berbew | e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe
Size

378KB
MD5

9110eae66e904f4cf8e20dd3db3f0e4b
SHA1

7dee52f0357a5ea4f16b6a29cd05886d74d6a3d6
SHA256

e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00
SHA512

d82d2a0802ad8cee64b93bd964873c2c583ef43a783f5145ef23fa8efbe3ffca821cbf4b03f8a9b12026b70ca74d9aee5d84c11c605f7ee1675bc7e2c9f3f407
SSDEEP

6144:1e075EteYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSZE:I2KteYr75lTefkY660fIaDZkY660f2lO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3392	Kebbafoj.exe
4868	Kimnbd32.exe
1448	Kbfbkj32.exe
1492	Kipkhdeq.exe
4256	Klngdpdd.exe
400	Klqcioba.exe
5016	Kdgljmcd.exe
1336	Lffhfh32.exe
2032	Liddbc32.exe
1844	Ligqhc32.exe
1756	Lmbmibhb.exe
2228	Llemdo32.exe
3220	Lenamdem.exe
4828	Llgjjnlj.exe
1836	Ldoaklml.exe
4916	Lepncd32.exe
5092	Lljfpnjg.exe
4468	Lgokmgjm.exe
2216	Lingibiq.exe
872	Mdckfk32.exe
1240	Mgagbf32.exe
4864	Mmlpoqpg.exe
2324	Mdehlk32.exe
228	Mgddhf32.exe
4320	Mibpda32.exe
4176	Mdhdajea.exe
4964	Miemjaci.exe
4640	Melnob32.exe
4612	Mmbfpp32.exe
3228	Mlefklpj.exe
1824	Mcpnhfhf.exe
2224	Ndokbi32.exe
3972	Nepgjaeg.exe
4184	Npfkgjdn.exe
2056	Nebdoa32.exe
3284	Nnjlpo32.exe
1644	Nphhmj32.exe
1344	Ncfdie32.exe
3496	Ngbpidjh.exe
3060	Njqmepik.exe
4500	Npjebj32.exe
3332	Ndfqbhia.exe
4644	Nfgmjqop.exe
2328	Njciko32.exe
4904	Nlaegk32.exe
1304	Ndhmhh32.exe
212	Nggjdc32.exe
1372	Njefqo32.exe
392	Olcbmj32.exe
3100	Oponmilc.exe
5060	Ocnjidkf.exe
4544	Oflgep32.exe
1212	Oncofm32.exe
2388	Olfobjbg.exe
4792	Odmgcgbi.exe
3196	Ocpgod32.exe
4068	Ofnckp32.exe
3808	Ojjolnaq.exe
2904	Opdghh32.exe
3480	Ocbddc32.exe
1444	Ofqpqo32.exe
5056	Ojllan32.exe
4840	Olkhmi32.exe
2912	Oqfdnhfk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7616	7524	WerFault.exe	298

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 3392	4984	e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe	87
PID 4984 wrote to memory of 3392	4984	e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe	87
PID 4984 wrote to memory of 3392	4984	e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe	87
PID 3392 wrote to memory of 4868	3392	Kebbafoj.exe	88
PID 3392 wrote to memory of 4868	3392	Kebbafoj.exe	88
PID 3392 wrote to memory of 4868	3392	Kebbafoj.exe	88
PID 4868 wrote to memory of 1448	4868	Kimnbd32.exe	89
PID 4868 wrote to memory of 1448	4868	Kimnbd32.exe	89
PID 4868 wrote to memory of 1448	4868	Kimnbd32.exe	89
PID 1448 wrote to memory of 1492	1448	Kbfbkj32.exe	90
PID 1448 wrote to memory of 1492	1448	Kbfbkj32.exe	90
PID 1448 wrote to memory of 1492	1448	Kbfbkj32.exe	90
PID 1492 wrote to memory of 4256	1492	Kipkhdeq.exe	91
PID 1492 wrote to memory of 4256	1492	Kipkhdeq.exe	91
PID 1492 wrote to memory of 4256	1492	Kipkhdeq.exe	91
PID 4256 wrote to memory of 400	4256	Klngdpdd.exe	92
PID 4256 wrote to memory of 400	4256	Klngdpdd.exe	92
PID 4256 wrote to memory of 400	4256	Klngdpdd.exe	92
PID 400 wrote to memory of 5016	400	Klqcioba.exe	93
PID 400 wrote to memory of 5016	400	Klqcioba.exe	93
PID 400 wrote to memory of 5016	400	Klqcioba.exe	93
PID 5016 wrote to memory of 1336	5016	Kdgljmcd.exe	95
PID 5016 wrote to memory of 1336	5016	Kdgljmcd.exe	95
PID 5016 wrote to memory of 1336	5016	Kdgljmcd.exe	95
PID 1336 wrote to memory of 2032	1336	Lffhfh32.exe	96
PID 1336 wrote to memory of 2032	1336	Lffhfh32.exe	96
PID 1336 wrote to memory of 2032	1336	Lffhfh32.exe	96
PID 2032 wrote to memory of 1844	2032	Liddbc32.exe	99
PID 2032 wrote to memory of 1844	2032	Liddbc32.exe	99
PID 2032 wrote to memory of 1844	2032	Liddbc32.exe	99
PID 1844 wrote to memory of 1756	1844	Ligqhc32.exe	100
PID 1844 wrote to memory of 1756	1844	Ligqhc32.exe	100
PID 1844 wrote to memory of 1756	1844	Ligqhc32.exe	100
PID 1756 wrote to memory of 2228	1756	Lmbmibhb.exe	101
PID 1756 wrote to memory of 2228	1756	Lmbmibhb.exe	101
PID 1756 wrote to memory of 2228	1756	Lmbmibhb.exe	101
PID 2228 wrote to memory of 3220	2228	Llemdo32.exe	102
PID 2228 wrote to memory of 3220	2228	Llemdo32.exe	102
PID 2228 wrote to memory of 3220	2228	Llemdo32.exe	102
PID 3220 wrote to memory of 4828	3220	Lenamdem.exe	103
PID 3220 wrote to memory of 4828	3220	Lenamdem.exe	103
PID 3220 wrote to memory of 4828	3220	Lenamdem.exe	103
PID 4828 wrote to memory of 1836	4828	Llgjjnlj.exe	104
PID 4828 wrote to memory of 1836	4828	Llgjjnlj.exe	104
PID 4828 wrote to memory of 1836	4828	Llgjjnlj.exe	104
PID 1836 wrote to memory of 4916	1836	Ldoaklml.exe	105
PID 1836 wrote to memory of 4916	1836	Ldoaklml.exe	105
PID 1836 wrote to memory of 4916	1836	Ldoaklml.exe	105
PID 4916 wrote to memory of 5092	4916	Lepncd32.exe	106
PID 4916 wrote to memory of 5092	4916	Lepncd32.exe	106
PID 4916 wrote to memory of 5092	4916	Lepncd32.exe	106
PID 5092 wrote to memory of 4468	5092	Lljfpnjg.exe	107
PID 5092 wrote to memory of 4468	5092	Lljfpnjg.exe	107
PID 5092 wrote to memory of 4468	5092	Lljfpnjg.exe	107
PID 4468 wrote to memory of 2216	4468	Lgokmgjm.exe	108
PID 4468 wrote to memory of 2216	4468	Lgokmgjm.exe	108
PID 4468 wrote to memory of 2216	4468	Lgokmgjm.exe	108
PID 2216 wrote to memory of 872	2216	Lingibiq.exe	109
PID 2216 wrote to memory of 872	2216	Lingibiq.exe	109
PID 2216 wrote to memory of 872	2216	Lingibiq.exe	109
PID 872 wrote to memory of 1240	872	Mdckfk32.exe	110
PID 872 wrote to memory of 1240	872	Mdckfk32.exe	110
PID 872 wrote to memory of 1240	872	Mdckfk32.exe	110
PID 1240 wrote to memory of 4864	1240	Mgagbf32.exe	111

C:\Users\Admin\AppData\Local\Temp\e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe
"C:\Users\Admin\AppData\Local\Temp\e865ae0a260bae269398e59ff7f19d361aae92e859f60e509baec5d2e23ada00.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\Kebbafoj.exe
  C:\Windows\system32\Kebbafoj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\Kimnbd32.exe
    C:\Windows\system32\Kimnbd32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\Kbfbkj32.exe
      C:\Windows\system32\Kbfbkj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        32⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        35⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        38⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        40⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        49⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        50⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        55⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        62⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        66⤵
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        68⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        70⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        71⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        72⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        74⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        76⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        78⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        84⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        86⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        87⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        89⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        91⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        93⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        98⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        102⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        109⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        110⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        116⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        117⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        118⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        121⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        123⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        124⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        129⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        136⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6224
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        140⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        141⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        143⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6444
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        146⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6576
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6708
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        151⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        152⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        153⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        154⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        156⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        157⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        158⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        160⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        161⤵
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6540
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        165⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6764
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        168⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        169⤵
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6220
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        173⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        175⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        177⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        178⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        179⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6644
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        182⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7044
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        183⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        185⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:6336
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:7132
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        189⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        190⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        191⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6744
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        194⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        195⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        196⤵
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7204
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:7248
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        200⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7292
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        201⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        202⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7380
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        203⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        204⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7468
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        205⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7524 -s 408
        206⤵
        Program crash
        
        PID:7616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7524 -ip 7524
1⤵
PID:7592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhck32.exe

Filesize
378KB

MD5
ad2ab7d31fb1e42fbdde3f006f28ab7e

SHA1
9f43592fdca0874fec4a95d9c052189938fe9d44

SHA256
7b4f9baa8eb3cafe3e23946dfcb6122b579b40048698248a804043b132bcbf6e

SHA512
8566fdab2cc822318dbe7e0f0800d4a74649908db1986f21c8366e08c05fba584d1d40b7e5a87a55159db5eddbfef02fa8f54104e8db453243d58581f24d514e

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
378KB

MD5
714f2d3bacd3234f079981a378e836b0

SHA1
cbc2bbf74069cd39777d825a09c310431230e4be

SHA256
ae51271fe8fedc511dfcaa0f1c2c79e2c65a5be52a0c97f564d81a4d9f066755

SHA512
2fc42f2c240a39120a0fdf28f49495ffa88d08eb8e105522b673a5868e4bceef859c0c5eadab585f10abebd1c1b79455b0e702615ce1d198ed975aa4eaa25e3f

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
378KB

MD5
0a100aa10897f44a1e4eca6bcdd5bfb3

SHA1
b06939323ba9ca15e8d4ae1765f62c546688f561

SHA256
4d56a01b5460a107ca529fc309e27d40652a85547e95d1f80b8df55a9419c5b3

SHA512
8c7342a2140ad12c87622eb76639e5fd7fc720f5882debb0583fb39bb7f5cd801e9d3304d7f338f8c8984f76b023c7d7008e0e4c1a109eee5ac4f7fd8832e3b8

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
378KB

MD5
91b6be7087292310f9ee49c6c873af8f

SHA1
a8beb9c9f197ce729db23164dc36b8d738882fff

SHA256
f057ecb2ea298e482a19882a9adfad63471222ffcc155ee90dc0a738f6b4c135

SHA512
fcdaaa0d0afe27c5373fb66f34dd2040d053a5a33e83d1b9f9a925cfaf0a49f78a506b51580cd83e191f18d32bca7fa9a1f73c424d120bd0f341edfb6808fcab

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
378KB

MD5
115d2dc845d083598459503fcf5c7ecc

SHA1
5e630451634bd24b5985055ec2cd9b948374bb0f

SHA256
90e593157630a38161b5fd928444cc863945d18cff2d49c3d50faa5020f5d7b3

SHA512
1aa44e3eed93863242cc9915281a3a95eefdb4867b155a7098fb58803ac6962aca60f0fb6c789d279c7bf6d05686b63650deec0b99c5edb5086a0d31ee464570

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
378KB

MD5
a4d72b6abf39d3b051b58686d85ddfe7

SHA1
b90012b5e03e60355a7661b12249ddea124b8b54

SHA256
2f9b77d3f73772db2846a38a2175b60059f8a1c946094ebcd17750b96483d8c5

SHA512
173b14077563e9e66fbe05ba440f63d3f9e4908d75c2ee97dbf17606d769d15cf5c8c65a5e1846d5f6991adc4302a7f244da1980a917d2dd838e6515b17908c2

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
378KB

MD5
a464776568d116e55654c86d0363b63e

SHA1
751c6cc63e1c14142df4c7d693ed733b4627ae2c

SHA256
af3d58eed1cf88eba8c1ebdbf94f18b3a0707ae9aa27a4daa7dfcb298d5ad953

SHA512
27e5a5f1f362cef3a70d550d054227ebbf14be7a82316d5ea7ac0a8cee80cfc64b19088b90859e4433bf3bb466b307bdda84f84a359db05512c1a3e867db1b25

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
378KB

MD5
adab578bdd5e08c36acf5aff6f4f4edc

SHA1
8e8318986be33358a95c2347afd43d9a77580b11

SHA256
b786ae76a1e2049b80dae11c0e968ba6402ee623e8f6c4464bb847fb6e5088a9

SHA512
17fa73891661e9165ad1f1b619c8e7657579dc5459a343bac973c23c92671d185be5b5b50bb6c4f72599ca09c352287d3efaaba82736e735ca8953cda532a641

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
378KB

MD5
e6c7b6b90f8a0a6f2749e7b86c02a2db

SHA1
c8e6ad1f15d3626fec2608cfb0a5845da21904f1

SHA256
46999ef09bbdff47606177c2f9d6f025cc16fe2879969bbb2b6d0435b7900b63

SHA512
6a1355872882267b59d58844b536e73901f6fc22a6301f5f6508bd6cbee022fd38f547ff7087c39daf68632858762862c705f9105817330650d81468f5f09c06

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
378KB

MD5
db7ab191fcbc7d2844ced100359a8ca9

SHA1
ff3f04fa371d0fa341cbf5ca126a36f0a34573d9

SHA256
2b5b6fa83cccea73b6dde1984c0438f1f7c75e5cc0478f5a9eda8d3f799af5f0

SHA512
71747b89a318ece2f6f2efe871365817364e29588883d817cbb15631f70cef524d1fcfd60f59c832dbaaf7e17549ef66f19dda9754285b9ac624c64640e5c218

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
378KB

MD5
4bd4c42d369ce561ba5db0f071182ef4

SHA1
ed5b348cfc7699e2db0e1e119e3fce8d267bc707

SHA256
32573a845410b0d9d54bfc2ef95858346a48f003d6c68e378f5cfe511c065152

SHA512
2cbc4e5d8ffb00121297d38929550425f8462ce9497c8d835ce5dc7f2eeccf45e839868f7acbb26f357a93f237135316f26fa21802db359ddbc9108b92bd4c88

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
378KB

MD5
4208c0ff2a701601d666771050f2fbe3

SHA1
9c462f2613c005cfb5416572427f78a10be4d3b6

SHA256
824e7d0b027675703765d0e5d4cb0b1214e71b2cf997a0459ca663d3a9b490a2

SHA512
cbd123a426de5ad5ca896554925f6398f2d8aae7b1ff5faf1390cfc5a48d2b44e3728dab95b49c1e884f7384d984dd87c8607264b64706c10af97c9468eea286

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
378KB

MD5
86ffdcc61a40e7ed563c2a9b8d7fb7fd

SHA1
1bb2f65081952d186cedb9e4f8b7bcf92d8813ae

SHA256
c2542bf271cf7263f59e135c79c35d4eab03e22d749ccbdb596a39887914fb54

SHA512
d5d5c73d2dad6ece6ff7e47af42e73dd27835d276fe61d856531666e97a144ffe52c0d809dbe94309f88d3713710a5606fa9b701673eb3445ee388998f1124a1

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
378KB

MD5
f200768f9a31d9bc5616f4d7dcf3124a

SHA1
ce187f27393e963afdbbbb2576071f0716caf299

SHA256
e9142c25523fdf3cebf29d897ecf2b4d29b61abc7bec3329b437b864da002d2f

SHA512
a8cd64a95583c0d2323d8afabe393204e51d5002f90ac8f0953a253394f7d914979a1ea5448820f1a0bccb9b4611ec85279fd2ee702b6b6b36bec7e7eda13f11

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
378KB

MD5
bf82724bd50855a2b737fbbb52cca670

SHA1
03b0d5a4a638eb0cb68804cb2b7dbeda4263b4fe

SHA256
797ee32a46ce9ba0416277a340c995bd32274f5bfa12cf2917e80655b5a35eb4

SHA512
0ada0f595716b585103beafcd76bdc7c899b45b0ab411b158a8192202c7ecc4e010542b32e1f785eb9b0afdded4ec0cc6d58be097da212604954f037f73e9eb0

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
378KB

MD5
d2d7ba34961fbb6db8e7282420fb8d11

SHA1
81a4a750002181296415d591cacaa32d756503c1

SHA256
674ea54538d9b89b52b885ccd82db62d11b3e5030e053357a8e64d8cc41db1fa

SHA512
bcbfbbb095320222ec9df24fb5b932228679329649e9f43fdd747d9393e1524405132e703374cecd78bb682b15f04faeecffd8bce1a358dcf2b80bf47ea475c6

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
378KB

MD5
6f335cb4478f0d2bcf8d3a03fa8a5a38

SHA1
4f1bc88cb01402e588e7c8507c6956892c7b1bb8

SHA256
705b49157003b8206cff5cd3c550ba2db27ddf903b3209b36ca264d5bc7cd1b2

SHA512
756f4c7504a1bfc6a29c825e808c4c8d00b7a5afa82c59962081b9e156e5122eef6555c1e010e76c97122c007473e2bbfdfb2231debbd997d29b8eed1e59fbe6

Download Submit
C:\Windows\SysWOW64\Inpocg32.dll

Filesize
7KB

MD5
b2edd4718e83db51b296b68abc6d9f6c

SHA1
0841c1fcffe04df520831e9c7f780111f7a49e87

SHA256
5f18e375184106cd390367c531c0e7ffceb469e682565cf75d6922914f8c548d

SHA512
58faafff91ffbf8b49a7ca4d9e50281d9863a8f5b69e1b045aa2c6636ccf3d3653d9634dccbcdf33a882f29377eb9e1faf6f932fce6694ccb420cf53f0ba6406

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
378KB

MD5
e94c7ef853337985c6b88e6ab464dbf4

SHA1
edd731b4168cc850ca3d53d63548265fef508268

SHA256
141cda1f6db34dbde5ab011e193385ec6beeec428c3654702bbd3bec44f04825

SHA512
554b3e16a0767b9b86d7d293ea68f14126c298a9f926384508c1a7f8805e964a8f127b14e8f16d6f0b5fd2f970f3c4984a5d0919c09be2e76ffe00a93a62393f

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
378KB

MD5
bce1ad8df9ff18538c21052e4c6819da

SHA1
bd3370df59a17100a574ba04128ad8f19548fb6a

SHA256
a386ac73f15499958a350282b2ca669558e262715bfb0cbbe6478c8b5de29d58

SHA512
60cd9758c54cfa910c1cac2160f7c69d0fc0d0399a622c1046a92b0cedc002a31448d2c0357367c346ca75e7cd7ada0cb9a8c8ec9f4341e6a8fb412aa8a3b58d

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
378KB

MD5
5b050051f07697616c24110250f3cc45

SHA1
e751308578fe4a5056ed754f2c9e09c894525e1f

SHA256
198f33cd08a4e704c7e7bed65cfe8b6b9b9ad7970b897ce8bfe9e2548ec7d7da

SHA512
0ff5490a13454717e381b2c19d0f115f1fd729092de892eab04f49a0b267186d9aa494d97c8b7712046f2314a2dac4a8246033f01f2353d8f17ac3034c8d9187

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
378KB

MD5
acf71bff3bb8b4f23b7767df553d35a5

SHA1
7f3b76ae4ab95d845c563066ebfcf3ee8ca1d8b4

SHA256
6bb3176f90d1e34c8aa9bdbb9f2a0495cd18b778d20116d99ee2ac9ac02bda4c

SHA512
9b48bf328a09dde849ead8669ca0cdf6573eb596bfdb3bd862ec10b3b23e0d861501e9a001afa37cf089ae139abcf5e60f8f606dd4d7d87b1b812330930229b0

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
378KB

MD5
8f95f53b330aaacee7fbcbc93976f908

SHA1
629dd4cd8b5c5f7369b06677399b7d2e1d6d7b02

SHA256
c2709594b5a1116c3e61ca925e8de031d6fe88bdaff9fb27351e534db98b3085

SHA512
a78c8f3fb44061f4da1cc197804147c773e8426999336ad18b8cb81dd3db8a636a283fc0cdf18f34c8171e8b90f8967abf8d640e23bda2a706d6950d74edad40

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
378KB

MD5
8b663e83b0cc6561a4d50ae1705dfeb1

SHA1
7cba3691f9819376bdaa7d573ffef55ecf5c664d

SHA256
33d237a4ff3d8b2ca9bc33579412b1c529f5770678769f0518928a047338cb6c

SHA512
f05b8aad8d350890c2b416f431d2db82db6a7836ef383362e540696b710c0b2d82a8022e80d2cf0e8de9c85a7d2046fbb2661a8c08d72a19b533db7dd74702fb

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
378KB

MD5
0e2f9f7fd9d561b9714d41bfd322b64f

SHA1
0d020055f4ef7217578644f04a5c4ac9940f4810

SHA256
176322694c0fa137d68ff072eb2e83810abe722fc6eb7ae5da22b5ab52ee5765

SHA512
148ce405c096b7219ec3beb8a0c0f4b8a2c07f5980570e9a90e8cdc7f804fb7940efeb43fa05477949ca64d367e85a0d108107b5e5b71ec271e33c1c732393ea

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
378KB

MD5
f1e5b10a507e3f7962bfeaca30d5ab3c

SHA1
3ae8f2919065b7070124489c8e6fc84f17dc3b39

SHA256
5f9cc21443d482946f2f41ad049d52078aabae35077c4f578f8d14248f3ba9a8

SHA512
0c4d8b3ffbd627586d9ead8e6d3e72128ece262963db1556ab9c32e4e4f723f3e7a2fc88ad1f8809cd98a44e9326f2f28f75bb1dab125b319383f4c64b93b009

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
378KB

MD5
57ad31fab1d24584b1774afff9447769

SHA1
4fc8412889459d38eec5d57cf38a769268cd1d82

SHA256
12585b57ab76842783c5382be17961baca5584bfc7bbb778527f4038ed357141

SHA512
9b9ec5e41e3dc2088020e01872cd88583ed2c068e7e9c1fbf03bcabf66f19d49becbfcde401ed03f2b2e6f23f8d2ad9b15c77675443a4a0786ef146937ff74af

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
378KB

MD5
681806c58fe4d6fb391d0897d4d7a376

SHA1
d2c95c2c4faf13065f2e3e4cd560e5eb7489836d

SHA256
ecd7d10a971d8e13bdd6a2e548fa050b108e1280c844a7355ee09445cdb8d599

SHA512
2955c6b10562cbb5adb2b5a15e638da24be1057f8dc301430e6ee4bf7a31bcda7c2772854b8d0ddedce79c8e894bcef06505e690515ff02bc6d813e265f12bd1

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
378KB

MD5
f4c12f9b31ffcd0188398b370133bfe7

SHA1
ee6bb524be3f85452b56cf737db110acad8edf01

SHA256
597559bd879dbb9847de027d8457c9fd3070d3ecdc0f210b92b851284f56fc3b

SHA512
b3935376fd209a6b118813296abb8896f3a848da3322235c8f31544ed751128786d4fb3f345749d84c7b2ee02062d86773c7bf7c48fea31681d9f1debba89e67

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
378KB

MD5
b79a49eb895f4c5a2c3aec8953923ea5

SHA1
860eae7c833b38fc815e027d98abe64b11da27dc

SHA256
b2fc5a95bb2695bbeab9b081445d85e83ec117901347661ad62eb5e6d86fc532

SHA512
9c9a67ddf775cca874de18e514319b5503012dc69239c6817d471364a039ee258489689cd22b5da168e326282831af4f3edf6146f127f13b56a59895694d3fc9

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
378KB

MD5
70b4698bcaa701b1f0ccd0d19bf54a47

SHA1
66053a7447637d9ed84c7ce851d292d0efc3ca9d

SHA256
633d24db65158fa06aec211619ec6eacfc46b0283c254d50738f591f1683d3e5

SHA512
09550e1bca19ff1f41683a6568056aa7fc3a77eda42872339cb806783c4196485336e18ad1567032979861da959f8cc08f9161fc12b600743e39278a9c966960

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
378KB

MD5
409f07a671d460356d05e9344f763c03

SHA1
7c0a65011671fc039b2bdb9311601e2a23fd8649

SHA256
15dfd988ab6827833b716cfe3a9f5fb048848ea5b07c6d1498a959ad7b5a96ae

SHA512
6176f4c649cf3dee470075e6bee009fe81fe08679beecf8e2a825e8a19693d9853787213816140540342351d1fd977ed7b47fbe01046232feeb7b0c7a8d0b96e

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
378KB

MD5
598dbe8436f50cc7f4dc105960850738

SHA1
f0612ea052da06e2d13243f64caef034a08624b4

SHA256
1d639a908b66d4301104e1ad62e0b179dbc9a05d8a119ffac41f90c2e539b69d

SHA512
7d3979a1c86f61bdf8458f5129c00a1c6661ce12ebe8df17b7dceb9ecb1e949df3664a4bc125bf7aab965df1945ad70ed228539e193ecaf9d54c0a21a4337d02

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
378KB

MD5
731bd8cabf245c681dadd8326960f6da

SHA1
dfbd198392fbf517471af6ac55c786187aecd70b

SHA256
3b654896383031b5932339069d1423f4834c8749b0bba53b4fcab5f12884f1a2

SHA512
acfa82a0d993699d27af1ff11c11448e0e4ed84fc44721eeb0b49ad3ff3cfe31455f6c280e3b30a370194a02ee884a40426c075bc9d16212f33e713f9460fa0f

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
378KB

MD5
a08b7db7ca7c9b7ff082b7389e3192ef

SHA1
3f9eb4f2e5088b2fbe539478b61f14e373eee286

SHA256
97ecfd5f74879e4463bdd9ce95365e1ade3737f1ff22d9b1ac238b16f5141b92

SHA512
4e1d03e4fd0cc6180d7fef64967838a8477f009a454b1ccf98502250526542a864f6693318024db9a245936c51cdab9644680f430198b2e882d449e309ad8197

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
378KB

MD5
323d209bcc814986c27dac780b2aef0b

SHA1
9fac892949cd41c98ea69d254ac9d00e5b081cb9

SHA256
7946dd9515281a807671f62f0dc30fa837d1db7120c096dafccfac64372ae155

SHA512
c9d5db0769b03c9a34163ee543bca29200dc2256421488457bc33e0048e60b9cd0b325c59f4eea859db97cab1bf9d4b631928b293ad39bd9b467fad2a3a5299b

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
378KB

MD5
53d61a752bb7dd5730f5ac67fb44dac1

SHA1
1b1225d6eabc8a312e828c18a4da9ecde39c2ece

SHA256
0e05e45d184a41743c28c6aff63a71cd5453874a8d79917c69e91bac120f03c8

SHA512
da01e8d465bbabc3e9b195934d1b522f85317bfe043e855c20479067e232daef145998687cd5c2eaf92239281646431bdc576d3491aabc52cfa68e5b35c30225

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
378KB

MD5
dd46f93c69d8fbd943b321e264b27b11

SHA1
2c2b8f75af245d47897f4f174a6d50a3a5b2f91f

SHA256
1bcf773cbd68d6651f30e102c6be8b74156d6fc8dad466ea5f9dd8a36cfad28b

SHA512
3a02a73ad0ddd8d6cc4a62d57d588832deb1012273059147abcb5f52ae6737ef1ffe810bbf70d8f2bfec3f52e0651eeaaa81a62500d25c35568f6ce0f6074886

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
378KB

MD5
4741ef765050553deee991bfe2601416

SHA1
8e3fc55b11ee0cf5f5ea5e0ccb0e0f87a656e93a

SHA256
67f728f57c404bafb8cc3f320b7fd139e33587f8c9e0f4186f5eeab3bb2f8002

SHA512
4e88fc7a7b5615213344701bd74518719ee41cd76dcd9ca3d922a10fe96707ecb32921d59f84394c6dffce5c89d33b9366611f7b58283007377cf954f63e63fd

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
378KB

MD5
5c4e299abcefec98a3a9fe68fe2dfe5c

SHA1
a85bde1093e3818b490db3df2d89b12726b47fa1

SHA256
a425f34548b9ae2713d08cc51db0fcffb665d95312f5e6e3c67d89012338bac5

SHA512
b7b4ea1b427b6311dd7f786b44120ac57a71df06ffd7c83644e72b7b49cb526e8d69072d87aef942aa71695a3584d9089208d5f31e3fd0b0f44d7fe3e75ce4ae

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
378KB

MD5
ef2a99631742e2f76edb3998839f507f

SHA1
ec61580477d2067116b13f6b93c74f25faf66df9

SHA256
0a0f40998a41025f8d4c16d90d7564563436080c2d3e28194093c64deb38bfd3

SHA512
441b43006eeeafa77f1044cc080a367bf556ba77182c3b6b7d1db5e377145e2c4636187d586ae519f5ba48498637c11799cfde5c80e9ee34e073ec53d78beace

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
378KB

MD5
252b1bf05515995339e92cf56a4cf21a

SHA1
6c379f1ff7d95661d7de6017cc197140453f6085

SHA256
817d7f0058858aa6dbbef3daba9923154b77a4eed0b317ebe69fa5f90a99a4ea

SHA512
35c3ac6620d02bb8815c4fba1b57f16f6e481db35bcd69e383abaa0d7acd14d7dbafdf9cdd5ea4a9f26fcfc187f6f1aed6c062ec33d691d3e9b139fe44530ec1

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
378KB

MD5
1cd914a3dc41ee48b81f659aadef048d

SHA1
bd5c43b1329fc371202a12384a3dcad2843c517c

SHA256
d876a0034b1cdce88dc03aef0d2ed26e64b8c489e7aec5e04514b758e9acce7b

SHA512
f8ff14b0986929c3a5c877d08b7863467790bdbf90c72172109335c6852e869c11bd88cb7b24a1a63fcb46338ebd773a20653677f45a13c3694ce8d18686fd37

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
378KB

MD5
cf32cec615c80ecb8e981e9293744cff

SHA1
c4b0ad3743c1fa53aa56e8b69858d701856e37e8

SHA256
1919db9fbba01e7c15fa70626f2ee6c6f656b1051d27a3330e913b8013093084

SHA512
98977f7b4b5f552bd9c321e0a79827ed86f8c742c86fc46b26b82495bd63234eec9db596821538bd2f03ceb47dce6a042c5e3398a968ffb5caf5190d241f97a1

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
378KB

MD5
cfe3ce0c11651a73f3cdfbc7288765c3

SHA1
a953bbca80937d9d8bfb1f2e9a4f7e235bf7c09f

SHA256
94911e395e6cdc467d00891a3139f79f0c449f15b1f7a993232b5906e3965648

SHA512
a790a406a9c62ae4eccd1cf1a0aa6ae4169fc585ee4be8e510021c20184a4a4502dbfd6aff455eade5744560e5f6adeeeba21de8ec79e54ae80e9c067e6e32c5

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
378KB

MD5
ac98bfe2a7b75b673cbf14888c2ede95

SHA1
087adcc7110539d92978d569c963f278ff35cf0b

SHA256
2e8d1c5506b05068eb0cad6df4a5216ec8b509c4335c6079ee33664739604426

SHA512
df8170103d32c0012f4116379dc48b1f56e0d37e78aab54877e1cd011a2dae60526d500d5a903c0b1f0e9a40f3bdd3d8809a0dd1d845e78d2a68d5b061329423

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
378KB

MD5
e8632b07b7a9508db541c4c6c56dfa54

SHA1
c61ead304b770dea18ab0c23f1dcffcbef156fb3

SHA256
2776ba836e15bbebd6191bfcbb2ddfba201805de6a748ccc21e9c3911aecd4fe

SHA512
c41097f5dc27669552cd2bbdbf8317ed208862947bdb29c1ff931538883895a165b86eeea65a9b5af8b1c40f4e51eba95b72af99c9352329c3cfbe92f1f746cd

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
378KB

MD5
452a1cd8ad7c05f8a86db663ed6d5fad

SHA1
c0e1b4621cb95f6408c38f83ff0106c10ad04dd5

SHA256
422f23847c69055b78886f5525a4649c5a68efbcdaa5cb97255ce8a417525f19

SHA512
75d09a9a8c6fbbc012083f3e7c2f0dbb2377675f7b40de1b3616f0b60dda6554aca540f6eda59bab4b53d9495b579413da42b11b92d2dc8c08a61c4ec12beac6

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
378KB

MD5
78598ce4e1b85d90f063b2570576d27f

SHA1
75bb8ccb2e18a48bb6dc38d754e4c15cb996ddee

SHA256
50024e1bdc4e90315663cbd4409dfef16f8ea31187c1e3f6b934ea2430c176af

SHA512
8355330479435181fb09ce2f299295cd2060b3abcd8b2b3a4f48251bcc2082c0c900b6efb1bec564cd27ae0baa5bd635f775bf60834ee9554ebccc25534cac5d

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
378KB

MD5
7064f2b2a778c33c1b2e3068a5855cde

SHA1
738f280941d2922f839219a9e1509b9d1f743aa1

SHA256
cb3b908be633b7b5f9f2abb9109ff0c9a648095f5bee907e4eb563e44f2ec039

SHA512
54f9f9c0ea7f509c43b7ebe7dc1ac6c3288a615352624c6f6d4858ff74fa72d2dbf367bb56607511cc98093d77aeb7543eeabb524a2f5f067a8dbc74adf9eb05

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
378KB

MD5
bececf9c487973634bce03f901b935f4

SHA1
3d7585eb1f73af78a3d800091224abbd8cc7bb0f

SHA256
2b0dd442f5608b1b09b0a8af3851709a400b8c7d5887cfa956c12b4b7ea4cd9a

SHA512
2e91628e035a63ed68929ec92255500558ac7ebe63e1d6eb773aebd62280a60733ceed7e70a9db9f4708b83ea8a62f59fc7d56c0ae41a20823bcb468a4ca2710

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
378KB

MD5
9032f0e1109bbaa25d025d66be419327

SHA1
051334143154d267b395ad02b900797f141e53c0

SHA256
272b82d1dcfa7ee5a664b1373e20d097363d708b105accf6015c9dd604c86a85

SHA512
ba239e341ac0476a810efe000caf056aed00e0adf170423d866361093f94d6e14db6dd5c95b8f1cb72111ddb82476d0c4abcaf0c58c898e058c4e0f4fd3760b1

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
378KB

MD5
598d094ff372d13d8fef3719dd50e958

SHA1
742898292a71b8942328da3b5d6b6b913627eaba

SHA256
7980128e6d292f322d5da79a0d242ddc8d6fb0a37b9a452a76dfe56b4d57cfb7

SHA512
34f601245977c1b82e961b617e6db7d34fe97846c0122581808bdd03bd5fbb1f66e94666608eda35550644cb60693c20fb891ba0bc34f923e940ffe0877906ea

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
378KB

MD5
3cdaab39fc2cc4a7bbb9a98f73a78e2c

SHA1
733d73eafda611c48012c97c284dea80c6f5a357

SHA256
b5f46a8ba57b0be77009dc7d83dd2d7dab0c3c671f4da3d2df1e7826ac0c4f83

SHA512
a23f47db0f6db5cdd084162c68d30292750059f42d6d5e0f01c644088f7c1c85b87b1e5ec95e3d8578d5d93568f1b4790f0e1e49ee58f903d2ae6ada24c6280d

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
378KB

MD5
266a589c1c85a1ebbff381c356fb56a0

SHA1
0165170201ee3728573a9bcf73f877fda31a2faa

SHA256
cba57a5054f98ae872b9a43dcaf0452c5d7359d6c6ae121943b6c59f9ad5cd15

SHA512
dfa3c78760929660c993a391bbc07dfad1d63a2335bf828c67416ed78f4d8bcebbad340ee4165b9e533146124ac05d434e2d74e0e81e8b11c1ec970b9b07727b

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
378KB

MD5
1c423581a12b18937c30b03b10b04c23

SHA1
00f46d5d7c2d62f326fbca84e6a6b44c3d132711

SHA256
2b7f8c1ec2e9f1bf6ccfb343d24feabaf335851540738d63680433d193f8b0dd

SHA512
a11c56f9955a3586dd5bc865b6a6f2b2b568cc3d6f9acf11eaeb37272f6c27f1d9847473a60e7a1061ac7fc3ff343a8689b272f7fa7e556bde0345cb84eaf201

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
378KB

MD5
8e32608a9ce516626c24fd96790cd139

SHA1
563a3234d778bc5727703d821a1cea781f38b54b

SHA256
4fa40ac3d35d3a0a05701486ef5164be4254be4b136abb2b1c8da634f87eb5e1

SHA512
728088e91ac0180792ba7f90b635af609f67811c59e97c51bc00fb09a82a58ccadbc73b07a6d23c40ee114fc63be6afe85cb8539238cf493364a2c877c4ced72

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
378KB

MD5
41451e0d37c16c67ef0c409c3726d574

SHA1
99e76d79289faafec270483cd989707a9875c990

SHA256
53acdef79b9bd6acc14f4a00b451fa4a8cbb7f9b0ad8ea41a37de4054038d487

SHA512
ec12859ae76ba5db5db85dc5b97212cd55f61b06839a26cebace68b725ec43d836a1aa023b783a28ee78bd5ef89191811110d1007c6819cb07ff0fbe3497bf80

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
378KB

MD5
fdff9b960351caf532a20e5d7b1d1798

SHA1
7be5b9a87eb88fd2e15cff43bc62958495732a9d

SHA256
1b0bc9d97232195c62f2402afdd496bb9bb41f3999a04b6a5b8086af465c0cc5

SHA512
c381a0ee1ff5cdeb6a6e5fe454cc7dc731296a35d291102d48a2aef597e93f583f2a66b3e61f4a192ba2c4031e267ff5bdba5febf6ad7bee6e32349c9db7a565

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
378KB

MD5
ea1238aa4fd95f4d0a37fc420a1c5885

SHA1
56076785136ad3cec095f6265f1077f6e66cb2e2

SHA256
7cf13e53595dea5f6da4e265cfc6fb4789d78289f5325a3a5e058226d2fe1686

SHA512
94eec3e28e698475d418c5f7100c715e66227d77bc1e2629752f1d1d686174d624950928c83eebca472d6de340e9a4ea5f802e037b5a8652592e8dc4fffb500a

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
378KB

MD5
90234d3ff233fec56bb23e66ad6ec214

SHA1
08833e49378f94a069cccb8624a777b8a15575cf

SHA256
819bef2251a6616abbb079c1cb18cf692d2899a65fdea4657c5093a0c8181256

SHA512
15cea7509bc21cab5869da914794026c47eec0834c8af643c52dfb136b87a85d3a816a01ee4376e38128b6dcf34ffedc75a1052e8c57593f1839684ec7b24f04

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
378KB

MD5
c8252a9aa5454f0437a591ba2fbbbe5c

SHA1
ecbf2485c091b6468f3e883cb2137793848d0d3e

SHA256
9888b982784daba4cbcf215d756f20054d54666b0ed5065b01c24cffc51a238c

SHA512
4d837e2d6a56f8ccfeb705e303576032d24c2c93f43e777c082fd863d7248fcb7274dbbfe0dc45885cbc0e2a13e7424cf1e3c08d2880b81452419d8b4c8495d5

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
378KB

MD5
124d4ace0019d04301ec7f65b8ace60c

SHA1
c7582b830ca55aa4792302c7e81f986fae234fdf

SHA256
0e011740fa9aa232265782d2d7249aa5d47b04a7cdb6779b1dd01ff73cd4cc47

SHA512
cfa21e93afb3adcc6cac81f9bf5f519fa899ed674a80e85da4597815ae283f0235041c35c03e5523ada46f8c215388a38e2e36c193c9b0f38476256951081466

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
378KB

MD5
b97d22378b18ce89384a75c99dae747d

SHA1
00900b210e64c8f55267931bc6a25f29f668765b

SHA256
da67ff916be3f0da06b3ee1b342f9d6c44666ab64992228731d70898fdb0499a

SHA512
089b9e39792c94a4a7f22bbab00fa7b00032fb09269e30acccc080b830dc8c6112442f3e966d0c719b6eb097265876e2dbe887f5fd81750a2a85a4741059e34b

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
378KB

MD5
604807c6fdec7f4b31269a799d865dce

SHA1
f36d8fbac6501f0b221c620193bb650f70f9eb87

SHA256
e4d8d403de253652d7ab82f9923667ffbb6c16a70d6ea161882f1df664e0c135

SHA512
ca62023a3ee4555645fab3c559d8643cd1a997ccf89d5604916d117990517989f05977719d987db63f673ff6b2f9b068a7fbfca11775a44d545795b0dccfedee

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
378KB

MD5
c1348b59b1d7530b76cd84089a547a4e

SHA1
167a6bff8399f85d7e4031bea99bfb0183a6ec6a

SHA256
6ee857459463767b9dc91db505d6f2c8da614d584eec2c48238afbdbe84863d3

SHA512
2e3b7a23de2b93d6b18ceade73d301a20ebc0fdc45505d88df88c408fbe9cbedf86b038b01396dd52bc4194dc4234fb674f24ff8ad73eae1ba3a2075acb06fc6

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
378KB

MD5
57512e8a0135fd373ee6a4069d74efdb

SHA1
bbc7fcfe55c268cdfafee31d8fb476a5a68e1319

SHA256
33ec786bc801c0af4743609c2fa51e8b2dbf59c5972e7cc7e0be5489506bd3db

SHA512
ad90e1cbe95721506b05769c6de25cb3964193500adc371db7176492c9f2c5ded6dc5c1bc59f4058505679ae3cec2ec4d9564aebd3e8b6bb0beaca7c1107d43e

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
378KB

MD5
d1409aaa887b0035284264becca49bf6

SHA1
6e9769d59cef35e97e7981a818eab9ca581c60e1

SHA256
64626879caed398fe1deeeae5cb1cded1e3a0faf540808d89b489570b1fb443a

SHA512
fafffce58fd3c0c26a483ed441bf8cd77a416a89f24c6241d2b5249c3edb66a94c4ad057ebd914cfeacebc930091c409aeeef047147e90be4faf382ccd154e55

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
378KB

MD5
d62110f89aaa6a8623e9dadd0d1b130a

SHA1
73fd0485b9d6e5918e5870c39adf8d152699c215

SHA256
c01d6de884dce2f44c801cf18c5d9738cb11abe85b03471aca2b0318a27a5660

SHA512
4f9688403660fb0b8737edaa8208e2f3557f1bfb35be10ae486907d71031884f424eda94618e5f5ffa7511a0a264a49196e8d05b2a8ac509f751868c0f55e3f7

Download Submit
memory/212-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/228-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1304-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1336-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1372-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1756-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1824-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2032-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2224-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3100-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3196-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3228-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3284-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3332-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3480-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3496-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3808-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4068-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4176-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4184-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4220-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4256-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4256-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4640-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4644-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4792-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4864-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4932-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5056-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5060-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5092-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5140-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5180-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5220-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5260-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5300-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5340-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5380-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5420-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5460-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5504-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5548-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5592-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5636-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5680-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5724-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5768-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads