3920	3944	Kebbafoj.exe	96
PID 3944 wrote to memory of 3920	3944	Kebbafoj.exe	96
PID 3920 wrote to memory of 2076	3920	Kmijbcpl.exe	97
PID 3920 wrote to memory of 2076	3920	Kmijbcpl.exe	97
PID 3920 wrote to memory of 2076	3920	Kmijbcpl.exe	97
PID 2076 wrote to memory of 3224	2076	Kpgfooop.exe	98
PID 2076 wrote to memory of 3224	2076	Kpgfooop.exe	98
PID 2076 wrote to memory of 3224	2076	Kpgfooop.exe	98
PID 3224 wrote to memory of 4352	3224	Kbfbkj32.exe	100
PID 3224 wrote to memory of 4352	3224	Kbfbkj32.exe	100
PID 3224 wrote to memory of 4352	3224	Kbfbkj32.exe	100
PID 4352 wrote to memory of 1288	4352	Kedoge32.exe	101
PID 4352 wrote to memory of 1288	4352	Kedoge32.exe	101
PID 4352 wrote to memory of 1288	4352	Kedoge32.exe	101
PID 1288 wrote to memory of 4916	1288	Kmkfhc32.exe	102
PID 1288 wrote to memory of 4916	1288	Kmkfhc32.exe	102
PID 1288 wrote to memory of 4916	1288	Kmkfhc32.exe	102
PID 4916 wrote to memory of 2668	4916	Kdeoemeg.exe	104
PID 4916 wrote to memory of 2668	4916	Kdeoemeg.exe	104
PID 4916 wrote to memory of 2668	4916	Kdeoemeg.exe	104
PID 2668 wrote to memory of 5056	2668	Kfckahdj.exe	105
PID 2668 wrote to memory of 5056	2668	Kfckahdj.exe	105
PID 2668 wrote to memory of 5056	2668	Kfckahdj.exe	105
PID 5056 wrote to memory of 2224	5056	Kmncnb32.exe	106
PID 5056 wrote to memory of 2224	5056	Kmncnb32.exe	106
PID 5056 wrote to memory of 2224	5056	Kmncnb32.exe	106
PID 2224 wrote to memory of 5096	2224	Klqcioba.exe	107
PID 2224 wrote to memory of 5096	2224	Klqcioba.exe	107
PID 2224 wrote to memory of 5096	2224	Klqcioba.exe	107
PID 5096 wrote to memory of 1152	5096	Kdgljmcd.exe	108
PID 5096 wrote to memory of 1152	5096	Kdgljmcd.exe	108
PID 5096 wrote to memory of 1152	5096	Kdgljmcd.exe	108
PID 1152 wrote to memory of 4700	1152	Leihbeib.exe	109
PID 1152 wrote to memory of 4700	1152	Leihbeib.exe	109
PID 1152 wrote to memory of 4700	1152	Leihbeib.exe	109
PID 4700 wrote to memory of 972	4700	Lmppcbjd.exe	110

C:\Windows\system32\usoclient.exe
C:\Windows\system32\usoclient.exe StartScan
1⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e.exe
"C:\Users\Admin\AppData\Local\Temp\d740584c7f21872208aa3b583ed96bd52ad2f7ff1a03bfac8b20024afa434a6e.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\Kemhff32.exe
  C:\Windows\system32\Kemhff32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\Kmdqgd32.exe
    C:\Windows\system32\Kmdqgd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\Kpbmco32.exe
      C:\Windows\system32\Kpbmco32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        27⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        32⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        33⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        36⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        39⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        42⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        45⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        49⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        51⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        56⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        58⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        59⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        64⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        67⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1888
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        69⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        71⤵
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        72⤵
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5088
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        74⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        77⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        85⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        87⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        88⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        91⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        93⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        96⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        98⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        99⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        100⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        101⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        102⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        103⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        104⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        105⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        106⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        107⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        110⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4512
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        115⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        118⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        119⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        122⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        124⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        125⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5032
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        131⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        132⤵
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        134⤵
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        137⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:6228
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        143⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        144⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        145⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        147⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        149⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6696
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        154⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        155⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        156⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        158⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        159⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7156
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        161⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        162⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        163⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        164⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        166⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        167⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        168⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6860
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        170⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        171⤵
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6268
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        174⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        175⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        178⤵
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        179⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        182⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6780
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        184⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7004
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:6928
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        188⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:6456
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6264
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        192⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7184
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7228
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7272
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        196⤵
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7360
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        198⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:7448
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        200⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        201⤵
        Drops file in System32 directory
        
        PID:7536
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        202⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        203⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        205⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7712
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        206⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7800
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        208⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        209⤵
        Modifies registry class
        
        PID:7888
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        210⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        211⤵
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8024
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8068
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8112
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        215⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:7180
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        217⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 216
        218⤵
        Program crash
        
        PID:7388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7256 -ip 7256
1⤵
PID:7348

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:7756

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:7316

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:7184

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
98KB

MD5
5f680a081d84d681078254814e3af075

SHA1
9920f3bf68c8d873f8a996f62ad4c8adea4f4258

SHA256
8313e7024381c6509d8b26e020a3f664703bab5b3356bbe9053a3956018a0aaf

SHA512
61e7eafa83d19b2dadc0206ba15e80919d774e99a14828a95b5ceac69021c210887849da4547e18fc5eaf816f2c34fc070977f1ac106c8d91b66e34edf7833ca

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
98KB

MD5
737fcc7fbb257e311faccbc75d8b8ee4

SHA1
4efc6cac20b851ae0f70541a5b33a7b27aab0286

SHA256
f20c8f0ed8ceb450b7673ded88d7cd5cbb07fbde91fbac7cd599b3b0505c2881

SHA512
e4f399d1aa2e955095f222a5b2ab791019d2d25df0cae10c2f022679e6f8729d310942ee7fc7fe5c5852a30fdc003fa75b2cccd6a704884c98ded3c8ab28228a

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
98KB

MD5
1a7cc8b511a4bdb3a62c35438f8da2a3

SHA1
d5e499546c3a1c2e5ef6fc99e78a7d2b455cbeba

SHA256
9ca9c6355cf979c1ae48d9387dadd6f0bccd9cc95bb99bc566090e9a5f2a303e

SHA512
6d52d491ffbaba490803d03636d4dffb3ee1a5a1d3878242a1bbc6cc0609686dfecbabef037bfcf008701fc2cdb170936839259b87d853265ddb93fbe12b6e57

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
98KB

MD5
a6458a3610dacb9d4137e5c36339c77b

SHA1
96e4252be3cd53679451ac86e7bf4566409fc845

SHA256
cbad891ebb50da3ad4ddb804f45019be434abfc5a4e666e7bd9f1f31500f48df

SHA512
cfaae21b3d3f27a33457a2bc045c4ed41a4a5a60d8fb619923606905e1d3519d649aeb28b586498a00a0629337d8f67cb65416db9f111af8ef4db71ca2a69e9b

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
98KB

MD5
650ab0967693dc47c43506de68f60f71

SHA1
0ce51a4f33601a1e26cf4bb5b04707711e90e30f

SHA256
64492c46d639bc05a89d6660013c6c2588fde03a8187974f71d34f04a383ff9f

SHA512
1ebd27c34ba868346e8e4efd693b4c8c885cb53ffd5ce537faa3ee7ad797f27cc547e930755ab30165327f3f9cf53280ca9094138aa999abb2e709afee6554e4

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
98KB

MD5
a1b24891c94c7004511b9087d682c555

SHA1
35b91603fbb7e4bbc2b6443c541db9626ee3d1a7

SHA256
c79dff56563e9d617d61ec405d4b6429b27ef1467ac255127b5925b18890bc46

SHA512
0f9b39b21796e33c5833fbb6c9471f2632b99004f9e1125e25b08c8650c8b88bf3807048fcfcad7103a96c8d99f22f52b10dc66d127762906af272974f293679

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
98KB

MD5
a1bf7a16114fb8a8f03ae3b0ced19838

SHA1
2264334d04ba6fff49accdd24e4177ccc5202fbe

SHA256
a7773e218e781181c4390fa16508865fcf5fa580f1b0ad399f01ea2c15681dd1

SHA512
a5cb470d83d4390326332ec11c84229be85bfde83e1030c0767e1c111ca15364d1b280b281083cbfaf9991a29bc56ee9f0222cb3f64e204922dd7243cb88b495

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
98KB

MD5
460fe295bdd399e42d9150af4ad8cb7a

SHA1
0f880d514e811df831d83bf2aeb0993ccfe7e46a

SHA256
c68a4563f49fcbde15a756096aea34d73322c70bf2dd4423a3bbfc519626d3f1

SHA512
3b5a9d1b70fcec986873c84721c1512558bdad3c26c0e33d081bcf82355d11ab237850cf569b0f692aafd933abc5ea55f80c18aa507bcc334a8e09c0697aa1d5

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
98KB

MD5
5f0037a3b7137075e084d098606788d6

SHA1
1a802e71eec6345957a57bbc890f973150004fe9

SHA256
a1cbfe9d11857a1b57d3db00a7305d2210fdfe65bf637fa69f7eac530552ae8f

SHA512
cda275b1aa9b6962ed035ec27774902dc6849fddedbdc2889ed289c839dfdec1df955573d390f10c2fc796ae6b4301959acadde691b6f2c90c4e6b011935bd42

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
98KB

MD5
08a8fe94c7670c3678cd4e88a57582f0

SHA1
8bf4334361f4d8d7d4870b35ee5cabc6e7dd9491

SHA256
5153440aff60815c759eb737471ec888042c14f99a816cf3f2c867b4a73838b3

SHA512
dcf169f4f11af4ff3dd58b56317e5ec6eb6cd6d867c2d3446a40516b97360fdfad9bcdde68f843898263f816dcfda59dba9c5af94d08206e3deecd4f77331e99

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
98KB

MD5
acbfaae89fbd373f220b7b5055f8c9b6

SHA1
49a94f3408ca8230dc1e64542901f64dc4490485

SHA256
e5ced7638a297cb0a4c039c3bd2bf3d3e3dfd617c3a74d4b3aad0c640df5f558

SHA512
51a950e3a98a006c0c89616c1b0914699ecf5a9311d3dd7f60d590eff56cd9783455cb33ffeb8a400bf0ce08f4e85a0aa5e095410d4b1b090bd23afacbe6ec2f

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
98KB

MD5
de26698e46077d37bee90c361133d024

SHA1
733542fcf2c6ee94ea31a299b65d138fa6d6c087

SHA256
f3bd976b8cb402e70b94ff26f3b31a360e2de8f10f941bed60f623840b2ca35e

SHA512
fe354f2586fc8bcc266fd39228e8f9a610831891eab4140eb1237703812ab1f05022752ad7e7e82f28649a21b64340082661e83dfea0e78ed212fcd9c706fe1a

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
98KB

MD5
31c86658ce696e2eddf8185d1bf0dd3d

SHA1
20cc1206510f849426da301de5d0182cbc412bac

SHA256
4b9a2c54c16210ebf1a0506416e3ae7a527a5acfe9db449cfa9956c18e6f06fb

SHA512
af6b0439af63550fd59c4ecadad202f6ea75efbf604822fc041401008125c97f8111ed0a40364db5f125d1438bcf2aa5b781a2c42cb09f8187b14e4ad46d6722

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
98KB

MD5
9aeee30acdff3be7f9d464142280ed19

SHA1
95aa73b4d6a6085632c6dc6119eccb840369c03a

SHA256
2c08e44d1ac51313282978c04824401b7bcd676e788b7c8e9c0bedf5c235f23a

SHA512
bfaa5e8c9f601009ae7910f0808a61d4bf3a7dc2804fbdcbaf069ce34170b153361747fa23b39f2b90c69039c46b9866a5bdb59219c62ea21ed7bc5f50fdd66a

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
98KB

MD5
41c90cf0d464bc3ee216ee2af567205b

SHA1
51697710d152f307ed185b4e00597e02e4060d2a

SHA256
a51b551b3c47c22304890c328e20a0b90fcebfaa1ae3ab4f3370e57f90af7d42

SHA512
27d705ac8317b24c883af275384a0aa0709f068772ce1c810df61c82c54531291babff31aff5f6048672f22e34fd55fb5194ef0bef553f80bfec6da7a3786d26

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
98KB

MD5
08b9b4bee4e20aba366bf26a3cc79692

SHA1
bf32edc79ce3f76ced1c9ae27816e5c3bcdcc63f

SHA256
79139265d350ed4fde98a22905cdc1019ef10e3fbc7c36c312c0909fe534a3f4

SHA512
a178fd12d620cca68d863c2e3b09efd40b31ba2aa9b453fb14992b859e1cf698691eb50fab789a62e621f9e88f2f2360e19734f7d4a4471c9a7d448149a779fc

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
98KB

MD5
7cdf22779b94566233264c9a0bf2aa8a

SHA1
f3365dcd18fe60976a310a0f22ba6aed0910669c

SHA256
ed6e04fb0000b929ea9e7b0230c734b504d61c2e0d9b789a7ad26eb933ab9ac3

SHA512
805eba6759e67ad326646685b90cf672875746c1cf09caf65fb5178904d9d468e3086b0a40f1400237c82dfac85f9d9701ee5c3fb0c529ee846e7c1a35d55a2e

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
98KB

MD5
b2774e52a30dc20e2c275f8e7076de33

SHA1
7eae76eeed7c2ccc969e17bf1592c31d844bd2c9

SHA256
f737f1250bd0b7410622fba79c1a7c432f8019f6894c38a4ee06cd6ecc3b25fa

SHA512
5ac2145768cd826c93aac65d5894ffae9c1e52255f19b7a5f5e549d1efc1af5b3e1706ba5856b904faeb09afccb74cf7b0b7345086ac217a3d17aee42c320446

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
98KB

MD5
ea4c36974baf08d88393fbc52bfc0fc9

SHA1
0969739f6c1eba42b0b9fa430f3b4a94b045e3fd

SHA256
c4477972623dfdbe24c319df683a5d56c1e4962d36feb386a7684627af67d861

SHA512
330e11e7737e8b37d93f5cda59f5290e0e8bf06a1d3b89b7f71e2a044014a6ef1d3d046f0d6ac985a9ca6baa75eb28eb5abe2a485f4977a157349139c7b8fe5f

Download Submit
C:\Windows\SysWOW64\Flpafo32.dll

Filesize
7KB

MD5
07188ffb52e1c28dabce0cf6cd0088c2

SHA1
1593c402b87dc02bfecbf47341a487733f87e707

SHA256
03cd536cda067b526717a6a7bea83326a51e3e2c3743ca812b92acc545ba80a6

SHA512
a92a27de5a4f2918975b23ba610b96d4f9c0d6fcfef61562f925e72cd524cba8d678f7a929f529568dab9a2e15175d0c0e88685cee7fb7b11a716b4549d68ce4

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
98KB

MD5
a1de29debc2c4c0596b78e65ea675f76

SHA1
bfcabe45a2d9d90f108b9869704505319fd932ff

SHA256
c05d5028a6b9fca34d666dc0ea88d9477dfc341a2e3f3957d7031422656aeb3f

SHA512
d13ca9d3ce50e8f795dea9101747094f8909b1e5b70dd57690c9704f6f29c4a733e26c8a4fbfe776d3328a54f2bf40ea968c9a3f778fd149249b2610e7414c94

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
98KB

MD5
54331ffbbae284065e27566762b13048

SHA1
067202d974234ccccf0d32fd65d3c2ae2e0afcd7

SHA256
54f5a3cbc1d4bae7ffc0c79a7854cd467e50e9e0ca5e67629babf3d86dd6c68e

SHA512
a9224a7eb91dcbce80d6563787ec5b99e2c30bc6f7784e70b8e35833e016f0d2970c0bc7de974c60d98c18184b223ea72e4837ea19c660ba107e3eb9766090ee

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
98KB

MD5
8a899340f6b366d8221eb58e8ee80cc0

SHA1
73bf42cb420ce3a963eee296208a51703ff64e60

SHA256
14b9bffbea8c87c881e6f19bed36964385777932437d3ea3afb345ceb41a3aee

SHA512
363984147de8e160cbcb78204ec8643d3937065513e95053bd33ce617bf0f5de446d3a3739d87b16f4aa8431f55b9d44e0d9aaeb0bf4ca03f72a427fba8d53ca

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
98KB

MD5
191cd4a2da1b8ea59c865f5daad691b0

SHA1
534fc44be838eba078c95b01caa9b1140b94c409

SHA256
e0eb4174afad27d1cec1effb54ec58e160b71841e14ac3e267734abdb4a66559

SHA512
2062b0a80ab7ef19452bb915d8f32e134495bb9dfbabcf71c11d8009b4786aff05fec7e014becf436d32b5d9cb810b74f095be6fd95acd27024c866a0108f544

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
98KB

MD5
eb8301eb0a9381ea4fba1b32ae363aae

SHA1
35311057c00143fa501aa0caf9f7e46df3f11bf5

SHA256
5bdda579411c028f920cb28e632faba98b2eda174863b766fca5e64e1dbeec24

SHA512
659c08646471581c4382fb9995c3e1cee829f506ba9cc871689b1a944dc988ed46a5e96062598b5c4ce03bc5be63feb03feff262d6b96fc9ecc1cfd2162c6acb

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
98KB

MD5
ed812592e30601c73b49306743d37159

SHA1
54efc4ecdec2c32d9b3e7641835447dd2164fe0c

SHA256
5dce83501baa6e36be03e15f13c76115c41657c536943fb0ae51820977b646cb

SHA512
93f929085af6ba483dbc3c6d73272a8e0d12c59a01d60892b06f92882602a9f1e297204c02dea13c427425d081d70dccfda4a7ffb348d427183944b5fd0a4df8

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
98KB

MD5
a74095506cba198b4630badc53817a45

SHA1
ef9b70ece37a441215ad0891cf0ffb4358c733e8

SHA256
d2be2bcccedace2da80a71931fff60fd6b66bea113ad5bc2c6510ed91e916d0e

SHA512
39a1de6ca9b938390af268a356a21e4f3536bf0cc8a382b0784f613810350c8f73af105428d45bce6d5af101e839dc71bc80526b3677a204e4c9b5f5d68f8228

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
98KB

MD5
dec1f5894b4b7b1d40fa90873f04415d

SHA1
e54a13b85aa6cf6bff7e58b25d25cf6c64e74597

SHA256
bee6e7ed91b9020535f22e621c549274b12065c14926b14a94f92f34295cec68

SHA512
5e2fb1c41dfc14cd23c3b684abb4427639dee1bf612f8e0317836364f06528454b341c1d5fd16b651349a983ae2bee17ae68ec943402fb3c215e752dc34459d6

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
98KB

MD5
5f1efa00c7909fedad33f0bbb94ca954

SHA1
b63c34e4f218019ed6e4dcedcd366f6b5d07b70b

SHA256
32c3b2cafbda294db96922598692dfaa274dc36818ec652e40ad13c3a71f291e

SHA512
7e41ffc2f70b9e37bfbdc8ab2ad20d45e52c6df68e65fe210b40bae1b9d463a40830905993dd308b943b45f9e052d519869f3f9893690177cb9a0d2774ccd043

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
98KB

MD5
91130bc89b705018d50ccf3b609ac703

SHA1
65d29a2724dd2e443c53a151d7657aac05542403

SHA256
91951dc695711e2bd280026737db921a89c30a4e72f021f3b2dbec096bf61c59

SHA512
04e9f28e9d43a2ed1c5aeba709f28a4dcb43964a6b3d5ad65b699dffbe689dae3a4ee495a2908700ae4c9760d9be18053e3f09f85d6aaa9bef66c9e8dbb1447c

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
98KB

MD5
dad9ca9abfdb5440111c192af9a057bb

SHA1
a5bd2ae8503f4517ef30a31329f2c7b9bc3a0dc1

SHA256
b1dd6bce924c27cfe7919866d074ec881bf25100828133cec1c5da99d881c9ce

SHA512
960c046a7cec26dc41072b115648709f906e52f83a0558b1314c4c815e7e787d5e7eefa7dcb99494cd7c57567ce36deb0c1c705443af575fe1c4cb90a8f5ec6f

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
98KB

MD5
360864260b3e2c16e72fa5291758c313

SHA1
dfb2f6463b75807ccea2d76c95cb79863a3f9c00

SHA256
d8e018de8968147f69f631fd66b5e3af3e3d3c81dbd37402fed5b63e6f1e69d7

SHA512
42cd7cf05620f261c283882db4e506ec7e955a23434c2f55a5384fc910127f85f93dd136b769fb9319466808bc5e5aefe4e1facaaeb3e04c67942a3170d0a5de

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
98KB

MD5
718b70f313102cbe09dc9345ddb43096

SHA1
6869ae1fc85a8f17432880d91bdd48c955b75978

SHA256
d4f1f2559157af66dacf5e64e0c1e6c141f89854eb62d19bb5f1c6a8d32b0e59

SHA512
bafa21041c29fe80e0a91b2baa8fcc11e3422174f8ce8148f9e72c5f0b8419b52c210ca4aac7fa33cb1df6f5004680290c0ad1936ecb983439f1d1bc62720408

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
98KB

MD5
80370945b6cbeb5ce13f26d1e92dbf2d

SHA1
dc9ac1eed90d7504e25742eacb85dfe82a5427f0

SHA256
70b8a43c3e2781ffcd5869d3aa9c282c8e903c0a0b02f2fc904185d19f915e01

SHA512
7b0c21f0f50bbc0ec602e3703085bdf57819017aecfa1f99256516458bb67df99a186d2cd1cf67fbe43397e429ecc8d5c0470a69f0c56a72490219bb6870afbc

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
98KB

MD5
c1bb8598373a3124cc395dccc0d03b56

SHA1
3fd18c24e28836ba0ba7b8c36f71f4d79266369b

SHA256
d715be335c97f0a1707692a780be3c974a9e6af6d3c8c98fa682b0da30f44dfa

SHA512
a16e7f37052bc46ba151c2d4ebc544bad5f895a0563164b7415d1a0c96ac1872109c4c3e287f9a1ec79480bc05b0efbbc0238a9d2aed2b9c7229bc317f168d3d

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
98KB

MD5
dd1dd17bb0063727b4644db58146590c

SHA1
847b873f90a6c40d3f3bb362c3ad759d83bf77de

SHA256
81aa477d23dabe10343f1d38ac6a35c032c1ced82466851d0e3cda626562250a

SHA512
edb895272e3070884d461f390fe4815e1743b8122afdbad3705220c6f0ea57e02eed1419f0044fd364ef11c3f7bbf861c2482bc0fe1b252187de9689244c0827

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
98KB

MD5
badadd85ba3e30fd1979fcfbe7e011d7

SHA1
1f76e00bbed517772cf80ad44a391c9a2ee03bb0

SHA256
70d99d5da2eee6f2f12eea8376ccf244b532292f14bd3c5c9296f60c58391b5f

SHA512
40475f4be2548441db5262cbd5af7a95eed0d5dadc1615e440857c2a85a6b04fffe1d6d5cae06d0f9d9d9a7ce28748377547c40b8221457f0b08a23e212278b8

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
98KB

MD5
a484ec7e675c9091b7515af1506f1c44

SHA1
43ec53715bcdc65a9e8bace098590b1161232359

SHA256
8be92262cb2fbcdae973b1e69842a198dff4bf9042f3103f4d36502bef844963

SHA512
53e8f30085dc4500112389a6abb7a430ca60573d4c112d6e0da5536cbd7284467fe26c8a8aeced559638b480aaae58e247c9c77065c7ee04dd450c351033130a

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
98KB

MD5
0dc755a0be01d2d1bda4bedd265cdb16

SHA1
ac077cc24409fa24c8d176fdc31796d67e31e5f5

SHA256
85243b13d3d1e3f3d840c5f7a0cddff14e123e2290f6b5fc70cddcafd002fb5f

SHA512
ba20b25cebabb772263d9a1cb6e73d9cbb7c71221fc1fc0abaa2e04aa3dca6f5a177cb57c3bdc3a43e27bf98d0de2ad8cb1a9fa6253f01e5434dd9b562ae3a7a

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
98KB

MD5
df173c767fe176813c0fed6936404437

SHA1
9ec657b4829b34f3aa2f85cba7233ccd987b4fc2

SHA256
697779e1db0cbf0a08adacf00f574724b0fd070778d6863ffdd7c020d2914bf9

SHA512
eda7aa3860022e6a03ca310428eafe85c597535a1de0c233dc2163489234866f8e73c3852e82dc0dc287f1d1735f22268306f2b7494f5a2f109193f43c3ae993

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
98KB

MD5
fbb3717d1734738ba20d9bf4b3a81d1b

SHA1
d44f7b406741e4ca7c8bd94a32757676760fd57a

SHA256
c3575b1c07336868127571705237c375d835519a136971226f54d2b0429cca92

SHA512
e4b8e18a39a0393c2ea84fbf87a65171c1d7eb9a6af09580e6038bb9f85d3ab7a28983a123814c54d4662757513947ce1e404446840239b2cf6f3a1597a913e5

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
98KB

MD5
28bdb41209a58a49bea72e5738fae311

SHA1
8373d22d7e9e7c87fe8a9ef4874c9afa2ecf8491

SHA256
3061d7e582c9adbf384c0b650b0b2c4d526220d79d67efc4c91acff3f12dd0ba

SHA512
81f63050bbf944e784f2009cbe2977e468a5982a13b4c87c496606bcd32a7b3831c7be19700a9a56b2f385efe48eb4ea634728e63cc59d785d902e14e9e3cda4

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
98KB

MD5
aab4f3a06264d6bd95ee834f144ba1f2

SHA1
829eec23674642d3f37727302662df235a68e2da

SHA256
dd60083fd0bfa5803540a8e2976b041a3ef6b087c5cc18e88ecb79946e137689

SHA512
788492797eda3daabf563b23816c396d74a1fef5451e5c24f2d8bfafba2c3d0fbf8f7680a3e5acb7ade133eb9df4479ab30c167925def5ea5b8dfc705af2e4cd

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
98KB

MD5
b8094a7211ee07bae7e19be06abbf046

SHA1
b4eef7cec10d6994c2e4f93a9c9a5deac3856ace

SHA256
721978166fc5ca9be75a3775c8afa27bcd75ff5869844e0ddc81e5624515b810

SHA512
4abe6bcc35cd661bfa9f725eb0915f90e3a54cf4805b3efeb68d2aa4c7c336f313065587bb329d520d88cd1ca330db77b6b46c6622ca82e4eafa6df0aa1ad163

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
98KB

MD5
f6a42dd50f5cf26eb8fdf22c196ab7fe

SHA1
f6e83125b39aa6765f4a3d425b02a696fad6f4dc

SHA256
8058cc3f178c4edf1b20e65252ec3fcbbc8f1e31e28034f382a04e7ca7fbd5c4

SHA512
6dc7f948300e5dbcc48b3c5c121bc6375737ec6943c347ed311c27b65f7277a0c05209ef43ee57151fc6a45c65188215e059f4590a044f4371403e7fea02d9be

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
98KB

MD5
cea74706570b7f81df4272f104d2308d

SHA1
76ce330d652fe13d58e304ae52e2934da0c7a7a4

SHA256
e9620969a6cf43dbbccdaf6bef8507acdd4705442abb928a8485f5929ebcb463

SHA512
29fc2d5571a29460a63a4772b27bdcbcf9109dfcd5236ee4a8b11c505cf81b3a7e4567435a90bf3ae979b9ccd059f1aa08c069c6038c6bad433a84be12cb8e4e

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
98KB

MD5
008ca1976433dc9bfe59b5bf9e9d0103

SHA1
f559c209cdbcc92d598705f26cb9c86618f6a481

SHA256
f0bbcb26d1f32b0e4cb6c5e1bcef4fcf8aec285ded044fdb5daf0c313d857681

SHA512
030e5bd04ac8e7c960f2cc44e249407a6527eb02f03b4975cd83f3c6e31b3f66e79c20bf4e09f1700cec18c04f495b1de18743bf7d623225ba03b779e1aed807

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
98KB

MD5
2fa93da40427ab3877a0e91c9333fe3c

SHA1
c7faae4c4428616af66e8e16368bf2e688eeb978

SHA256
5c10d8e0d0e8e1266beb5e6eff5ce9846e468d2c4043239e0388bb3da3c9c94c

SHA512
7baac571e5003e430c443b6d093181a568497370e835de4768d245af46fe7b851ffabd306f3ee1769979cb75cee7215aa121157b85d3e198e2ec8cf6da973be7

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
98KB

MD5
fba63895aed792893b9241b6dbfda686

SHA1
2f3a293eda85970b181d6e4fd32fd2eddef3e9d7

SHA256
e85d0cba306bf98b52bb861c53cdf3198c79526d5044edec33914b731e0f2f85

SHA512
e45ee5a904bb0431d2aff34ea7b4c0883630340bd6e972c0628757eb0dcf9518df81e46650e7bb6e250bfabda49395a410a211302acfe04a817a4620195d3cce

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
98KB

MD5
c5243f20644851f69dd49676d1b7d645

SHA1
fe5513c93731e44b759c56210f9a692594a95f04

SHA256
6ff24f5d74c1909198f6052c8debdbb1bc6c72ecb09a753242ead32d2e745453

SHA512
c0ccd120db7312cbe77d4799f0b301a0a939e708afdff89607b8f3985f03ce2858450688ef6c2a2fed692e9ac6d86309cab7c365b08390260c4bbfef89b0a9a6

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
98KB

MD5
3d8e1a374b46a2b3bad11e96670e7f03

SHA1
d45ac684e69a7a85d1d5c63309fffbdce2e36ac9

SHA256
368fc0cff898c235f87db61c66282b4dc468195a5b3a45c85c825c1c4a5ae371

SHA512
a5c91050da281f8e1c0ff112bddc11857db392d601155eebf6fccd82766d7008111889010a62af35cbff91fe053633df0b75bde0831de78dd9e1280323801dca

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
98KB

MD5
400311268cd905c5417b7b07a9c97620

SHA1
790e82afc853e5b08988787f1f4ce9cab9918712

SHA256
91f82683b28169b98e15b68f875a1a02abf7e4bce2415a592ce7c281742bbf2e

SHA512
b28a1f5f1865262c1aa27b5c152ff0965d6363ef3bb97541ea6b370ef7685b335c2b5513abee2faa15b3b668c1ffda5158a42e120ca4bfd24e22da6517003f5d

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
98KB

MD5
8dea3007f3e80d77104ac7572d6d0358

SHA1
b98145921706c65a2ee895d4a1c25379b508a8bd

SHA256
521f311e34573e1cc3f8206aea280332f688e997292bf9eb5a336a176bad6d2f

SHA512
41a63834a9ec1475f023aa07c8016848f757f6d6f98203a71e8520f912b937891a50390689898f66be9b86658d3cf5e93575d4aee35d1f5d932c399301ded903

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
98KB

MD5
655a61ba341b379be220399da332cc21

SHA1
3e4313f6d61d4c3144c1b56ade166fd67ff90394

SHA256
ac07b90c20c233f9e1549de3b347340bdf5b01c92dfecaf0ee5f40ef191f220e

SHA512
e7d9ee10fface281b0240d554b8feb57493b0a482c235f359da09bee8ee99cd399e611e225cd0b266ce2647188a10748d34f7de56e9c5ca5364d1fbd80eb1b7a

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
98KB

MD5
7ba8a129bfb7558ef945e1f497218f65

SHA1
a8b116ac6b6d767e14b2a51275dc66f57e2f33c5

SHA256
0aee0662b3d238aef54932df6777ad8c4d2341ccb5cb7d2f2577f8050f6e3cdf

SHA512
27c8cceb7a94d154179173206005f0d932c54b5840319434593a1c2a498a71ab6eea92efdb9dc751f11242fcb6472d5d7b7734d87889dc680bf1d1354850bd57

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
98KB

MD5
742beb39f6fee211fb7428e8e49e580f

SHA1
8f29c9d00965ff1be455d4866350ed81be8b9728

SHA256
f62bf01477436bfd80d904c7a4c1fd852f16c5fe0d8277a9c3607aac8ace109f

SHA512
2c024e0ad57fa906b61942c87bb3ad9672a391251ff635cc21f14c8eaa16a0fe0c35de633c534ad45b49a777f0bb25ec37a31b02728ad2a1f5330e6eac55b684

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
98KB

MD5
f4328603066090a72b838c444c9d9d52

SHA1
5739a3d5f21d80f1b4c7b6841f58ead06ad522ab

SHA256
24641eb0dbd42f80e771ba30ee87b26334d74fc2bd3e60331354c2bbeba8bbab

SHA512
c3d4486c0144bac530f3a5c6eb1ae335da86b8d7ea1928c45685fb9b628a692d02dda664852f982777a6fee937dfc5b7115868a3511f6eb4cb089d5648f6838a

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
98KB

MD5
39abf1277a7c46a16a630bfa13d51110

SHA1
b89f4e67a82da3d9de8b29f5ceb200938364a1f7

SHA256
0510fd08a9748104e0380aa3f85da0d7093667fa62ec3ca8aafa5bd9db60d43f

SHA512
15df32db3a008a529c7540ee04516662d5d644dc79d990751cc93338ae96be3551b84075b83fbe29205e340cfdfbce8f5c942562abee81f2c9282e41aa1e0bd4

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
98KB

MD5
207418d354279cfbd14231a67772f8dc

SHA1
8d919ce0362dc14522a0c7a785e3cb8f26bfe00f

SHA256
dc4ebd6bc347facc059c95870b5f07a8ac1ee1c01b3e78018dbcd3c929107317

SHA512
3eb909c4346c4f1e0a9ae9b8402742c30b3a66fa577812a5bcb2b0afd0006d2adbeabf185cd55fa9ecae41f2f9866bbad56c7bab6353756a423af3b0b7949fd9

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
98KB

MD5
5e03c72fad3985f9551c5a963a8d9ac3

SHA1
8c33748a71e8f4521c4aef498bf219d9b82cbeb5

SHA256
8b38f2dc4cc97c6e9a20f8ad005dd7d9a46e051a1228ad58ec44219c1aef78a4

SHA512
7ba327f74094838da79be2a5d0165c078d48fd134d8dace060fcd3772b388fe4a3c5eebd8ba0ddd87731770be1bf451e86461182c45584b9c6db18b4a364945b

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
98KB

MD5
1642843f1f245abfdad4c7073fed9ee3

SHA1
6bc4b0737a4bb7dddf08fc9485e8ae6ebe360722

SHA256
0c496b39e6a86c3faf918c4f90e7b7ae77eeb6b7ef317b29fa845369bd48f1ad

SHA512
9dc2e90f121f5c2085537c9fafd9b265f7ac69a41c54698858d1d55aee9f89c9bbc0f3ce456f5e44575b9a483292dda570a5906d1570c844c4b3340d70efc04a

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
98KB

MD5
0bf135fcae66ce65d295ac9301d05de0

SHA1
068bb835ef53c1c78f61dde7507501dbe6fbccc9

SHA256
19d9f57547abc90d607f43727b391b13b8cc864256b076b94f752402a728b60b

SHA512
2a58a3e4f7f7974c2931114c977532ea721691f6fafb65465516c1bd4182ffbde35882498f78d333405fb623958c24b9eb1e0e13bd9d2071a1b5e7eaa3ccee46

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
98KB

MD5
e07388630a8e5f1961a4948d066c6d33

SHA1
1a8559418abee3615af087caafd3a9a12a0b478b

SHA256
c94befc384f68800a274a35376a3d73b4339059c592391dd4026d12b80a7c7aa

SHA512
8937da9dbca6083f1b98ff337de2472031ff5f2717af9f6678ec2aa5b3f0eaf6327f1963486facd9bdde724db960d58361c8ea6f741354d0f2ff7b3029a640a0

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
98KB

MD5
39964038868ddd774ce3e4ae9e3c0fa3

SHA1
77de5d0fe7ee48c6d319791ae6fd6a0c4a129d32

SHA256
a838acf439543f3ce803c04f2e7092d98665fda6ccc3ac2c1d82b89fba5fb2ac

SHA512
faf925f8ecc29376f138cf34683ba8b2747038828cc07c384b1f1dd9c29ef74e857eb6cadf9f3870b1c41e48f6783488ce0c8f387e406a3b9e2deb906d30eeb5

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
98KB

MD5
b4ff6b6fe14ceff582414b37dff4c7f1

SHA1
c09bc4d82cb5b8efe3952b8fdac7ba98191fd761

SHA256
d5791a9e68d84a705fe92453206b25b55ac6c3af7676dc859938de0c45f2900d

SHA512
73348a88f7fdfc05c29b251793d8c5cb5d0524fd95fa7f1189350d279f1fe9b1aadc20a11405fcb30f19225b3c7dee8942299255543068b60b600e24b7ae07d8

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
98KB

MD5
7914ac9ecea8a12d691410ffa8aa77aa

SHA1
76ac828168e86e9452f9e3cdc9f9e44c72164f19

SHA256
565feab09269c5bfe39c8614ae206120642373d5d4a3b2b95f49a564f0b0ae60

SHA512
0b17e750c39cc38fb211fe3415320ab00d927a6f97303118a04c0e44b00ede872e136f8390dc9ea43e22f54913c6bba4339540d90c8a65ea5f68a8547d3bb263

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
64KB

MD5
4c7a6df0bf39c21a61de303e70ba1927

SHA1
9a734dde3902d0afebb17dc5ad51789d2a77647f

SHA256
29643c26b68164ace36c52a5784bd532c8c0ff40cabdae24bd0f011fd36c61d0

SHA512
3ec74bab34592608ed2eacfc4d0b78b40c61187772519ea5ed8eb3059fa3224d82c49c629f7a6a89082ef90c45b0ca81771eb3074846e6075bd29b5e443ade3e

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
98KB

MD5
1814ee0824c203d65597b39b4a5901a9

SHA1
74928e31ed917ae70d8da57e9b4b7feaca033428

SHA256
e4ef7f9525e5a202aa34b3e2581f8b53aac0a06d7e75b531867fff755c94b33d

SHA512
fa01898a72e6833d8413ff7e80ae3bff6c910ff02172d7f2178c0972af6e03b6d51cc3c88aa4694142a2eb9f990a4846baee0c90b0eebd9fec58ea83832bb1ad

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
98KB

MD5
7e48f664e74a8b6087b008c04f7d79d2

SHA1
b30c33dd4fe6bd2f3a3b9c1defb16454b6d5566a

SHA256
e333cf235af7f29c9377f542049c6745cc3873396d4a28df643ffdee425e0bee

SHA512
5fe27ffe10dc17b9191988b9d33438fda1043ae34bebc17d22843f5f6fe6aff2f516b50e59d798d3f8d70f66549bd13e7b9afa1d7f77b143d4f076e43112b503

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
98KB

MD5
30026bf51c06b68e076d387e21543f17

SHA1
67863e9dd067f5f4a722597b3c745f1a58a67258

SHA256
5b2d3e05e723554054314e2a686b7ac16882cf0f888e0b045bfe75ce9e852706

SHA512
94c07d2233215a8095d894285b836a8be6919787e557dc4820ee2e3903a6dc32e8db55bf7fcee8dbedd956b1d6e5a67010954d727f28fe48136be9a8f2252c78

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
98KB

MD5
455e5d3f38c1d4c5980293382a18b9f6

SHA1
6b15e9d28708e0893c914e7697e921096c0da91a

SHA256
162b694d391e28124c3d3a725cac2279f593a19947e0ac0733c000aa4a69c730

SHA512
d5bd30fb5dbd9f96116843d131378b80f91cc9a199e74158a2d200e77dfe3c13d507d91e116e8083e893eba1bdc8f75a85bf4a5e360bc76c7ee84e13f6350b81

Download Submit
memory/408-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/468-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/644-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/880-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/972-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1084-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1152-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1160-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1764-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1840-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1888-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1932-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1956-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2064-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2076-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2096-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2096-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2104-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2224-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2508-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2532-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2648-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2696-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3180-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3224-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3608-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3688-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3788-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3920-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4352-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4648-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4700-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4852-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4896-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5072-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5088-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5096-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5140-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5180-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5224-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5264-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5304-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5356-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5400-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5444-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5488-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5532-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5576-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5620-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5664-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads