berbew | 065ca3300226849c7199a64e17cfb6109afafba60e0334250f0c01a8d84a7cae

Analysis

max time kernel
124s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

065ca3300226849c7199a64e17cfb6109afafba60e0334250f0c01a8d84a7cae.exe
Size

128KB
MD5

5f821548aaee1f7e5cbad3ba191341e6
SHA1

a746b8acfcec139fe6bd833be47d0222bd708349
SHA256

065ca3300226849c7199a64e17cfb6109afafba60e0334250f0c01a8d84a7cae
SHA512

7fa0a7ebb34ca4525fb3f52dabdcd58e347d16aeca6cd21ead7922b3ef5a91860b7bc0d952263d318dff1016105d643ebbfb847e22692ab07e52d9df2f360b94
SSDEEP

3072:HSnYYS9pq3v922TBZ8bQf8Hpl3VIMDV3FQo7fnEBctcpn:HSY3pev92YaQ8JlxDV3FF7fPtcJ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kedlip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcikejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepleocn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocecgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dglkoeio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iajdgcab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkaclqkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekajec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hecjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koonge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lakfeodm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	065ca3300226849c7199a64e17cfb6109afafba60e0334250f0c01a8d84a7cae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqeioiam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapppn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nblolm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofegni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifmmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfidb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaclqkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ganldgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghojbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Johggfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfiokmkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgjhpcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fganqbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edbiniff.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
628	Apaadpng.exe
556	Bgkiaj32.exe
1108	Bobabg32.exe
2240	Bmeandma.exe
3552	Bpdnjple.exe
5028	Boenhgdd.exe
2848	Bpfkpp32.exe
2664	Bgpcliao.exe
4552	Baegibae.exe
5080	Bphgeo32.exe
3144	Bknlbhhe.exe
1468	Bahdob32.exe
3496	Bdfpkm32.exe
2616	Bkphhgfc.exe
1284	Bajqda32.exe
4680	Chdialdl.exe
4876	Conanfli.exe
4448	Cponen32.exe
3964	Cgifbhid.exe
2592	Cncnob32.exe
1940	Caojpaij.exe
400	Cglbhhga.exe
1812	Cocjiehd.exe
1504	Caageq32.exe
2276	Cgnomg32.exe
4088	Cnhgjaml.exe
3464	Chnlgjlb.exe
4768	Cogddd32.exe
2216	Dpiplm32.exe
4716	Dgcihgaj.exe
4336	Dojqjdbl.exe
3376	Dpkmal32.exe
1752	Dhbebj32.exe
1260	Dolmodpi.exe
4360	Dakikoom.exe
1272	Dhdbhifj.exe
3124	Dkcndeen.exe
1436	Dqpfmlce.exe
2912	Dkekjdck.exe
4880	Dndgfpbo.exe
4272	Ddnobj32.exe
4920	Dglkoeio.exe
848	Ebaplnie.exe
1760	Ekjded32.exe
3052	Edbiniff.exe
3988	Eohmkb32.exe
4808	Eqiibjlj.exe
1568	Ekonpckp.exe
3056	Edgbii32.exe
3044	Ekajec32.exe
3816	Enpfan32.exe
2360	Eiekog32.exe
4772	Fbmohmoh.exe
4384	Fgjhpcmo.exe
2844	Fbplml32.exe
4652	Fkhpfbce.exe
1964	Fqeioiam.exe
2084	Fgoakc32.exe
3668	Fniihmpf.exe
2140	Fganqbgg.exe
644	Fnkfmm32.exe
2584	Fajbjh32.exe
2092	Fkofga32.exe
4592	Gbiockdj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Iolhkh32.exe	Ihbponja.exe
File created	C:\Windows\SysWOW64\Pjphcf32.dll	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Mpkcqhdh.dll	Dglkoeio.exe
File created	C:\Windows\SysWOW64\Enpfan32.exe	Ekajec32.exe
File created	C:\Windows\SysWOW64\Debbff32.dll	Lepleocn.exe
File created	C:\Windows\SysWOW64\Mdcajc32.dll	Mcfbkpab.exe
File opened for modification	C:\Windows\SysWOW64\Njedbjej.exe	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Nfqnbjfi.exe	Nofefp32.exe
File created	C:\Windows\SysWOW64\Oblhcj32.exe	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Boenhgdd.exe	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Focanl32.dll	Eiekog32.exe
File created	C:\Windows\SysWOW64\Inebjihf.exe	Ihkjno32.exe
File created	C:\Windows\SysWOW64\Idknpoad.dll	Iimcma32.exe
File created	C:\Windows\SysWOW64\Dojpmiij.dll	Jpgdai32.exe
File created	C:\Windows\SysWOW64\Lebijnak.exe	Lafmjp32.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Cohddjgl.dll	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Dglkoeio.exe	Ddnobj32.exe
File created	C:\Windows\SysWOW64\Ggkqgaol.exe	Gpolbo32.exe
File created	C:\Windows\SysWOW64\Mjnnbk32.exe	Mbgeqmjp.exe
File opened for modification	C:\Windows\SysWOW64\Bgpcliao.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Ecpfpo32.dll	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Kekbjo32.exe	Kcmfnd32.exe
File opened for modification	C:\Windows\SysWOW64\Mapppn32.exe	Loacdc32.exe
File created	C:\Windows\SysWOW64\Mpeiie32.exe	Mjlalkmd.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Iajdgcab.exe	Iolhkh32.exe
File created	C:\Windows\SysWOW64\Ibjqaf32.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Jhnojl32.exe	Jeocna32.exe
File opened for modification	C:\Windows\SysWOW64\Klndfj32.exe	Khbiello.exe
File opened for modification	C:\Windows\SysWOW64\Likhem32.exe	Lepleocn.exe
File created	C:\Windows\SysWOW64\Laiimcij.dll	Loacdc32.exe
File created	C:\Windows\SysWOW64\Omfekbdh.exe	Ocnabm32.exe
File opened for modification	C:\Windows\SysWOW64\Pbekii32.exe	Pimfpc32.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Cponen32.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Kemooo32.exe	Kocgbend.exe
File opened for modification	C:\Windows\SysWOW64\Lckboblp.exe	Loofnccf.exe
File created	C:\Windows\SysWOW64\Bcejdp32.dll	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Nmcpoedn.exe	Njedbjej.exe
File created	C:\Windows\SysWOW64\Iaidib32.dll	Ocnabm32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File opened for modification	C:\Windows\SysWOW64\Gbiockdj.exe	Fkofga32.exe
File created	C:\Windows\SysWOW64\Hpkknmgd.exe	Hiacacpg.exe
File created	C:\Windows\SysWOW64\Jahqiaeb.exe	Jpgdai32.exe
File opened for modification	C:\Windows\SysWOW64\Lakfeodm.exe	Lomjicei.exe
File opened for modification	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mcdeeq32.exe
File created	C:\Windows\SysWOW64\Ofckhj32.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Ahhjomjk.dll	Oblhcj32.exe
File opened for modification	C:\Windows\SysWOW64\Pjoppf32.exe	Pfccogfc.exe
File opened for modification	C:\Windows\SysWOW64\Chnlgjlb.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Dakikoom.exe	Dolmodpi.exe
File opened for modification	C:\Windows\SysWOW64\Eiekog32.exe	Enpfan32.exe
File created	C:\Windows\SysWOW64\Fajbjh32.exe	Fnkfmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ghojbq32.exe	Gbbajjlp.exe
File opened for modification	C:\Windows\SysWOW64\Ilibdmgp.exe	Iijfhbhl.exe
File created	C:\Windows\SysWOW64\Pkffgpdd.dll	Klndfj32.exe
File created	C:\Windows\SysWOW64\Kbhmbdle.exe	Kpiqfima.exe
File opened for modification	C:\Windows\SysWOW64\Fgoakc32.exe	Fqeioiam.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6520	7968	WerFault.exe	325

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mablfnne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joqafgni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfbkpab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nijqcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpapnfhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfpell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjoppf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplhhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niojoeel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fganqbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koonge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqeioiam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gijmad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfiokmkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphgeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jihbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmhko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obgohklm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijfhbhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haaaaeim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlgoek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcmfnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpeiie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckkfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofefp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfepdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khiofk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nblolm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbojlfdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafdcbge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgdai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomjicei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpclce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dakikoom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hicpgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhqefjpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnnmhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodiqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edbiniff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlalkmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpkknmgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hehdfdek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipkdek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaonbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpakj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookoaokf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iafkld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpehef32.dll"	Ghojbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlglnp32.dll"	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edbiniff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiacacpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnokmj32.dll"	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idknpoad.dll"	Iimcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcjjj32.dll"	Dakikoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgjhpcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnblldi.dll"	Hecjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdbcaok.dll"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbpedjnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lomjicei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjbdk32.dll"	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcilohid.dll"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dolmodpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debbff32.dll"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll"	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkcndeen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll"	Ibegfglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiacog32.dll"	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapfpelh.dll"	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjggal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekajec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdihk32.dll"	Fbplml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmejc32.dll"	Dkekjdck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kidben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lljdai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnkfmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpclce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 628	1880	065ca3300226849c7199a64e17cfb6109afafba60e0334250f0c01a8d84a7cae.exe	86
PID 1880 wrote to memory of 628	1880	065ca3300226849c7199a64e17cfb6109afafba60e0334250f0c01a8d84a7cae.exe	86
PID 1880 wrote to memory of 628	1880	065ca3300226849c7199a64e17cfb6109afafba60e0334250f0c01a8d84a7cae.exe	86
PID 628 wrote to memory of 556	628	Apaadpng.exe	87
PID 628 wrote to memory of 556	628	Apaadpng.exe	87
PID 628 wrote to memory of 556	628	Apaadpng.exe	87
PID 556 wrote to memory of 1108	556	Bgkiaj32.exe	88
PID 556 wrote to memory of 1108	556	Bgkiaj32.exe	88
PID 556 wrote to memory of 1108	556	Bgkiaj32.exe	88
PID 1108 wrote to memory of 2240	1108	Bobabg32.exe	89
PID 1108 wrote to memory of 2240	1108	Bobabg32.exe	89
PID 1108 wrote to memory of 2240	1108	Bobabg32.exe	89
PID 2240 wrote to memory of 3552	2240	Bmeandma.exe	90
PID 2240 wrote to memory of 3552	2240	Bmeandma.exe	90
PID 2240 wrote to memory of 3552	2240	Bmeandma.exe	90
PID 3552 wrote to memory of 5028	3552	Bpdnjple.exe	91
PID 3552 wrote to memory of 5028	3552	Bpdnjple.exe	91
PID 3552 wrote to memory of 5028	3552	Bpdnjple.exe	91
PID 5028 wrote to memory of 2848	5028	Boenhgdd.exe	92
PID 5028 wrote to memory of 2848	5028	Boenhgdd.exe	92
PID 5028 wrote to memory of 2848	5028	Boenhgdd.exe	92
PID 2848 wrote to memory of 2664	2848	Bpfkpp32.exe	93
PID 2848 wrote to memory of 2664	2848	Bpfkpp32.exe	93
PID 2848 wrote to memory of 2664	2848	Bpfkpp32.exe	93
PID 2664 wrote to memory of 4552	2664	Bgpcliao.exe	94
PID 2664 wrote to memory of 4552	2664	Bgpcliao.exe	94
PID 2664 wrote to memory of 4552	2664	Bgpcliao.exe	94
PID 4552 wrote to memory of 5080	4552	Baegibae.exe	95
PID 4552 wrote to memory of 5080	4552	Baegibae.exe	95
PID 4552 wrote to memory of 5080	4552	Baegibae.exe	95
PID 5080 wrote to memory of 3144	5080	Bphgeo32.exe	96
PID 5080 wrote to memory of 3144	5080	Bphgeo32.exe	96
PID 5080 wrote to memory of 3144	5080	Bphgeo32.exe	96
PID 3144 wrote to memory of 1468	3144	Bknlbhhe.exe	97
PID 3144 wrote to memory of 1468	3144	Bknlbhhe.exe	97
PID 3144 wrote to memory of 1468	3144	Bknlbhhe.exe	97
PID 1468 wrote to memory of 3496	1468	Bahdob32.exe	98
PID 1468 wrote to memory of 3496	1468	Bahdob32.exe	98
PID 1468 wrote to memory of 3496	1468	Bahdob32.exe	98
PID 3496 wrote to memory of 2616	3496	Bdfpkm32.exe	99
PID 3496 wrote to memory of 2616	3496	Bdfpkm32.exe	99
PID 3496 wrote to memory of 2616	3496	Bdfpkm32.exe	99
PID 2616 wrote to memory of 1284	2616	Bkphhgfc.exe	100
PID 2616 wrote to memory of 1284	2616	Bkphhgfc.exe	100
PID 2616 wrote to memory of 1284	2616	Bkphhgfc.exe	100
PID 1284 wrote to memory of 4680	1284	Bajqda32.exe	101
PID 1284 wrote to memory of 4680	1284	Bajqda32.exe	101
PID 1284 wrote to memory of 4680	1284	Bajqda32.exe	101
PID 4680 wrote to memory of 4876	4680	Chdialdl.exe	102
PID 4680 wrote to memory of 4876	4680	Chdialdl.exe	102
PID 4680 wrote to memory of 4876	4680	Chdialdl.exe	102
PID 4876 wrote to memory of 4448	4876	Conanfli.exe	103
PID 4876 wrote to memory of 4448	4876	Conanfli.exe	103
PID 4876 wrote to memory of 4448	4876	Conanfli.exe	103
PID 4448 wrote to memory of 3964	4448	Cponen32.exe	104
PID 4448 wrote to memory of 3964	4448	Cponen32.exe	104
PID 4448 wrote to memory of 3964	4448	Cponen32.exe	104
PID 3964 wrote to memory of 2592	3964	Cgifbhid.exe	105
PID 3964 wrote to memory of 2592	3964	Cgifbhid.exe	105
PID 3964 wrote to memory of 2592	3964	Cgifbhid.exe	105
PID 2592 wrote to memory of 1940	2592	Cncnob32.exe	106
PID 2592 wrote to memory of 1940	2592	Cncnob32.exe	106
PID 2592 wrote to memory of 1940	2592	Cncnob32.exe	106
PID 1940 wrote to memory of 400	1940	Caojpaij.exe	107

C:\Users\Admin\AppData\Local\Temp\065ca3300226849c7199a64e17cfb6109afafba60e0334250f0c01a8d84a7cae.exe
"C:\Users\Admin\AppData\Local\Temp\065ca3300226849c7199a64e17cfb6109afafba60e0334250f0c01a8d84a7cae.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\Apaadpng.exe
  C:\Windows\system32\Apaadpng.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\Bgkiaj32.exe
    C:\Windows\system32\Bgkiaj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\Bobabg32.exe
      C:\Windows\system32\Bobabg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        24⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        26⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        30⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        33⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        34⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        37⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        41⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        44⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        45⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        47⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        48⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        49⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        50⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        54⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        57⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        59⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        60⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        65⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:224
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2184
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        68⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        69⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        70⤵
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        72⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        76⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        77⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        84⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        87⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        89⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        92⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        93⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        94⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        95⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        96⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        99⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        100⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        103⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        104⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        107⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        108⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        113⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        116⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        117⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        121⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        123⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        124⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        125⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        126⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        127⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        131⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        132⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        133⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        135⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        137⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        138⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        139⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        140⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        141⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        142⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        143⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        145⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        147⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        149⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6372
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        151⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        153⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        154⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        159⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        160⤵
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        161⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        166⤵
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        169⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6272
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        171⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:6480
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6648
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        178⤵
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        179⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        181⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        182⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        185⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        186⤵
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6624
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        188⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        189⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        190⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:7044
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        192⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        193⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        197⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        198⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:6400
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        200⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        201⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        202⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        204⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        206⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7176
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        207⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7220
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        208⤵
        Modifies registry class
        
        PID:7264
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:7312
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        210⤵
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7408
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7452
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7540
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        215⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        216⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        217⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        218⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        219⤵
        Drops file in System32 directory
        
        PID:7764
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        220⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7808
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7852
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        222⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        223⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7980
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8040
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:8084
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        227⤵
        Modifies registry class
        
        PID:8144
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        229⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:7348
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7448
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        232⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        233⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7628
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        234⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        235⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7908
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:7968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 420
        238⤵
        Program crash
        
        PID:6520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7968 -ip 7968
1⤵
PID:8100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apaadpng.exe

Filesize
128KB

MD5
befc3d1540edd3e5d70dc3e8248ebca9

SHA1
8d99720ca0d658b22273ab0debe64dc86e8427fc

SHA256
54d2885edbb98f5027770ae44f7e76c2005a7be8b3b9f5d3efa2e4b95e9205c3

SHA512
edb8e7a3be802109c57e3931ddb927046875531228b49509441c5c2d38db82d9436ffe665ad2109eb2b1ff7b55fca596efb39e37d139aa4241fd038bd7d187be

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
128KB

MD5
7121d91c0a2a67a2732358940cfcd711

SHA1
eab444d1577f99e1bb8324b0a050fd1630548533

SHA256
db5e4745074f3cf1a7c9be200aa21ee570cd397d646d6b422d33b6afeccaddb7

SHA512
1184a2428c001cb198859b356c438071d6330776ce8fb2f51c0b4e512138cb428a86e8f81f49c1a160c394b9a668381951f4ea7c3b7a239d2e4012962df71413

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
128KB

MD5
f093ecba581a4af47a52ef5b15fd8eba

SHA1
c4d72b4a550ff55d8aa0d81aa0707e8087707510

SHA256
385586ab2b4c2d695618bd2215a184905a1dac93dd8730aa6f87724f112ae019

SHA512
258c64dcb43b49bdaf7b9944dde2337ceeb6dfbad75e3db67a2e72b2bbf6af9479a3ef8bebd84fac57956b02bb3c3ca4e35b4011a3645fd7786bbc45942317ac

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
128KB

MD5
9e714bc4a928e95b84f210c4038e2242

SHA1
2807fb3a3161ceb667d4ff69150d367e56d6a582

SHA256
bcde48155bdcc32be9ef4bff7e8a2b252edcabd46043eefcbab4b442aec9f9d7

SHA512
b5a184b0c0526ac570bdfe9497ce6bb3f94c3f4a9f917850aba6e9cffc722edfaae8eca6d957008edc2d8d728f3d18c77558b70658e3e03b7cd21f97d2f886c9

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
128KB

MD5
cc33b60569872c995f13856240d3c2af

SHA1
6788bdb204ea2af0b2b6cc4aefe5c716db20d3c9

SHA256
23bbba9f913ed7698f69c13f3ce3123d93f9ae38fa0c1dc27d97d34a0f10527e

SHA512
bd655147f497d9633a70a8b303c52f4a609b855844469f4933b0f0ba80746e3e47c7bb48b25bf873d2aa1a47c9ae94bdd34204dceac4bbb5461658fa8cec4796

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
128KB

MD5
db036b93176afe4f3e57fe37b4306a76

SHA1
445ac5efcbacadba4a608a102b3b2a5afbeade88

SHA256
a5b44eb88d889ae365b75b798f6438c35dcb4df26c349be10293e95d1e276ab6

SHA512
50b970e199448343f9d36822094890a3cf2ab8a1a705c04c1ec66c14ff79d6af0912e4e62c539df15f09bdd07132ff061390827f4559b1d6684a10a31583bda2

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
128KB

MD5
01a88742206ef53f26fc8f8c5ddefb27

SHA1
72815591ec3c3bd9494ed338df50716d19cd1299

SHA256
70a15b6f13241f7d3703c2410399814b4fb3bbe13e57d40b3f3413dce1d9aab2

SHA512
01cc3e0efc31f576c82640c960a97d28a5949ef86cf14a06322ad73005ca2f1820cc7efa9d3c247c95eb5a294564783df13d7ded84d7574967899ac1ac5874ef

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
128KB

MD5
00b6914c7751f948e73193f906698323

SHA1
4598ab1e0e4919a17e62640b5be0682e5a24d97c

SHA256
3f9bc2661b9251368b6afd36555a53421f71e5044268c66d60feeaae4cc855f5

SHA512
38038aee1b4992c8aa6376baf062ddf76196e47fd851f88da33faca5ba0b87fc7d709fad200cf993cf76dd61520f4f1def4a89bd91a6d0797b10ee937f461bd3

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
128KB

MD5
adbb1152d5ee96bc4f7e9de65e1b0ae9

SHA1
ed811592af133a502d8a5fb62eba0145f3392a61

SHA256
659f8a0843e22bb580c9bb1425677b6a1582fe977c87d668f61d98b7ad3bc16e

SHA512
80f42621066a9b0d38830758c51ca6cd8a0a0224f59b22ad34a6df3db28bb91169a651cb18ab3721b3307daf2a8ede0c481c66921f03487bf6f5035390778c9f

Download Submit
C:\Windows\SysWOW64\Bmeandma.exe

Filesize
128KB

MD5
dd18628fd76cccb7f1dc869de72f1869

SHA1
41e78f93d632637d730e814ce6a1a9b59cc3dfa8

SHA256
9269b5c79a48c4587b526787eccff59934d82b056f6941f579282edffbda0f34

SHA512
7453b334e9975b40b9e71271e1e79015fc50077917d098d8f4ad120c82189fb2a832346603c7bcd84387cd980207e67e791529813e5139a9bf0ef529bcb24918

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
128KB

MD5
e7c93573254a486a22b46f6f02c71e7f

SHA1
4bbb0d2e2d60753e9774963c1bff2ea4a0a99add

SHA256
52ca1579d5e734fbd2d3c8f12d40d3c37dee2f41e812f69fd6ad5ff5cc61ba7d

SHA512
e3fb275f0c278d1d1abc2fdb005f2de1ce0c841d138d989767f5e404484f8efb00f0c345c8b01192dbb2a5d6a38ffbaec60f9df0a62a1ef281c2716f0963e464

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe

Filesize
128KB

MD5
42b64da05cfd93448d61915b10507b3d

SHA1
175037c926d36e794fd31f5eb5574266dea7d69c

SHA256
c701e1cfbd77079d160b19c4dc179e3d0f03e3e3c92bd05db1b08842bc73a6e0

SHA512
c3806d6ae1adeb938f1afc12e343edce7f2fcf9673aacf15e5b181e4c2fe01c14bd43e5a5587d34168fe734713ebafaad8860744044f026709a5491585f1e6b4

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
128KB

MD5
a8f0b539371f3fb1bb642288f56c657a

SHA1
4b3720bc2b9835fe8ad1f1a5a9af46f0b733b3cf

SHA256
19f0710d3d83220aa696bd9db959b282531d67ef3595b8e886357d1fff606f9a

SHA512
96f72e4aca39c19856872bfc0c15d28336694d86bd0e06f11bbba46e1de44d5a303de4fdd153d4fb3374cd4543aa750d76dd634edc3bb1074483413da2c7c410

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
128KB

MD5
d46b17df73effe839211a3ba0639e987

SHA1
af01bcb1cba95bd7f84f5acbf16cc38b5c7d8528

SHA256
d7ab5f46bdc27f79e2637d640321f3a2b1114182dfaf22bea77717e2ad6b9a12

SHA512
2e2db4f84ce602711ed7a28f278c44c266332d8033ee5c99b0ecdb8d958b0d41c5331809e4e5e62d6278482b4d973f5297608429b64eae694caf692cc5ed97bf

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
128KB

MD5
8e67fbc4f570fbd7b717b5f05bbf7be1

SHA1
598ec7f954cc6b50b5e2dc9fdc53d187c73784ee

SHA256
d81fe385a9108f6cfb4247f418a3890711cbd31ded8b4397bcb214d9783fdb92

SHA512
f5ae7096a396c8f08b0b717983bf3be04b8178d5ef0726a95f949c39d0bef4763b63310b2f1844b5ff0250f1dfb726775448abf0b976ad505293233f6198d2fa

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
128KB

MD5
00577e7eaeea3c50dce76851eceddd99

SHA1
863271c0d4ef9b6b17b2c9d41398d7e13b70de36

SHA256
c6362396418a48f09b16977ef664aee55e1eb42c374d596489ec6b3ccb4a0192

SHA512
04ffe0a42d772af063d592580a9eef7232f46b8f82a972081595218a32f6ea842d6ccf24d9756e7dfd5c6e2846c59d62335a519e5074f5351036b307e2f69fe6

Download Submit
C:\Windows\SysWOW64\Caojpaij.exe

Filesize
128KB

MD5
275a5f41c7eea0efeefb65a7837c7c65

SHA1
44498bb76a0fed1f557dcf084fb569b7dbf8d4a8

SHA256
f36676a4b563f620e1ad46e810b26fab2a571f7dae682b48f1c015dbd0029a83

SHA512
baf128d4653b102e9a719bd4d53273774b625fc77f3656c5267e8a43005e1292f9e7039e48bb41ff87bbe881a430ed5236e792dd2b5ca38d805cf0fca6ef6edd

Download Submit
C:\Windows\SysWOW64\Ccoecbmi.dll

Filesize
7KB

MD5
f42d4e1eb86a38e0deedfeaa76581e36

SHA1
a8d5646fb5422e6a53eb0f09a92f772eae3b49f6

SHA256
ae7572c05af6b0defef849de2271dc709b7a92282a8b7bf22a3cf131ddc313b0

SHA512
63b44b87f0c42cca78689f375e3ee40a570bdc7c1b2eaddf0fc6412839f28af4ead196551c41720e93adbd002043923a8c64ea9407238f38fe96e6e4795926c0

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe

Filesize
128KB

MD5
adaf3a9c8d1bb76ab865294984e3712e

SHA1
1839bb2c804e58986186f2acf8fe3c9f8cf66469

SHA256
30c12725ea8cb6fdffa08a8a83f4199caaad1a8d23e03859b2d481b232bbe6df

SHA512
42cfe65430126c5be2803280db46bd3d64136d50cf59a66cd711000efd62b035a37208a43e036a618015457c1cb501a343555ba8c9e8384b705b26197870e661

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
128KB

MD5
1a4d56dba35f5e65ed9162b675be063f

SHA1
f586d945b25d12831c3017321b02f9120122d637

SHA256
fc82c644f5fb1cade2fd493a48920eab7c379ad67308baed86fc81a2657b7b70

SHA512
3308e850083e5724102016361f003a5fe5abc2abe0e2a4c790b4b8374db6b52263e06c91624ab6e091696986378d9e5848db4373db64e399b52e1ca27cc0f1b4

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
128KB

MD5
cce23aad9da5e5bc70c54d04293c139d

SHA1
18320a36d2a35473fae2d9f90b9d658ddc63b4d7

SHA256
cbe360c467c0221745ea0883b3af65a24d6566e8d23867542b36ecb9ecd11e18

SHA512
94597428270ea7f15758b76c252220b29a101e674f1e69490155595e7b1fdb5d839a0a0ca68d16f4caec20f8962e3f42c0c434c7980a012547641541eaf88045

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
128KB

MD5
a8bee3884eca7bd3b23b0e38595061e2

SHA1
5b2ae317e18374b732078f781a3edffc50768f46

SHA256
2e10378373f618aff95ca3011a154df3609b6bf4d552c5316098cf77a539d01a

SHA512
2dbeb2b6299aee313d84a68bc263c4a8581e4843432ebf54bc5b94f043499c9ae57bdc9a599ab9e3e9a9f5726de7b6d07a9445814d002d01d9dd8ea4eaea9ec5

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
128KB

MD5
8bcfbaa972082ccff58e81091bc50ca0

SHA1
4bf358e66eeccd6927b463a80622db63afeaa383

SHA256
a3bb5eaa37b1dc7aeb1a20e3ecb0e2934b3161de39f3d6e0be4f64fddb5b8ef7

SHA512
45a1ec8269aa79af1088e4afec3f872647585dd47e73ab617700e30f16af47578a2e91810ec147cb2a07f5970c3814f1c1abd4ab400464857ec4392989eb1fec

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
128KB

MD5
c7ab091795b0db1327625354b718dec5

SHA1
3df702b621787cda4d2331f821f8510e2698b580

SHA256
660d1cee0c11782f3311ef1a74164d61a3c3f8fcb6b4aec9f7baec44d779c1df

SHA512
4eb69968b88f15ebc4c3eee902506b436ecc75b6993f60bc0d9acb080df90dc741511b712726ea7b25d0ceae9e788750330bd0d2418f0f771a4da998fe57f78d

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
128KB

MD5
a3f0c39da8b163d314601517baf55447

SHA1
389cc9fee66d73fb0200de07d45eece41b993f47

SHA256
713c6bef7ed2da34410a8098f4ac81eda03b0b74073db29e6a7eeef836c1b941

SHA512
321051654b9278df40edf5175daabd160b76472386a537341a945147a619cf1d25b3b864f03c8c6ddf625c82c2f83c6ba93d64136d48570a2a02153a95672af9

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
128KB

MD5
f7c0f1090f1037f2b1fe1ad02a6bc778

SHA1
9d4afb9bad6698ebc70efc01d1f181139ee40a82

SHA256
e3a3cf2e1f247354f6886aa65fcce7eec7bb8f9910843a8b1ab4cf2b093a18dd

SHA512
af9750a33820c1008a85af9c1374a45a09f83444541ab0e034995702be9691be910408e97de5f74864af0daea82776dec1cdae780dad6e9ca8a0cf061011472b

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
128KB

MD5
5c0f211b9ff400107f198587fbccd9f2

SHA1
4cbb5aaf046479a23a5a9a888c3d9e4ba9eafcae

SHA256
4a72f3ae31477c5136eb6e596953571f0c4afad9da9edaee4fffd323afe5be4e

SHA512
b82fb10b0f333acb507f0f65ad11a93e3cfc7432a9279fc4ed32f3fbb685cd6690db223b0741caa9d9e1a5a9614cef365bcda8446f9cea8998656181b256f95e

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
128KB

MD5
a8467442910edd82d978529f16dfa15d

SHA1
69624050ce2a2708e16482e1d50abaccb55c9f07

SHA256
0658c8f7ce724a27df096d470f718c1f86d820c4ea91505e34ed431d85b418e4

SHA512
f637bd03a9aa50d7c61400ca91266814842d50dec27a79fcae0535a8ab5c82811913901c04612d50c38638fd6e000a033b9556adc22a48a141f5476dc7115c7f

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
128KB

MD5
a700d2c7229f158ab29f5ce5c572b401

SHA1
9a733b4aac7ae2968f2ae483149ce24a716d38fa

SHA256
20231b911e189dc7b16e6b1bd394253056b0c7f6c6ff817f46ee1b63df707a65

SHA512
e2c21f8602d8ea4ab3f0d8f2d9b887c4588c077d3e59b216ac986e57dff3548a40141a454756eced57566db8970cb54d9ab6bde073b7d4ef0ef884a650d00a58

Download Submit
C:\Windows\SysWOW64\Ddnobj32.exe

Filesize
128KB

MD5
104181096a85583f535c6ec384e9ed28

SHA1
6e312a8240a52d40a50c6573289583ad5f5ae42e

SHA256
5816869fc99ffca98119b379458653b707e9623a2a92076ee8186dd489cfad7e

SHA512
ce2c917e38124ae36a83e74b0b782bbf0d561247f5d87c62612c4a9f6f4612767462ddeeb1db84bbfd3d4d1026b1045f6a2e24faecc5377bcf5d1f5d93c62b5d

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
128KB

MD5
98481fa49cfd990a00f7b9dd4be88aea

SHA1
58c4bc79df24c5dfb27a09b5b91f35e0f45b3c17

SHA256
ac74d83c1493d2249f7436571b2e84e307981a65031a088c4531af43e4729b44

SHA512
e39b2d1f02148ac61b44250ce7971957368dc08ad898f80478375977c6138518808ce3e34aa97e09a7aea8e9dc3b78c4d819755cd0ab0ef7c31eac5694d1ea46

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
128KB

MD5
60ed8913393813a8a4282f64edca4fc5

SHA1
f5df6c3f2252734ae52e48145cd2f9fdf5f03c12

SHA256
f5edf386dc529fb3a8db6e4c531ad26fc6763e71e88267a9e7f512ce9b927875

SHA512
92708e67dfb59e3ef7654546f17b437ff654d5ce327e94f996c1110f980701e5e3630e4ed4878ebb3fb089bf663f02eaa469357604c129bd0f75f26acbe89e81

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
128KB

MD5
80d2351e97947431b184c595ab18bc1f

SHA1
9f296ca9ecfb83096f0204cf4013119c095430b3

SHA256
9cea7b4d86d653cea402f2a036e5785d6432d8dc25842ed6e4344b41df4c559c

SHA512
f72e6d1cd369917a1ad8719bddb646a3afa3fe51714c51af4c686728128e577f47dd34b5131e91d5213e924f8b878e62ac32efcf151d213d32fc984d8c86fa71

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
128KB

MD5
7544e62ad4f98554c354bf340ba68806

SHA1
4d115221fa972fe86e5f6fc805aed3b15177fb82

SHA256
7e5131ac4a7b8ef597c3d17370b266357bbdf70110f8a4408e1596c560c2d38b

SHA512
0aabbeefcd95d06bc222c59a6c07b58a70a8fa23b269025bcc2c675955cc7e5dbbcbd001f6be33673dc63c499d78fd924c2a8c63d2ccd6f04c9e4df3d41939a6

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
128KB

MD5
5f6f24e4fa593f4c4d4897bbec4c3533

SHA1
750830708734d3c3718abe27683e8c5b33582936

SHA256
dad88097fa427af5db66c51afe1fe8495bb8972fee6aba37390d4b0af09787ab

SHA512
cfd0629aaa14984f8a67329a7ad38e94c950523819666942078a4da6acb837c5bfdcb074e9935bede21cb7286208f875dd30fb8ad7864f884e2f4d1cd80f1d1d

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
128KB

MD5
80abb52964c9ee72378f5482384fe9f8

SHA1
59d979cfaafe3df84526ff91db0ffce797f3f8e8

SHA256
bd3908388475f8903dd5c1ca61ef03b77dfd6fa77f801d863045c2632909a907

SHA512
43e95ac59b4bd09b188b1f3947744b18a03bd3b3bd42924bb19ba473e5a70b9c5d56b2e2c6f99199a5b132e1124ba0ed22120914f1bab079d095e46ce49fa1e4

Download Submit
C:\Windows\SysWOW64\Eiekog32.exe

Filesize
128KB

MD5
9fc451d1041545e4a026dd66440f8170

SHA1
93e49d95a74c0cfbd510657c9ad3d2dd4c4a957b

SHA256
6f43c33da950d7cf26cecaf788ee2bdf65577bab7ff891d4e8103b29fd737ba6

SHA512
83c5d3f8825c3b87cff7a491817db90a01b5d018fc2ef982607e691ffc17fd6e4fab5911409d1dfc11dca8ec3daf7367ac67d3f2f1e04d364536d9d35dcebf89

Download Submit
C:\Windows\SysWOW64\Ekonpckp.exe

Filesize
128KB

MD5
29c6572f29074595fc7453edfba0f77c

SHA1
82ca700322d541dab14639042faf6fa89f8dcca6

SHA256
0517e061faa71edeb8643387c2ed13f41e3c72246cbef2429aafa5f2201c9ad7

SHA512
76f4638aaa67ab81ccfc66cec99c2084967babb76e29724239489ff4e483b343bd4fffcaa3539f4022c834cdd0b8f210370981232230c259e666c9682bd004cb

Download Submit
C:\Windows\SysWOW64\Fganqbgg.exe

Filesize
128KB

MD5
beac072f81a610f21969c1ed0f81a7a9

SHA1
e050351a95dd486712e61f78efd39f253f8bc0fe

SHA256
6c12f45a832a9e15a4b331d417cbefe9cfe8afd29e00e4c3c0edcda1818e46ff

SHA512
f6108876d3c3d0e49f90c16b0a3bcab9da45783c332275526a2e084285597e0c46192fed7c2e3bf952bf60df20112c0fe7277851bd3dc9dbdf699e4b54eaecee

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
128KB

MD5
91dc7dee5549fced1890b22813947179

SHA1
e946638b275007d612f3ed16f8180790df78544d

SHA256
d2583150742331dca94e95ccf83d1f3c112c2b42903a3bede898016133a3c746

SHA512
cfab37d55245ab3eb401458ec0c28597298739112990035e4eef60dc858fcee1c20dfafc82993fdb84122d978a04f5fa4910dbb73ab7427477bde284dd55a9a2

Download Submit
C:\Windows\SysWOW64\Gbiockdj.exe

Filesize
128KB

MD5
46af3bb6e2ebb4b1ca298453a6044cc9

SHA1
223f55abc4d01dc3e9b3049f04558e499d1cf623

SHA256
c61a75d40b4b05aa3c0c3e42747c7a4324de62b0b55d88aff07b531d361223f0

SHA512
47377b4af5a788ae3a80c85045128e5d9db63042a38377d437b2eaeb9081a44e8181ba09546886f1ccadf8a849f35b6d090d9338d60a497386d76557cbf0ee5b

Download Submit
C:\Windows\SysWOW64\Ghojbq32.exe

Filesize
128KB

MD5
255acfa403d3970499a85b8385339c6e

SHA1
964fe19ecda64dc21d058c23ed2cfc4fcf17c46d

SHA256
80082cf52d1cba49d3f14df5cd78495b0e3b44266229cacf83e76e7cfa64acda

SHA512
6a09de7207b03928c52a0aaf861a9fba62f46c67e4f8dfdfdbc8042861b0e7f64f5dec22db23dc41c24a7fbe437511e44e07c210279073f3d32b9bb3206e6937

Download Submit
C:\Windows\SysWOW64\Haaaaeim.exe

Filesize
128KB

MD5
8322ca17ce1eab572b3236a2bba5fd27

SHA1
a636c2e8ef4f2bc15c2f40912643c39955828293

SHA256
48602d5b05772fd68941bf0a008ca1ced0b49d63b6ba1addc72e866f109afbea

SHA512
d8f17881fffd453f3c702cea1491498383fb4f957e2425a53ee872a0b2460afe2befe9d04ab91b87b9a466240070d6ae0e94407e1b8a6c459bd3ed0eb0a6586f

Download Submit
C:\Windows\SysWOW64\Hifmmb32.exe

Filesize
64KB

MD5
573405de3f3a76e8295a5d5d3b545350

SHA1
5f573cbdf294b22a7d6b207c6073b036470b2c32

SHA256
bbec1dffb965bcc4da2e754ca5c1fa30c5b552e18339c9a610d487ae69a0101d

SHA512
a9b1c378c0848cb6955ecfe218d9c4507c1dd001826225ca3c35ce4d807b59a13c3f59a4b3e2b5d9737315f011d846507443c327d7632e6d8e148855917c1970

Download Submit
C:\Windows\SysWOW64\Hlmchoan.exe

Filesize
128KB

MD5
f10cfb9529ad80e1be9861a3b420cad9

SHA1
ee839025e0a81914110d267ded70dbc8a7880116

SHA256
746fa776d934b2a2b962f8249b6d91306112fe79e4c24525d6271646ed2b58c0

SHA512
0e842365e2e41529feede821749006866d8621ac31640de7cc4de45f7500f5f5c2e50c152257f062890fed0fbf830edfd98c4e759f67d3198445f63342b2eddd

Download Submit
C:\Windows\SysWOW64\Hpkknmgd.exe

Filesize
128KB

MD5
d9f63a4d8da931b7bf26e201a647327a

SHA1
88b5fb1a799e86ac5aa1707b919acf926548dd88

SHA256
20b601bf8147c9e9957ce873dc8bb246ebd9d4d954d1f7b75f863bc123868c25

SHA512
f929d803e78dd7df0ec991b0787faa25edfd6d8e62cd70d3a99173f471b0a798d93e7478de9273e127fa7470c0ee40bc7e86ab1ee82badcc2ffa4ef51888a817

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
128KB

MD5
732cb0fd1e6538da24a009e472535d96

SHA1
9e686b7b79c519ee5baf8318d2ecccb4add35b07

SHA256
14e5717067ddc782084afac387aee9b4a93b18924a8975596bc956621090a8bc

SHA512
97cb48d88a7ace727ceb7b36f61a07b1fe740c390172d3bc680b2da8719dc43179c1e10bf3935d2799688cd395b5104960ff9077cdbb6d8e35a69a55fedd4964

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
128KB

MD5
8ebe0c2d692dedf7330376b085fb3315

SHA1
d083c60004459cbbbf86e65350561f84ace64877

SHA256
dd3d0fa40f2b284d4d6c68b85617a4f961fdca3ff294df9d9b170a73df576787

SHA512
e24b1f71a31de0820ed6a849cc729c3a975ee8a11c3eac813c0e3f51445c85feb7e69c6b2bcf399b6b1fff2db8240e986b51629c24dacc2115880338c8bfc995

Download Submit
C:\Windows\SysWOW64\Iimcma32.exe

Filesize
128KB

MD5
3bc5c6593b545705c8fd95d9d2f616f2

SHA1
885e66525882111d48b758625eacb6996292b687

SHA256
5d0ed58157ff757421cd371408aa8d0be084977585d9815e2cd3a5d4e5a4cb14

SHA512
20b7e0857f1701648632443d63533b21666f408b02156a8ac4c8875f0914e10caad6d038fe977b62a81d160482cd2d68bdc39475f9436c14cd519535611e0fc6

Download Submit
C:\Windows\SysWOW64\Inebjihf.exe

Filesize
128KB

MD5
c19898307676c60cc53e002a9eb8addd

SHA1
90189504129788743b7688d1d58a850f2f6ba7c3

SHA256
1946e53147bce1f232c3ba9a091193f66fc4ce1c2e15a1d0b3db0c6faa4efdb6

SHA512
2a71ba9974e140830d563ccbee78bc8c2b0cce88eece33feeae0750a1f1c0c2c1e54d3201f82ab99c67a655f8dc5360f6a8680fb55b9aec30da84efb0f5ae64c

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
128KB

MD5
2167dd8828f8eeb70a5c389d570a1135

SHA1
2a8f471867d68659c1a5eb1f8a865f3fd146b7d5

SHA256
82976e412c41a158132fc07cace6644285e412ae2c5b17189b717fa2fe6c8862

SHA512
900c7e28c235d6d24441fa65ef89916ee88b3c55d52029e7239a4e1161ba1db8971c30d6bf2e4ace08f88105f2225aed47178c1cb4f85b35b356fdf8e7d15ab6

Download Submit
C:\Windows\SysWOW64\Jpgdai32.exe

Filesize
128KB

MD5
dece3e7e08b25e62374e67d6a4933cb8

SHA1
5951d247d80b917e25798e4f4e436cbc85dd7d7b

SHA256
9cb93ef25f8f404d9cebaac2f46e1d484806de0ac343e8e1e5c21952e1b611b8

SHA512
b8d10576afe08d600e2a273622d136331c172fada197f72237b9a05268acfbd3d6c3266c6d5914d50aed8dc97d754fb6580f38c2673b4dbd4717028e1059fb61

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
128KB

MD5
54d2eb9460ac718b1b0d08587c8ed0a0

SHA1
cd32808c057a09c35fb8c38995b3d109163c593c

SHA256
014272da285e35f09fee33f28d9a7c09e95130422969d721c4c1d63be1979667

SHA512
583f4085105fb0406dff2d2b3f5f0a668072ad5c5cf5ccf25c7453f9e75ca73576b75b066af754656faf06eeb2e983313107c56767d02b0f70d817ec7b845e5f

Download Submit
C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
128KB

MD5
f51cc461c4f077661bbdd17a772a66e2

SHA1
05bce3c9b958d2628b979385b4ab20609dc41ab5

SHA256
3c70bbd254565c21ac6ce1e17e09e28d87d1b50a38d05f306a32b15a8ff9487b

SHA512
cc6ffc445bbb43c9f1f2a139a1acf36a8a2ac3f8f292eafcf5e4c10c7645052fd9cd9b4d22af8cfe2004b8efb8b3968818c4450cff87bd183ad8b59e63d42588

Download Submit
C:\Windows\SysWOW64\Lcfidb32.exe

Filesize
128KB

MD5
7e041574e8e54ef8fac52fe02d026a4c

SHA1
4aa951c091f795c2cc63bcd762111e0378db4f28

SHA256
4abb60db06db0ab36ae996e776fce19a81aab7cc7e08a5ffedf8fc352ab3ac3d

SHA512
4280a769589825d43c1231c17abe81bc60ea0116dbc23ffc59edb9da6736a86614edd768676564fa1ef0f2082a31ac5728baae10dfea2d6747f2f6ef183ebd0e

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
128KB

MD5
8064e784cd5e265d9476a03cbeeaea5e

SHA1
fa9853a8bd23191a9a2017b1d4c941744f5bd7ae

SHA256
3b9f01a6f0577e7d6ca70be638368a3d5b0030954a700b4d538b405b0c193539

SHA512
064eca9f1c3315644b7abae796ce9feb5f2cfc46dc68780526a182b7264247420be4aa2c6f91385a71efe9defb835457a21a088f1827145f1a88decf10520af3

Download Submit
C:\Windows\SysWOW64\Lhqefjpo.exe

Filesize
128KB

MD5
f05590e3c06e7b334357ecfc97abbb75

SHA1
66c08b4515c917af88a43782fd3227cd9ed746a4

SHA256
061ef660098dee27fd4f7bffb462abb6499e136d74e3ed03fbe9881b68ec92da

SHA512
65220d7f17300667a82c19c5aca4eff0fb0298b382473e47c78584213805b1a730ac0660726a2b31cb9accedfda75593f1772278f8d2a00df15fa7337e955244

Download Submit
C:\Windows\SysWOW64\Llqjbhdc.exe

Filesize
128KB

MD5
75c0dc7640a0dcf4aa17164c0fe092bb

SHA1
d0de88a79ce49d6d11988d2dac02c2d4fdcfc733

SHA256
63f581ae3d2379630483c9fdddd12ed48c3e738e73630d481c16dcbf0229af3b

SHA512
7d43c13caf927f0a1e51bd4a93a18eaad853f912ba7807d229874276b7a352b039a40c1093f740f0031dc44536f9534b5f35e90ce8022c89f6c9e30ec76e512f

Download Submit
C:\Windows\SysWOW64\Mjggal32.exe

Filesize
128KB

MD5
0425cb85851de414ee18c86a864cf507

SHA1
2d635792934159cae1fdfd2311c4d16adfe3eeec

SHA256
452637806b5e3d997a47064b3e267c1ced482aae6132fc68d449bbe79f81d3d4

SHA512
50134160eb0306e2e3df5589e3218095456d9289fa75f90aca5b5e3c6edd2a31524d303612ba5c49c3c2bafdc3cf6a07552a570df7c673c534204b60532a2651

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
128KB

MD5
bd2451d4263b51fc15089eb9e8a7b09b

SHA1
71c4200e2d59f1fecc4187566a4e84929832a16e

SHA256
75b03d14cc9f0c2944dc77607bba54e3eb555a885f0f6cbf29d6fcd2c9cea5b4

SHA512
cb6a376cf6cd95eb97fb7314a2290912fd9f408b0eee4179306779e0eb7737effd5552482230bf75a11d8cd12cb6c9ba215c3d9b568f2b8dbac4b27bcb90e994

Download Submit
C:\Windows\SysWOW64\Mlljnf32.exe

Filesize
128KB

MD5
340eeb9c9776572c359b219506537105

SHA1
81cacef530835d573e984efeca6fc639772d89e5

SHA256
0cf6cf4addc088b08552210ef5be4441b35955f222cd96ba3c79107e980a0aa3

SHA512
1d98c313150be47f7bd63ba6c9dba75b266287fbf950574fe4e065993a5cdaeab84cfe763bb61943c0a9d32db4ff7b851739066c9db094efe1ae8368aec975c8

Download Submit
C:\Windows\SysWOW64\Mpclce32.exe

Filesize
128KB

MD5
20658ef19671be7f53f2178b3e44eed7

SHA1
2f3083557d928fd829d26c5a0d259337bde69507

SHA256
1a78a431e3378c152bb45ad95c1016cbec175e3a1b5add55cfe3bbb8e79040ec

SHA512
f54c456432ce6b7afe214d756f3d2801e1c2548ad24127a2124098c7e8c1013b11b51aca4c879dde9867fa6fb2a8ea1858c61301a8c08be59c764008694d9ebb

Download Submit
C:\Windows\SysWOW64\Nfnamjhk.exe

Filesize
128KB

MD5
0d530c1901fc6e4c7a25a55c69651fd4

SHA1
22c6cf5af25374687a0df1bedf1c88bcc1397a2c

SHA256
5f710e22ce6bffaabb22f841a6ae0dbb5dfcac29259ec2a0ac74f9437ddcd3e1

SHA512
707a74d2857e877128799160ef94bd11e6bddc41dc0ea816fd806630f303f292bf032898249d7b92705021fcad7244cb72ad31642d5021b8122e9e7459d7c02e

Download Submit
C:\Windows\SysWOW64\Oihmedma.exe

Filesize
128KB

MD5
05435faef2119485a091b9db26b59025

SHA1
0c27199fce793830d3a93a9db4c849aae6422ff8

SHA256
4e737468b3e1c2dbb7a7c477257a90a72253417b05311446f5520ebac9d026b9

SHA512
16ae9fa1d1aac83354358d815bcdd1ef8148d9bd24555ee17e8c8e58e87a3c7cb636bb71352e097507544a60eaf9cf3936b5fd40ff346ee1adb3853f1bd8c793

Download Submit
C:\Windows\SysWOW64\Omalpc32.exe

Filesize
128KB

MD5
e0fba7ff490c3171aa2ab40e406d7366

SHA1
e62195d5bd398703b3081483a5b435e2c6ed6a54

SHA256
4a3628361e19527f5fec0c0f60b1e350df61830add9d4538475f5365f98a794c

SHA512
feed41eb1dc3758427f2f40a5314ea42a1b6357466411f853dd79c4db3f78307f8722a526ed1ad449ad53b7499b40207f06559aa6764ed866890bc1cbeaa0022

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
128KB

MD5
49545ab227fb207c33fe8265e2a81373

SHA1
e68c6cef6eb2691afce3bd00f1f86eb1bcf108b0

SHA256
75d6407e8bd84e697f400de494840dcb00017f97691d9584dce1f7037bfbdbe1

SHA512
b95537b5d8a8162c89e5bd88b01821cbe44a53fc611658ba543a58d9d4b90415cd3835d409328afeb8f844a583e31be71305273f5e1c76a9304686026a692961

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
128KB

MD5
5e89e3deb4ec0ae64a4da9f3311664e3

SHA1
3d71d1ca5dd2808a4aaa12c2a036eb42f325df88

SHA256
c35dc92ecaaf0a0f4472e411af1104d3102392e1a0e6f9456032c876cb6e08de

SHA512
882be8183d54a2b50354e2f3ba56413efbad43374e60a036e11ca1b93f30a21e2595a124c107bf03b20c475a54855497bbf99694f9a445c536a455d3fdb9352a

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
128KB

MD5
278a99e1f237dc5f935dbde81456b4ca

SHA1
cb0d5850643dd6562b84c8355d5106c477a48157

SHA256
7aaebca4559f185479944e2a12d9b8dff89d67f3bad807ee4fa76d5f44e5605f

SHA512
4aea4b3afa6e9d3c4896156622259896f20747280b10102d17bf0c3fab524648fe7055783a2a0acc027dcefa93172ff3c2fee433b041d8a70268bbe4e3e0c09e

Download Submit
memory/224-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/644-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5132-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5176-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5220-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5260-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5304-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5348-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5392-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7852-1663-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads