berbew | 41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Size

256KB
MD5

322936ac474786a36330c9b805e4554e
SHA1

c8ef3cff488d941fe0dd01a30d3b65465efb6971
SHA256

41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f
SHA512

4d464311aa3d34ec62bc2fecaf338325de89a7e4cf4f3c2f02666a0df85ca73bc4da641c79faaa1eb9f1e366a3919557a7728a035cd180f514a4ab277369747c
SSDEEP

3072:esveZf4NYdSr/mceG7dDM1IRwMkUIunCaRdelrOyX6gu+tAcrbFAJc+RsUi1aVDw:eGy4evfNxunXe8yhrtMsQBvli+RQFdp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmcojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkhbdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faihkbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fchddejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcefno32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3572	Eapedd32.exe
1784	Ednaqo32.exe
1828	Ecoangbg.exe
3476	Ehljfnpn.exe
4348	Ecandfpd.exe
1916	Fljcmlfd.exe
1048	Fafkecel.exe
4436	Fllpbldb.exe
2096	Faihkbci.exe
980	Fhcpgmjf.exe
4024	Fchddejl.exe
380	Fkciihgg.exe
2852	Ffimfqgm.exe
1600	Fkffog32.exe
4092	Fbpnkama.exe
1620	Fdnjgmle.exe
2176	Gkhbdg32.exe
1288	Gdqgmmjb.exe
1832	Gbdgfa32.exe
4956	Gmjlcj32.exe
900	Gcddpdpo.exe
644	Gkoiefmj.exe
4856	Gbiaapdf.exe
3420	Gkaejf32.exe
1192	Gdjjckag.exe
1976	Hopnqdan.exe
4244	Hmcojh32.exe
2156	Hbpgbo32.exe
4032	Hmfkoh32.exe
4920	Hfnphn32.exe
4076	Hkkhqd32.exe
3092	Hfqlnm32.exe
2956	Hkmefd32.exe
4532	Hbgmcnhf.exe
4792	Iiaephpc.exe
4760	Ipknlb32.exe
2816	Ifefimom.exe
824	Iicbehnq.exe
4536	Ipnjab32.exe
3220	Iblfnn32.exe
3500	Iifokh32.exe
2860	Ickchq32.exe
3168	Ibnccmbo.exe
4716	Imdgqfbd.exe
3332	Ipbdmaah.exe
4944	Ibqpimpl.exe
4288	Iikhfg32.exe
2780	Icplcpgo.exe
3236	Jfoiokfb.exe
868	Jimekgff.exe
4724	Jlkagbej.exe
4428	Jbeidl32.exe
1920	Jioaqfcc.exe
2620	Jlnnmb32.exe
996	Jcefno32.exe
4188	Jefbfgig.exe
3064	Jlpkba32.exe
4948	Jcgbco32.exe
4380	Jfeopj32.exe
1572	Jmpgldhg.exe
4556	Jpnchp32.exe
1708	Jfhlejnh.exe
4660	Jmbdbd32.exe
2704	Jpppnp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Gkhbdg32.exe	Fdnjgmle.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Imdgqfbd.exe	Ibnccmbo.exe
File created	C:\Windows\SysWOW64\Jjbedgde.dll	Jefbfgig.exe
File opened for modification	C:\Windows\SysWOW64\Imdgqfbd.exe	Ibnccmbo.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kipkhdeq.exe
File opened for modification	C:\Windows\SysWOW64\Kpjcdn32.exe	Kipkhdeq.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Iiaephpc.exe	Hbgmcnhf.exe
File created	C:\Windows\SysWOW64\Hnmacdaj.dll	Ipknlb32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Hkmefd32.exe	Hfqlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfeopj32.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Ibnccmbo.exe	Ickchq32.exe
File created	C:\Windows\SysWOW64\Iikhfg32.exe	Ibqpimpl.exe
File created	C:\Windows\SysWOW64\Mgdjapoo.dll	Ipbdmaah.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Fafkecel.exe	Fljcmlfd.exe
File created	C:\Windows\SysWOW64\Fchddejl.exe	Fhcpgmjf.exe
File opened for modification	C:\Windows\SysWOW64\Jpppnp32.exe	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Enoogcin.dll	Hmfkoh32.exe
File opened for modification	C:\Windows\SysWOW64\Jlkagbej.exe	Jimekgff.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jpppnp32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7668	7552	WerFault.exe	323

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ickchq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faihkbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkaejf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmcojh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiaephpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbiaapdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbgmcnhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpnkama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eapedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecoangbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdnjgmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipbdmaah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ednaqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fafkecel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbfgig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffimfqgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll"	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iifokh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecoangbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fljcmlfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllifblf.dll"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehljfnpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipnjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdhkhjj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3572	2776	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe	81
PID 2776 wrote to memory of 3572	2776	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe	81
PID 2776 wrote to memory of 3572	2776	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe	81
PID 3572 wrote to memory of 1784	3572	Eapedd32.exe	82
PID 3572 wrote to memory of 1784	3572	Eapedd32.exe	82
PID 3572 wrote to memory of 1784	3572	Eapedd32.exe	82
PID 1784 wrote to memory of 1828	1784	Ednaqo32.exe	83
PID 1784 wrote to memory of 1828	1784	Ednaqo32.exe	83
PID 1784 wrote to memory of 1828	1784	Ednaqo32.exe	83
PID 1828 wrote to memory of 3476	1828	Ecoangbg.exe	84
PID 1828 wrote to memory of 3476	1828	Ecoangbg.exe	84
PID 1828 wrote to memory of 3476	1828	Ecoangbg.exe	84
PID 3476 wrote to memory of 4348	3476	Ehljfnpn.exe	85
PID 3476 wrote to memory of 4348	3476	Ehljfnpn.exe	85
PID 3476 wrote to memory of 4348	3476	Ehljfnpn.exe	85
PID 4348 wrote to memory of 1916	4348	Ecandfpd.exe	86
PID 4348 wrote to memory of 1916	4348	Ecandfpd.exe	86
PID 4348 wrote to memory of 1916	4348	Ecandfpd.exe	86
PID 1916 wrote to memory of 1048	1916	Fljcmlfd.exe	87
PID 1916 wrote to memory of 1048	1916	Fljcmlfd.exe	87
PID 1916 wrote to memory of 1048	1916	Fljcmlfd.exe	87
PID 1048 wrote to memory of 4436	1048	Fafkecel.exe	88
PID 1048 wrote to memory of 4436	1048	Fafkecel.exe	88
PID 1048 wrote to memory of 4436	1048	Fafkecel.exe	88
PID 4436 wrote to memory of 2096	4436	Fllpbldb.exe	89
PID 4436 wrote to memory of 2096	4436	Fllpbldb.exe	89
PID 4436 wrote to memory of 2096	4436	Fllpbldb.exe	89
PID 2096 wrote to memory of 980	2096	Faihkbci.exe	90
PID 2096 wrote to memory of 980	2096	Faihkbci.exe	90
PID 2096 wrote to memory of 980	2096	Faihkbci.exe	90
PID 980 wrote to memory of 4024	980	Fhcpgmjf.exe	91
PID 980 wrote to memory of 4024	980	Fhcpgmjf.exe	91
PID 980 wrote to memory of 4024	980	Fhcpgmjf.exe	91
PID 4024 wrote to memory of 380	4024	Fchddejl.exe	92
PID 4024 wrote to memory of 380	4024	Fchddejl.exe	92
PID 4024 wrote to memory of 380	4024	Fchddejl.exe	92
PID 380 wrote to memory of 2852	380	Fkciihgg.exe	93
PID 380 wrote to memory of 2852	380	Fkciihgg.exe	93
PID 380 wrote to memory of 2852	380	Fkciihgg.exe	93
PID 2852 wrote to memory of 1600	2852	Ffimfqgm.exe	94
PID 2852 wrote to memory of 1600	2852	Ffimfqgm.exe	94
PID 2852 wrote to memory of 1600	2852	Ffimfqgm.exe	94
PID 1600 wrote to memory of 4092	1600	Fkffog32.exe	95
PID 1600 wrote to memory of 4092	1600	Fkffog32.exe	95
PID 1600 wrote to memory of 4092	1600	Fkffog32.exe	95
PID 4092 wrote to memory of 1620	4092	Fbpnkama.exe	96
PID 4092 wrote to memory of 1620	4092	Fbpnkama.exe	96
PID 4092 wrote to memory of 1620	4092	Fbpnkama.exe	96
PID 1620 wrote to memory of 2176	1620	Fdnjgmle.exe	97
PID 1620 wrote to memory of 2176	1620	Fdnjgmle.exe	97
PID 1620 wrote to memory of 2176	1620	Fdnjgmle.exe	97
PID 2176 wrote to memory of 1288	2176	Gkhbdg32.exe	98
PID 2176 wrote to memory of 1288	2176	Gkhbdg32.exe	98
PID 2176 wrote to memory of 1288	2176	Gkhbdg32.exe	98
PID 1288 wrote to memory of 1832	1288	Gdqgmmjb.exe	99
PID 1288 wrote to memory of 1832	1288	Gdqgmmjb.exe	99
PID 1288 wrote to memory of 1832	1288	Gdqgmmjb.exe	99
PID 1832 wrote to memory of 4956	1832	Gbdgfa32.exe	100
PID 1832 wrote to memory of 4956	1832	Gbdgfa32.exe	100
PID 1832 wrote to memory of 4956	1832	Gbdgfa32.exe	100
PID 4956 wrote to memory of 900	4956	Gmjlcj32.exe	101
PID 4956 wrote to memory of 900	4956	Gmjlcj32.exe	101
PID 4956 wrote to memory of 900	4956	Gmjlcj32.exe	101
PID 900 wrote to memory of 644	900	Gcddpdpo.exe	103

C:\Users\Admin\AppData\Local\Temp\41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
"C:\Users\Admin\AppData\Local\Temp\41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\Eapedd32.exe
  C:\Windows\system32\Eapedd32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\SysWOW64\Ednaqo32.exe
    C:\Windows\system32\Ednaqo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\Ecoangbg.exe
      C:\Windows\system32\Ecoangbg.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
      - C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        23⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        26⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        27⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        32⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        34⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        38⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        48⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        49⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        50⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        54⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        60⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        61⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        67⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        68⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4004
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        70⤵
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        72⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3668
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        75⤵
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        78⤵
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        81⤵
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        82⤵
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2008
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        85⤵
        
        PID:500
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        86⤵
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4912
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        89⤵
        
        PID:736
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        91⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        92⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        95⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1044
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1820
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2644
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2716
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        100⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        101⤵
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4392
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1412
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        104⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        106⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        109⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3232
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        113⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        115⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        116⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        117⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        121⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        122⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        123⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        125⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        126⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        127⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        128⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        129⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        131⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        132⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        133⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        139⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        145⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        147⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        149⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        150⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        152⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        154⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        155⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        156⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        158⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        159⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        161⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        162⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        163⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        164⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        165⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        166⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        170⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        173⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        174⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        176⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        179⤵
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        181⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        183⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        184⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        186⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        187⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        190⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:6812
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6872
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        194⤵
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        195⤵
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        196⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        197⤵
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        199⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        200⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        201⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        202⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6372
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6436
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        204⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        205⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:6640
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        207⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:6860
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        210⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        212⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        214⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        217⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        218⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        221⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        222⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:6528
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        225⤵
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        227⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        228⤵
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        229⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        230⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        231⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:7212
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7260
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7336
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        235⤵
        Drops file in System32 directory
        
        PID:7380
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        236⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7464
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        238⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:7552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7552 -s 420
        240⤵
        Program crash
        
        PID:7668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7552 -ip 7552
1⤵
PID:7632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
256KB

MD5
a2c3fb2c55d3fba50076de6d983c9a64

SHA1
27bc58a53fd1fc55ee83ddee3c25794d88670fde

SHA256
8c34f4f780cba99e4dffea701c06502465f54bd765d21a2310481898d0f621eb

SHA512
956a92879622a2a3fd3851c9b54bb3ebb6d34c41a6639fccedb2011a378845d658ac8d68a5b05e950a4a928fdfba561230cd20dc753c1f664a970b84f706bcda

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
256KB

MD5
20e7ea0d7c77bdaa810d952b87798d5f

SHA1
52ad5f420b4a7663382972dc822fbf945b927d57

SHA256
eeb0a449b9fe09b7233c7fd25b046e90f53b4c3570793843a67f47e1ed1bffaf

SHA512
e76d0005d19f070e2e14399b5a3764a05e71b7089dca0db7aa27a15d351d124bfaeffc2bf5c816c202f30427fdfe77b86c08c98b1faf77498b1c82c2cf5ea061

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
256KB

MD5
3cc8040db79f5f8201de29bc2b56b958

SHA1
561db33676ca1bb7acf5c261c1f17025ff83e67d

SHA256
e60e3e46263aceb5067f05a841603e5d4c4bcbbf6e68d2f97073c41c251dc190

SHA512
3962d0aec8be258b2ed93e390b92c87ba32e05ec12cfb6518cdd29587b9d2a1d3abb0cb623c20b4e14ddf631938b5aa7aec780998afeeafe6d3ed4fc31826d71

Download Submit
C:\Windows\SysWOW64\Bejfanad.dll

Filesize
7KB

MD5
d7b431f2073f29119abb9222111019db

SHA1
bf977a54ceba9fe2d9018543786cba83c657e755

SHA256
51239d9c2e1638b568dd9561f2315e8b9915db01f3973f830ec6984735002652

SHA512
88a59aacf5f186e7b7ecfa840e01270729d375724104337ad19f7ae13ab1d7382bb88e3938cfefeb41a66c184fa0ca1cec530990e0a936734258dd39f8c648ff

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
256KB

MD5
c7a15ebfbd6d244511641fe562bef055

SHA1
17afd8d0059aadaeccfba08a9f2469b6924b90bb

SHA256
592ea016b08ef72d7a14992bb4a89cd0d297d96b5da02a4059b1f26cecc57f70

SHA512
a792ea7170e95f698eae60b2555ff8588b28646383d6cc199983242e14d2a2089360f958486be90789c748d3ce32f8e003b1847abfa68daa50674ef6169810dc

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
256KB

MD5
3da558ddd7bb85eff20e5d527c54e2a4

SHA1
6ee258330c5381dce67339a3c992f6dfdce70a6b

SHA256
9badbcac475564ed65e5a99462a3a6535c9ad413d60050457ad1cd7cb4594ff0

SHA512
74ba8e08a28fba074fc75153e2571a0f7e2a20d6f7b93ea5a6d2aa4eb2341b28d32c0766ddc8556545b6dab05b67c2f366326c1224c2eb21cc4768f50658f4ab

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
256KB

MD5
d59b8281387a43ba534fed9651fcae47

SHA1
fbdc8f8312e90b050b154d835b970570c06faf2f

SHA256
161086d5eefddf472925a14fa3060bcbcfcb45a6dbb9e6998e35128b30190d05

SHA512
13ba9ba9deaeb8b8354eba7ba49945c6e33630dfbb82ccf8c3bb4a5ea10f01679652a906d46ce5324bf8ce77eab20ffc8106713fdfbf06176857c4dea2583646

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
256KB

MD5
23a42ba5a9f866719ed4e81bccf917e9

SHA1
c468e1cac0e4e97df8d125513138dd6fae1e0bce

SHA256
87c4bb3d2779328e28fdacc87a442be5c6620f49add32656e5242fb7af450636

SHA512
760b5c63eba00070469cfd9f8c7b9228075500aaf7256659fff20154f8915b9168f15fb1816b592e0414927dda8e8c2ce940aa88e415bc22ba0d526f9ae211e1

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
256KB

MD5
01be6d6ef7076012c40a641f7b4ee0db

SHA1
ec4648246a5abbd42f5a155e317fbb680f9e7789

SHA256
281405a9c045e2360ec6f18a6a678716a63822f488750c0627761fbdff3704a3

SHA512
926c8d17a26b9b2c27d7691bf4bc22ee6307deb36456a6425f7ebe3700fc905d529fd339a12e341d24b8cc1f40ca9cbff99189802bf75741d013c8ab2d08b449

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
256KB

MD5
f9352629e592da7ab1c3ab11696d894c

SHA1
42b68b374d6ac7e6d547972b37912a498e9fd558

SHA256
196cdd138ebafcc1fd4cfaf89eb9632615a10feaca307d0be730d1c3836dea48

SHA512
c01c40904a10e22c0ca2895c96c0df402cb674872a83a33b0ebecc10ea1e6f0312919e6ed867422a7809d57a4d4e2df34f83c5209d7d1eb4e1edda6b40fd6155

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
256KB

MD5
f09a93d9a68385ba7c59e16df588172e

SHA1
c9b8c079e7521b43c757c051ae59a32f49d4f3a7

SHA256
887194495def178af824cb2845ed60ea62c732af33b08a34772617f9b1e6ae65

SHA512
fe8ae679bc3b6ff3914f47c1234d6c156c4fb486c68fec08c0bf2cd84e9f7bc3ce994661819ed59b1cdc7ca453f5e3e07ba8f077a46308c61a1ca5556436de88

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
256KB

MD5
0c3cc07d64047ae6d0cbba19f43ba492

SHA1
380d380eb1f562be8761f644162587b972efda18

SHA256
a3373ebaf74df16b0cff7463fb97d87c1801478c4a8a294f5fb105ea2da85ba6

SHA512
980a78099879bdabf6eb7545eed40e4a44882098c2a6d1e27fe10503551ecd9ec7a329ad5779e8a1aae27dd08928fabf54d9a8c8adc21c390b56fa7db4aea551

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
256KB

MD5
26116336db696963f26bc9280c637ba0

SHA1
4bc2b97fcd7604b123e812b19f19579e1b561028

SHA256
d1d87269741408fb4e14def812aa7de19d158269e1514a3344003cba0cdb51da

SHA512
18d216e9ddba84a004f659cce043a844bb7f405abc10dbc71a7250244b776a761552eed730f37ec5f0d510a0329d210b7d39d810c5f5f2f5aea4c57d5f377464

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
256KB

MD5
d41fed3227d57928dbd68fcdc629115b

SHA1
0a7b00398072ff3061be2101864d0a90f5ac11bb

SHA256
9cb6b76c87e87c62b9bd3d223fe1edd5a72c06187a9d5ddcae14f832d38816a9

SHA512
ffb787b58c6ed1be95b3b2b4a584e13309bf1d001b6be1cf6762e83e5778519e69c815bf776c43b349dd42e99bc9cdfd2e52daa6408b2166ede06c0a39b27b4a

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
256KB

MD5
177c1ce42591ca674d113bc5942c4810

SHA1
21bd3f46a2fa3d79acb99bd8132aa1e65e0d665d

SHA256
6cae3cfc3f21d61acf59cccade42df8e3fc00dc212b7e7b612decb0dda6cbee1

SHA512
5d32d20a5cf5a9e7d12f5c6a310841530c067184b402f6ed903d3227020c60927dd44234df06d7140add8d199b0f8d8cc416f37995d3f7f153f0d4b69f662d26

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
256KB

MD5
ce1765ae0e42fe76df10d4ac1cc3c1db

SHA1
1d9c3c62985bd7d7cbd40ea96b860c6c96c41f3f

SHA256
c8552c224edaf1a30d16bbf48e3f537d4f85d597da824d4d3a882dd52f3e2cac

SHA512
90f27f44dc4d78ba84d0cd7815a783058eeb98db3c4ba7d9e817d83205ba6f54c039cf84bc408bcb9878ef3403a179dc21397bcd9e04908aef3a1d9b08fbdabf

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
256KB

MD5
a957b4e5fd25c52130e21852431776b1

SHA1
b7d63c2fdbaea47b74085cd327db8f7f59600d06

SHA256
e55211d8a0897e264e6df7215dc5bdbbfc7aefdf50319ba8f8474f93e6308e25

SHA512
a802b55e980f2009a969e1b0ae4a203dd18df2d03242e9f33960fd25034139482cbf3c331fbf98ddcdcbf6da79e67b5fc8c1eae3c104febb29557629eb2a8328

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
256KB

MD5
0824c57ab2cdf269150d06637589fe86

SHA1
ef6abafbcad9a8f7d74d22505eb41a6bf549008c

SHA256
55aab3d85e8a4b7121c264946a3be6534925dc1bcd79910a3559ff240e514b2c

SHA512
64d42e6180c979c5402baff4980c98112af432e291d54015c2630d1e068fa0f4d863e1c95d472cf5f4e8a223dedef1939e9eef08b18d391d25b24d2dcfd51d08

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
256KB

MD5
b404d26a4399f05dd85e3b45798ba1df

SHA1
6fbe9b63071b8c8df6dcea2d9f6bf34a4f39ef80

SHA256
383bb4403ec66a1440571e5be3212d8c3efcc1401f1f607c98ef7d1315aca675

SHA512
b1c6ff3bc3380622e4091bbabcf803e9b9711523ec14ced419d0f61576dbf1dff44aafdd97fa55cd54649883a00fb83bd132d7ea5fcd9cd380ee99500486a755

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
256KB

MD5
c65a11d036cb243ed59fd6cec6834dd4

SHA1
c316dbccf13663381692bc6dfb53ff71ebd4f40d

SHA256
f46fa89e5bde738a011e93de2e1361f7a07a80b6751395858f7fcc3ee7a205e1

SHA512
6a22dd327d5745a79711a4646e1091e1b1e7b68adbac79cbd1185dc984279e497d228fc578a80a892b82258209bd848584b0d38b8570832e020151a2fd3d327b

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
256KB

MD5
505ead5b3c8ef0363cf1f6c6aec813b4

SHA1
cdadac86adabe8a70c9081a1c7bdad300b59d883

SHA256
403652e7f2696867fca649f6265d333c6610e7a88fe6bfd7e9f448cc3bcaca3a

SHA512
bac9166adb97daa9ebb8bc748bd03d608ab77633e91da6b1b8f83aee8464a59f4fde5d8a72758627fc9bbe1eccfa9d4a83b43d491f0623aa5c048655be4ffde9

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
256KB

MD5
9f50c755e747c29ad80ed284a1b66660

SHA1
84dc6040df5dce85e42a56f91cecefa932a4c897

SHA256
f4bf2221573242584267e120f2c9028de53651c3ef511472749e839e2d1690d2

SHA512
6e1e1a5554574e884131721eecc9c42b44571f1d5247a0d6cec2177b6db7d63a87c8ef3a6ea88d1f3b135ee8cca91c95ce0fb48fef4690fd8a9de40bc1113240

Download Submit
C:\Windows\SysWOW64\Fafkecel.exe

Filesize
256KB

MD5
03a0c1521403afc820085dfdbc250f09

SHA1
68d2deb5687f927b2699f8108dc832e0c5ec49cb

SHA256
3355283020a17cf93c95b58a82c84827cd7c3286ad9d0f5e1f12c4379a5f0d1c

SHA512
4dca6dc4593e7c21a309b198c2f514d29898e36cfa830180940e9d603f9e04fd8675e527b8798c657f4ffd254e91eec58a75867639bc5121e805d0b58d7aafc4

Download Submit
C:\Windows\SysWOW64\Faihkbci.exe

Filesize
256KB

MD5
e67a86210c1ba3c6dd420f601ceb4483

SHA1
76d223330d9300d8fc9d1459eb5371a70296ff3c

SHA256
acee54c0d3549aa3273cad47d7572e6ead9b1bbbabec190c73043728fcce537b

SHA512
f8de263a5386bf47090c3447afcd895e1897bd07472ae26103b9697f9b8d614737ea34eb80f1c4d65f5f78a6c267e4649c6368f759bb622804b477d0e2874d62

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
256KB

MD5
1e54f21fb29dad98c3af3d8667ebf8b7

SHA1
51a3e0cb6166e4b5345d54fedc7b743e96d71ae4

SHA256
b197159d8d747ed9675da3ad38c9f17a0e2f10d4e54cfd55d0482a5165cefd83

SHA512
6be010c9b009890c2536fb04eab64f6ba038aa78b39b85f9aa55bf2b1d46356d234b7b216f6c44b47932ffc57f111b938f89c1cce605da902159d9b5c1ea4c89

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
256KB

MD5
35b9e42ceaa20e3668c3311928ad621b

SHA1
8caa925b3141f04cf0b153fef364bef2d9e2480e

SHA256
de1fdac89aa9c730a1902fec1e1be354a0f07279f1af8a20667b1ce5e851989f

SHA512
b3f5bd1907d246e39c80c6324796093b779f5f616a89bb7f5ccb9eaf9215c1da66ab538fea6c4fa43538ff9c69f65918701100e0dc7f73b8cd96a0cbdba253ba

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
256KB

MD5
5f63698e5f04a43b2435aea412ecfd4e

SHA1
882f89c22624ed0de92e574f586fb37c3099b4f8

SHA256
8c842d4e5beb7b9bba1ffc9552b16e206fa6e819932bf7c3737a7fd3fac8e8a9

SHA512
ed77f31c99fb16bde1e9777329ffc5fa16da7ac5825856eb0d82461375f7db5e966c1cbdb97ffdde9a48bf913c5559fd18a07d56bfe50325dbb66b4e7be6383f

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
256KB

MD5
06e58870acc11a0b7cf35bd5b9819950

SHA1
662ee96d8892a784fbfc2c177060af102c0ca4f9

SHA256
824cc1ad6642785fa9dc52bc474b3c0b399381730781d4ac031434eab184ebd1

SHA512
c588070ff3d61727954caac919de63b23b1c3ee901a07690afceba770dc3ef084341900e9e0195afda33c0df788e5dbc05b19557eaa0a88cbbeb7dd23e7a3ec7

Download Submit
C:\Windows\SysWOW64\Fhcpgmjf.exe

Filesize
256KB

MD5
08baf22502f68b262a871fbb5c9cae41

SHA1
76d970e0b3b3fe29ec857a30aa3e9f7a06df2bc0

SHA256
8b680030a63d35501337d24815024e230c43fb5d5542a5efdfefa48448703c8f

SHA512
a71281e76dd6292134b9bfdb1efee003aab26f700afee0f19e6f102bbca2b6ce99bc1607e73ebeae91422aa5929e59349f3b3c6b18f82dc37aae888dc7749303

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
256KB

MD5
ac0608fcb52a85d63ebd45f0f4ec6557

SHA1
e3155f405e6e98e4e3c3a6216f12b05ae225126f

SHA256
47d121eed0ec8c0660b8c7ceb7bc61d013c9502d5afaea83c73785bcbb60594f

SHA512
ec2c2c2f81c02b25b72825c8609fad6c3344df3e6216b60e1dd335d04f2b772f4159833e184b106d5a1cd7575f809e8b328fdcbc61fd76df99e265fc0edb49de

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
256KB

MD5
b8f74b9a2295811b8703d210ad5dee57

SHA1
155a5e24349dd79442063bcdb47668ff3047a11e

SHA256
4925669ddf24072ff9ca089cbb87db15732ed3bddaf99892a17e383a271ef269

SHA512
3b4f9ed512ed471eaadcdc26fc14f34c18bfe904fb376f155707f0455774e7e607630e26382ec2d9287dae6e6aff172032d89d15bae3a9fec3f78fa2d10c2dcd

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
256KB

MD5
149eb07cede31667349918c55dba5152

SHA1
01c22f5b09d69ededd98056013e9507828352e54

SHA256
c1957bf784aa75abc96de35c5a5b7d4b306f97f3eb2344d22b803dd6df2015a4

SHA512
09f7c52ff82f5788fa71956d3d7c9ae249e7c1b96f75ba8e192a65289179fa0ef23105923a6b04086f907b0a4dae0cc8d0c7cf77eb471e6666f23aba8d515837

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
256KB

MD5
484718e23e9a83a4943e1a4e6c7b1f65

SHA1
3961c325618e21b02f23b3691782897a7668e6c1

SHA256
cf42514c91cdf77cdaf01f0fbb1173072f093a212cae1f8f949afb612ced60eb

SHA512
a03f1eec8a82e3ad5c041f9f97bf4c378655e2eaba6613adb6be769b5a594961ee4cac6b4a9f121fc2f152099bb36f0ed3730f7c7598a950b3c2880152bb4b7f

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
256KB

MD5
60e99d4cb855d048353bc09afac8cea2

SHA1
1020a4c4e384af0efe7b94225fe191c12e7e2fbd

SHA256
ff8cd33e5a8dbac08f666ff47bcf516260351deaeb8206f947992b2aeca25568

SHA512
83ba2d3ff00b2e66bc31c3e6618f67a9a6ffeee185603575026c1dd2b9087a782fef13b547ce0b7bf8024aed18d91488991b94d25fe2b72ae6964e3b1fe1c54f

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
256KB

MD5
21c15866a032430daf30fd758d2f8159

SHA1
61795f6ddc8f982f0154971f6b87add4386d28ae

SHA256
3bd087f724b45106e096e28d3299d8a5cc6d7702be94c31c65d7657d80c36789

SHA512
a170dc9ecd7a6eec7e664d404d9e5b1304c103169cc3195a544d83cfa9869d5ecf8d0e9098ab3af7498871613f693b774d0570e85259dd44e28d96ead2575546

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
256KB

MD5
b2ad616bfd81bd560a019c62d2ad7b98

SHA1
a0598742577396c66524498651a08f5850fda114

SHA256
34a8392ff7f205506d610ca2319acb49f0f49fe6aa10f06b96e47a7512cf5d7a

SHA512
52828c37bea3233a43697a79965df0e251b5f3befa22e676a1efd22c71704a92cf1ec2f3dce7cb71f93fe72649a965f6a8a12467e4a425430543c12e0a448944

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
256KB

MD5
3baa88f52f384027216e9c924e85e457

SHA1
df6e5e1c9548d74f02aad386946af0c6c36058be

SHA256
a8e005e32de68c53213ac52d9c6daadbe74a6f503b8fbac1a522311887ae69c7

SHA512
5e684a8a9132b1dd6ceab72a05f5f056acddb93a66fa47c3ce9c4f016b5c354b50f890f362521a49f2be16c51a2d4e7d9828b3836d3df4a9be30f4fb88f92d46

Download Submit
C:\Windows\SysWOW64\Gdqgmmjb.exe

Filesize
256KB

MD5
8f1d7c2bb0513c906681cfe5fe09eb87

SHA1
be6096f952fc41d33d4fce39fb1130f414804bc3

SHA256
4af5c7253e9040738d5c04d6ae8f6c328455625564ca4af3e952a5c32cf2b4cf

SHA512
50dfadd35b0aa843464bd52729b13fd02d7112781116fe2fff1c945e7c0f373007b1fe7711dc7357f08d3477379f99d734f4e8f8425f3e4a8c26ff5b06e85315

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
256KB

MD5
d4d722af1d67a91fc982e00116d61fbc

SHA1
e7197c0ee99629b8b254d57bce8b216f47b22055

SHA256
be796c34930650717fd329d4231f484fcd2c45a47da12adff5dc79c49fac297a

SHA512
eba39576e5cc5de457cf04268bbebcc69043de14eb0b847c6e55a82db246cd464302fbb267351b69152bfe979a8131b7f6443ebc41fa40a81850c6b350132492

Download Submit
C:\Windows\SysWOW64\Gkhbdg32.exe

Filesize
256KB

MD5
44fa367cc026b97cd719ab65dea0488b

SHA1
a5bc0b1f7b211deaeb50670ab406ed923244944d

SHA256
90292621e2e99928d87dfd37f9ada46729988282f8890a7b9795c52153c84fd9

SHA512
b9cc69d5b80aa068aa8842dec83e87cfa5e686f3940939fb9fd4bfded2e5bc497f95efc9b47a078455d0228d4717b5bd7dd76d9a8753f704c9f068cc6c92be0b

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
256KB

MD5
bd76e5583c6c5480f1e3ffaeb5a1cb1a

SHA1
ce9533f6c1c8cdf5b1b6ce09b574fde1acddf3c5

SHA256
51818f524f0bc74a6415f218a9b9dce523f628d178d363bd232b5a3f090e114e

SHA512
d05732f7b58cd30068137886709a2cf2eb1331955c43abb03c6c9c5cf955e127ddc4560a2d85dc51d7e9254f46e1541e89a717f5f064f5f11608569007902a48

Download Submit
C:\Windows\SysWOW64\Gmjlcj32.exe

Filesize
256KB

MD5
12db1bb4eec2e5ccd53592bf2c04a694

SHA1
94467378920e0824b1b5fc1f4354303f6fe17fea

SHA256
dd9e2376822bc106098dc6c609dbfad8f88d2a83e1d9841f9cb7ceffd7646193

SHA512
182828f0e31886924bf296ebe115c89b41170901de9c77c7871f0da4e4b41d6bd5024fa173bfcb9ec2a693a1e55baf250387aa4b73b7ae27ec5db20b823debb0

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
256KB

MD5
96d68a9edf4a626a8e8fff529851fee8

SHA1
f06c58801e656eb1c2fea7fddad97b632496e80e

SHA256
fbb54d1578e0b246864b15f115eee302cd470f420e9d8a6b68575a4334b382ea

SHA512
067562141922ee6b2b16c87229b3acabf86b23d88f1c365d03ae97253d601e1a235b9cb5d6456bf9d5b84d7c659f6cd30dffebc6d5acb9940a38ee3d862740ef

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
256KB

MD5
63804ce6d88f8a512628e8e2c835f3c9

SHA1
a579818b17d6084416ef54a8e45e1b3afc928985

SHA256
6831a28567ae1729787faec932a674447b9b871a3f55d14a43406889bf7a542b

SHA512
a809e77c13d4a08afa96fdc53ffd887ec8831b37fac587ba9ffc1d6ee01d3c3e3601c3f9980caa7c8b3ac09a6a766c78e4bd4291f49c65c2e46b915ccff8b3b6

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
256KB

MD5
eb6d9a9a5de6381f9a352d5f6296e7b9

SHA1
aa85966915f7693462a33a9eeecbc9ff9b619a3a

SHA256
4015e3308b61ab807c5fbb9bf6821fd28c8bcbb41f873ecfec4686504bbfb36c

SHA512
aec79ea77198c571218e85099ba8c36dfa8aabe5e3c41777988b40f39ac93942ab9bca568421bf81b93519be2ae332a34bbd64db3505a995cfe4a9fca3ca606a

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
256KB

MD5
e7cdedd55698a5e3d35da6635ca25131

SHA1
106be054a016eae475e80cb2457dd6b5adc576d3

SHA256
dde38d56fd5f95ab04c44a26c465e498ac11c142f6bc9e5859144eb1cbd4a61d

SHA512
61b2b592a61404e5d16db31f347620a6a9e696ad09f4e131ba133cb8c4737b3e0a3b090960f7e1d1a52150a220df289e1004271ddaa5462940426b07d0b93c33

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
256KB

MD5
94b5d411d5d9986f9aa9afa4d5b1215e

SHA1
637f4dfd2293bceeeef179cc7964f7c7e7b5edb4

SHA256
0b98bde5dfe843e969d9f8e049bc1c76030f37118443bb4786c03c18d764e27d

SHA512
86e8b860b7f7178571827d1cd411c2f6dd9354175396db7175d135be777ec9c423ae8a30a8dc1963a2506216ba9f19825cdcd1940f9ced0723041b8a419324f4

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
256KB

MD5
9e5611724ae2391ed8c6942606babea4

SHA1
045771097de13183bd9549aaf93afea569ceddb5

SHA256
72d4a03f1e0fac99fe80a79501919055c438d526fdac64330c1aac64f54e0c02

SHA512
c6ee2e7fea1689b34742a37c60de479d981a532f5a7431cf527a15d6706533bafef385b3359c5a1cc29ab6d241c1c731fefedab8d6fa8b6d2cc9350fc8b81354

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
256KB

MD5
a3767864411aa699ecc91fc168871747

SHA1
54280395bbf996b97990cf3cf03256fb639cb0c1

SHA256
e850090da2fb5727b2414c2c68b7bf62a610a25ef9f05827a8f87d5a8db407d8

SHA512
6f80e8758d2506516ee5c3d9dcbb4b80307bf8cd29fa238460bd0db2e8ee52782e027340663813d7a8f8f6368b419b77ec4556f7c78f4ed8c7d6a28d8a848aeb

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
192KB

MD5
76b9ab10eb419a5b8a8c4a0c4e7aafec

SHA1
365ce4c401e5223c94d5fc9a84f098a55d72c3ed

SHA256
3022135d996897d45a964efc4df158ebe94d2e6216bac10ccdc0ae819bdde9d3

SHA512
8233ed09adbb5e6a3ec58f1507cc41f12454669dc73eb3acf78798136ea10f57c723ca7b5408805b2459a5af7296c69daf491a7e612a32c853a4014ba3887ff0

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
256KB

MD5
4e79ceb8031171481f57b19be1b64985

SHA1
4b90664985e8262548ed76b20b4b23826d466b7c

SHA256
7536e7d4b6e2c0c2f9d48fc85ce5d9f2ecd7e5f793a4387893b203b77e6a2a0a

SHA512
6459bafe8527ba55478e8e84f7f2649755483e68ada019be09b39a05fb4f62584a6d493224109199913bcdf09a34a8ad9766f901b8bccdf2238b00294f5221c4

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
256KB

MD5
ee248f158c22d173b55a3fee758aea93

SHA1
995ecb3c0f7a09f66957a561453e36bccf2df2a6

SHA256
b8872e0ed67c60b0ebea6d43c8359d58de320e3438fc2a86a352dd979ff690c8

SHA512
637915136799e068a971c272675f9e6ec1185b7e4f923bf1a27d9725aab906ebc67a4019f825445b13df4c49b39b81f417d6f54fe1c3fb9268e8bc81b5d7b6d5

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
256KB

MD5
c7cd33edc2e11c7248b01ebc1b848758

SHA1
89d9deb63c6c0c8da96e0ff7630c4811494978a4

SHA256
357b38cb016d35c6a958ae2907dd67a7f8139beba794d6d9924ebd7121e9d593

SHA512
96f711cb49073ae55fb949875a14e8f3c378d300a4f19c8733a82367ecf213fd6c1d6542343a58d6aba221f8438fa4a54471467d7a78680981209b1c28408017

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
256KB

MD5
61ca3ed499d78075093ade9a5f2fb573

SHA1
eda88edd5b7e05d63e49a22b356af4e339ce6be8

SHA256
62c87669dec71b183e7ef2db89e58a7f3e0810d818740dc751edd0ae9dabe245

SHA512
10b258e8b5253e617334a35813497c4709c6727e291bee46b5bc501b073deb51a53cf4a32ad5648dbfa8822778a25888fc02dd1af557c69e26ac8f0e8e4342c1

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
256KB

MD5
c692ffd0caec769065bb4125a8860007

SHA1
2b2396fad948817533f467511f57ec051520cfe1

SHA256
2e153720e50ce7bc4cb95dde86190039bf4e57aa0a864ac076de19d7e44590ea

SHA512
8b187f9a800e95dbb2a8d767b104ad953ff111ac03b0e33c63fc25fe29f521dc8eb21bb7c34eef91275687d8ec9cd93535820a45e7a2df51bae9aecdf39e10d5

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
256KB

MD5
366fab31ed0910e8bfabb7ce9eb01af9

SHA1
75d9e6f19d70ab56cbadc6e19909f5fb211d4c98

SHA256
8e0c5a099adb8dbcd06667e50b8e6e2db3738e0c658d9a9976beab64437c9ce8

SHA512
4e1e1bf0bbfd87b6063317b56434d3e94e3d9db8a0240863ff6f11b9974311c22b86fe5d4f0d51db7b6c9fae8d275170a6a3296b498419edb7e658a9595a5e8a

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
256KB

MD5
e2fdaed7fe853594009e7a1e57c081f2

SHA1
ce1aac184a168d8af9f8ee205e180c32cf3f730d

SHA256
15abf064a0c901255df2f054a2854fecf0cf42977943ae60b9d6f1471f4419a9

SHA512
175cb600509e0a1c13802f46e80bf2bd78b1e7c386deecc23feac84417ebae44049262f525fa81236e68d93a4c7362cfcabf71aaa41dc3fe1b66464aa9dd07cb

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
256KB

MD5
edd6d846f33e9b803aa61843697382fa

SHA1
93f7cc15872666c1d0ce335a85a799a97ff16050

SHA256
72bb923877c4beadce8e7eb7ef087b11bf9b154586a6c852c969c04e65f503c2

SHA512
391afd3b83d848895f113c036b13fd4debbda9c84c5d0cfaabc85194940baab54bfcb96fdc8a8655cb995ea55e55c4696dd6f543403f94b50521c50ce229e96d

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
256KB

MD5
10e6f7b3631bff59cc98a8b864a7bdbc

SHA1
fc245d34da7de312ffd4f56b887c7b4c6d0e2279

SHA256
74d597ae1b5aa71707b34cf8dbfd580138836ec362ce2008f6dc109c32fa22fc

SHA512
1502f27555b4c60e93661fbaac2983f80af3faee46769f824b0a510340c98321ab79a438e83868ed0f418efc083eb9016a27ae2a8c716d2e56047adcc3bf2cf3

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
256KB

MD5
b9040c3e42c491237314c52d1db95893

SHA1
ecefa419d86eeca0dfb826618c48ad88fdb957d3

SHA256
547ffeacf38822831f2b8e3bafd417b05767a93021981b0b74ebfde7b381508e

SHA512
545a988d38b9f14bfdd6a91c33d7a016de3dd75d6f5f4805427e3c2ec2a598ea041259e2624254a96cd7b9c67440f8f5397cd7f40497dad0812292309548437a

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
256KB

MD5
27d06ba9e738036d3256e40bb9b97b15

SHA1
7850a1c20a325c13ef7709e549dfcf1b95f61a55

SHA256
26db40817d8829ce2d4f3d1a628b736bc26e41d68cbd085af1f99ed5436aefff

SHA512
fc7cbe845fc7888d83d5eef3b996bd2da3938c264bf123de3862ce615b566d8aed134054335b58957334e9a9ed786a672a64de53d1a1c19e0e79191449b35a13

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
256KB

MD5
d1dc32201ac76b7d24f79eb91645eda5

SHA1
3014270387f8d8e8ee3002c9a35fb505ddbb848a

SHA256
452a1ad37f457475f75ac81d4c71e33640f3d4341badfc3f2b001bd2ccdd5139

SHA512
803673fe9d830b5d85e652fcc2d0e92dfb844069b25884e8bf5754e783e6ea896e02672a9e31ff02a58e8971fb9f5f78b24abd333cfba5631e4e107284cb60ef

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
256KB

MD5
f1beca882b81a5f5b9cb02e3730ddb97

SHA1
8c39d5987cc102c940c17b419815f21ca4dd190e

SHA256
fe06bcc5f8965a487ad709e0042b87643343ee3fc533f9b94c91e97b8c8371a0

SHA512
40436bb6203837749856fa48561300f92a8eb9abb7376c0ec176d345fa48136bab65f898364c8fca0d1c709999ba3aa1f6e955978529d58c73d48877cb501e38

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
256KB

MD5
ee2e5271fb6376653a66a65dec6cf026

SHA1
23894e1326bb3173e61d3487b84a035c3d50684a

SHA256
b77b0340a388af7097d28607596c979c6950c3c1354dea8e966a7b0c03ab93fe

SHA512
5bfa05dd36affc3714c1e10c073ba018a01d02f527752fff5048353e4a88584ebd4330843232b790e275b4a89bbf93bd8a2d4aa8011be0d05b11329b05df5551

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
256KB

MD5
e17c8766826a31f9f6fe7ae87d1cfda8

SHA1
3296eae4fdd0cf7bf9f6a072393df260303a8c32

SHA256
68dfd2ff0a98d7a12e180e721901590a96fdd95a7ba93c0890ece1fd9b642cb0

SHA512
d4305d4eeea33c1e1117e6cf5e48ffc439a7afafa648a1b3f9bc65fb19e45569a664e2e4266bd819015a44ac64c80f14eabb348dbb272b01c7191683a99c1770

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
256KB

MD5
01e567270a03058faf72afff297e17ce

SHA1
0317f77ad977255be88bc14db474f2732bcec20c

SHA256
39a9e5d08ff471aa8001de6f94df66d12bce9dc6212982279e3a3f0f8719b4c2

SHA512
6e0873a174aab5040c1df5fc01619bd924b75c6a94e521284ed67084aadf8f7be2b8792d72905a7265adb089ab25ee588af54afb0c98a615c70f0328668efd09

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
256KB

MD5
a6f46ff6572a210bc82a5c9006a51a18

SHA1
8e314bed4e6e8eaabf52a311f71677f1b9efdf3d

SHA256
d9515d241a412a7fc32dfac5d28384b94640a1bdd8e6aa35e38163ce9b9febaf

SHA512
d858fef9a2182fc09b25a97409fe8ecd22ee9791db07488b5d8ad53020eb1f985405acc67b8147a172c8f371c1500206d2d6a246c926e77a36eb8e5de4332865

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
256KB

MD5
3c3d3426c026378b840f06544a78887c

SHA1
1b616fd8efa96dfb2b1a278e25d266c75eeb36d3

SHA256
66f1cb8ffead9f7d0f9797407c0b777132acfa51751f9c9b01deabbf57d944ae

SHA512
df84db492d9267845004954760b45edcc34d82e67fbeb8533557af86a3d4e6009abcf270896e93fca9f58c79656636e38b017a5a95a5258e7077317c60e9a1f8

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
256KB

MD5
2a571575731ebb78cb5de8829284a42d

SHA1
ebf993300ae4189bfa120ffb5c78a6464bab8b07

SHA256
77fc2b83272e4b7e8567d08e958a3116a177d992158eec1ab391270b46237e67

SHA512
fec3006b310b912aa9e76f8dbfb2bdfe9e2c6bad828659b04e2c1de7008bbbe6f881a89a799d8864fe2b1b12832c5c99d1576a270bacfe440be76731bf48ba1e

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
256KB

MD5
2ad19f0602fd2506c2402474d2e40228

SHA1
d08502f02b45609158fb9ce9d403d4dee60ba1a7

SHA256
b057711fe8fe1e4090a347139af63256945936c36d9227cb68f72695452fb941

SHA512
1ef9d1b313ef743f2d554ee112a62a2bf0c120164bdb3e9b6f819c4c8b3e7a57e7a3db3d7228f6bb9a7e16c5fb3cf0e08284d13f03a6ed788eb29d5b8a2fede9

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
256KB

MD5
dbfb36b9446280a1cb834753e1b7e3f7

SHA1
aa3ca076b3880840792908398fe6472cc7263562

SHA256
29c7cf1702222479f5b9e6bc4b7767180e0b744212e7eb582a973cd8efc00908

SHA512
481b2cd1be5d2b5bc69cd1f026b7c50bbca99a3a48aa0ec3269c3809749e88fa994403fcd4e5bce32971b25ac2af29ab5bf3bf097c92abbd2da93a16c2c9beb4

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
256KB

MD5
0d7f8182079f9ac57be552a00f6603d3

SHA1
544b310e2f1947e3c11d2be2cd4717951ae089b3

SHA256
27b46ab1500cc832242e38cdaf515ee9b20cf472971df36b261792d87490587f

SHA512
1d301cb6db38bce236e34256fd0e0e2dd8143b818c949a636fbd0201a8529fdc9c7c59bb692446d8f831b80824f15077b18b9e696dcea3534f28d66ba2d4ab3c

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
256KB

MD5
bc6be658fa1d79d0ee915f167cb108cb

SHA1
58c91522572a783d5cf2e095793d2b50bfb85dde

SHA256
fe5b6265a22f4ca6c312440e5f774ebc62784b13596de45d611b2d402778ea06

SHA512
b2e98c1bf6c74999c84a11da29e835e1ec17ca3e5334a23f08e0fc804028d4dfe564dda4df8e1ae11e090e07c51630d76f69ef00461965914bba03cecf5473e5

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
256KB

MD5
ad86576053ec9ce23d083e3b90573270

SHA1
88810048aa077ca9b04e8596fbc2116ee9be8a8b

SHA256
93c96f5cbf2492912593947c2ce1bc5abf15ddb8d92c28b441b52a9976ae655f

SHA512
fe05cdafa6ecfb965f16ae798378691ba0027fc6c118f686a62bbc93d78f7cf00ea9a66cb80b5ee38a6efce307670b05ff5111add4bfcc0ad428f9304d9d2d28

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
256KB

MD5
bfd4e3d3d9a75faa9b86ae46435600fe

SHA1
9ecc4fef8631d4fff88f40773ff47b6fe7b6e4fb

SHA256
33a4a20599bec094bafbadd638f97cb8ae83026c311e6953fda8b0a64092c5bd

SHA512
5a1f8a9468b51badcaad7aed27c9da6cac6768581c2086c2094994fc146b2c333c13c6a522fbd2e15385935f1a6d9f3297678968285c3022a8493eb595d4544b

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
256KB

MD5
86a0b38a70bdb62780eaa4bf466cc483

SHA1
38daf919f7d54c29bae86b1bb559b175d37e038f

SHA256
207b89456b74937cdd92cef3957ed7b7e092a7d781ac8c20f5a3a269141e0542

SHA512
e1fa99f8d913e1c1d10180876c8d06f7ee42690730bdadb178c7fac69e1d7e92a085de663e7814ebed4d73fae2f22721acc4a735c384227be9ff9322a2677b70

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
256KB

MD5
7b8174167caef15c5d790f20f479ce58

SHA1
0edb385c4133be501c161ac67876e261fcfc130a

SHA256
4c36cd7dcd747fe513d361a32ddc3b64a832a97c212b7ad925c0683ab6890806

SHA512
352336c2444c3f86cc15086797b065e9b585826467a4cdb3ebedebc5109c8895d5ee67190a067e330b2b8f101265aaaeec9d73f16f23f3d176b45fcf1c9fd4c0

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
256KB

MD5
9388bd1e0eee3546e5c0e0a9cec9ff49

SHA1
faad56af304b62be51d4eaeb3dae67486a2cfc50

SHA256
468dd7c8674c06bea10681a3a3539fa6281fb4e51d704d585adbc92ebc783777

SHA512
d588fac48fb8839ca059cc7ae9e07a849b065bc058f1e39241f2071d03821affd3dffe6ea98f72d51bca7eb20d309f78cf9612e71fe7375369af51d0f5b7008f

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
256KB

MD5
c4d057321c936f6ba51b5ed4aea66d28

SHA1
4a51579d8d8fecc966306a488d07bf18148708cd

SHA256
6037bd80cd7ddda1938b9642c0217b8d682dd5d1f941699568853e5a9cbcaf95

SHA512
0da6e7a0ce7cacd1bb8a2c4c32afa6f8b99db3778cba3278bd44777d122316b6a2362976070428ef977ecb0010f4ae46725c293f71e4f539233d1ae3fc23649c

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
256KB

MD5
824f5d0ac29773bc64d068508fd81932

SHA1
d42ad373a07e44ba7628375ba9338b8ad5c16158

SHA256
c09d8755bf945129a460a9372241afb63631cc94445df659fb7e7be7f81ef35b

SHA512
80e64673f904bfab2ae73b7356a3ad6affc5792ce0865675fcad2a9597a5e1005b01038f81dce8a844eb12e8783822a743ea7091a65bed1b1bf04491001d1863

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
256KB

MD5
594a7c3883839a427b68694060e8ade8

SHA1
1ce37eedbf11987007dcc576b898d668df1719a3

SHA256
2a90c64e18fdf8d7155cb0775ae33223646d360a3a3eb1cf199be6ffc8e2380b

SHA512
a8c26e3797ccab9174e66ccfcbb16cda2dbd6b77c1e6bcec07a45d4d0f026a3c9acd0225e615fe3b47901dd420cacf05f8c10ce4663c3179e7c59cd15cbef887

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
256KB

MD5
4a6d782f97a60198018ab648670f4a19

SHA1
bf6adb5ff20e94a6b3ca6bd6081e8d6d18320bb8

SHA256
06e9a5d9657d03a213fbb5975e79fed8c21ca59dcb7e61537be74df972501fd2

SHA512
406ec1816795158ed6854ddc8d2cafd408c46d46afd5c2a74e1b1b722a4f9a9b60a95d0ac36cb5205b1fecaedccc4d301d21af8574f51f11e5ca5b22a011fb9a

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
256KB

MD5
b6d1f9b1c23dfe3a97c481cee9feafe4

SHA1
3955e04a3eaa5b5f6bbd53db22bfe274ca4e87a3

SHA256
55588de26c9f7d942fe46198b8ec64ac036713d1169581d662a9f292c3b926f3

SHA512
11be29f074c666918dea5e7780865d3013bb3cca54fb8aa4b6122b7761b6430141fb112be200b4bd003947d3b8c46b55f01056761d9b1a32c5384235e79be4a3

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
256KB

MD5
db6a7a5c0e7aa20b88223a330dd214ea

SHA1
af43cbf25bccc5464d385755da6c8f8d91488092

SHA256
d6b8571a413862da6ba713690d896d83d32564f1e725e3c832aa725c112da330

SHA512
c3df986de1c74aeebae0617146fb8b97d9054cd73b49789191e55913757ddca32e0fc3a4a251a50f12aa818d1a3c5d209b38654edeaf605f06aeda76f35e888a

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
256KB

MD5
5f1319e0979eb01e05ff58f9c1ccd647

SHA1
a7dc9b6f8a7d64552b71bb4508d895bce44fc2f8

SHA256
337c437b0191f724eab61aeed159f3a62df8c0f9d2dc1e7cebb317aacabba8e2

SHA512
c2257823ba361ad48b5964815f35a67bd8ba05d9361b4921f6f7836e8143da9fb6e51f2006a9565e9cebd78f951dd71240f4e6d96694d81b503598af56cc6351

Download Submit
memory/380-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/500-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/644-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/784-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/824-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/900-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/940-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/980-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/996-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1096-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1116-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1192-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1216-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1308-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1416-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1440-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1600-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1780-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1784-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1784-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1976-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2008-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2096-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2176-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3168-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3236-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3332-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3420-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3476-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3476-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3500-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3572-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3572-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-504-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4024-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4032-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4076-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4092-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4244-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4288-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4348-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4348-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4532-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4556-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4628-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4712-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4724-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4792-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4956-164-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads