berbew | b0f3e7006c1d9d3b35fc10499617425df97203ae325ef96341813c7d298cf627

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0f3e7006c1d9d3b35fc10499617425df97203ae325ef96341813c7d298cf627N.exe
Size

96KB
MD5

af690f360cd677bf2befe9b0b9cc3f60
SHA1

d0d87fa6b74ae062cd38d4c852527cd9efdebd80
SHA256

b0f3e7006c1d9d3b35fc10499617425df97203ae325ef96341813c7d298cf627
SHA512

473140fe9668f4312c3354dadb2d3feac0c59edc682b0678a1e88b448b933999eb793975c99fbdace73385f9b1d812452156ada83d38b1bb42a84a9a1a7ff119
SSDEEP

1536:tuNdNsVUyMsi/BQOb7CQMOzblV6xw2MSJ4rBr+AduV9jojTIvjrH:aPsvEXCQMOzJV6xw2/J4rBr+Ad69jc0X

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gijmad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnnljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojajin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgonidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egaejeej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebfign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gghdaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onocomdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpaihooo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcmfnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jllhpkfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klggli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbnhoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaqhjggp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Damfao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpqggh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemooo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keifdpif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllhpkfk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2984	Mfeeabda.exe
3296	Mnmmboed.exe
6008	Mqkiok32.exe
5088	Mcifkf32.exe
4904	Mjcngpjh.exe
5148	Nmbjcljl.exe
4816	Nopfpgip.exe
5320	Nggnadib.exe
1688	Njfkmphe.exe
5828	Nqpcjj32.exe
3588	Ncnofeof.exe
4188	Njhgbp32.exe
5204	Nqbpojnp.exe
3712	Npepkf32.exe
5184	Nnfpinmi.exe
5060	Npgmpf32.exe
1556	Njmqnobn.exe
1568	Nmkmjjaa.exe
4488	Nceefd32.exe
4604	Onkidm32.exe
2632	Oplfkeob.exe
3524	Ojajin32.exe
4612	Ompfej32.exe
1268	Ofhknodl.exe
5176	Onocomdo.exe
1508	Oanokhdb.exe
2500	Oclkgccf.exe
5212	Omdppiif.exe
6016	Opclldhj.exe
1756	Ojhpimhp.exe
1068	Oabhfg32.exe
676	Ppgegd32.exe
5676	Pfandnla.exe
4012	Ppjbmc32.exe
5972	Pnkbkk32.exe
976	Pplobcpp.exe
4520	Phcgcqab.exe
2416	Palklf32.exe
2944	Pjdpelnc.exe
2064	Qjfmkk32.exe
4076	Qpcecb32.exe
1760	Qfmmplad.exe
2484	Qmgelf32.exe
352	Qdaniq32.exe
5404	Ahofoogd.exe
2856	Amlogfel.exe
1596	Ahaceo32.exe
628	Apmhiq32.exe
5844	Ahdpjn32.exe
1692	Aonhghjl.exe
1644	Aaldccip.exe
2752	Ahfmpnql.exe
5712	Bhhiemoj.exe
4268	Baannc32.exe
3164	Bkibgh32.exe
1420	Bpfkpp32.exe
3328	Bogkmgba.exe
1680	Bhpofl32.exe
5756	Bknlbhhe.exe
4304	Bahdob32.exe
3664	Bhblllfo.exe
5324	Bajqda32.exe
4424	Cdimqm32.exe
2032	Cggimh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gpmomo32.exe	Ggfglb32.exe
File opened for modification	C:\Windows\SysWOW64\Gpolbo32.exe	Gghdaa32.exe
File opened for modification	C:\Windows\SysWOW64\Nmaciefp.exe	Nfgklkoc.exe
File opened for modification	C:\Windows\SysWOW64\Nmcpoedn.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Nimmifgo.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Deocpk32.dll	Ieojgc32.exe
File created	C:\Windows\SysWOW64\Ncmhko32.exe	Nmcpoedn.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	Nceefd32.exe
File created	C:\Windows\SysWOW64\Blqhpg32.dll	Onkidm32.exe
File created	C:\Windows\SysWOW64\Dnkdmlfj.dll	Amlogfel.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Oifoah32.dll	Ehndnh32.exe
File created	C:\Windows\SysWOW64\Okjpkd32.dll	Finnef32.exe
File created	C:\Windows\SysWOW64\Gmbjqfjb.dll	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Bhblllfo.exe
File opened for modification	C:\Windows\SysWOW64\Ehndnh32.exe	Ekjded32.exe
File created	C:\Windows\SysWOW64\Damlpgkc.dll	Nfgklkoc.exe
File created	C:\Windows\SysWOW64\Cohddjgl.dll	Pbhgoh32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmlla32.exe	Pjoppf32.exe
File opened for modification	C:\Windows\SysWOW64\Baannc32.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Gbiockdj.exe	Gokbgpeg.exe
File opened for modification	C:\Windows\SysWOW64\Qpcecb32.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bkibgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fqgedh32.exe	Fkjmlaac.exe
File opened for modification	C:\Windows\SysWOW64\Oiccje32.exe	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Pplobcpp.exe	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Fbgbnkfm.exe	Fohfbpgi.exe
File opened for modification	C:\Windows\SysWOW64\Lplfcf32.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Nfgklkoc.exe
File created	C:\Windows\SysWOW64\Fpgkbmbm.dll	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Iondqhpl.exe	Ihdldn32.exe
File opened for modification	C:\Windows\SysWOW64\Jaajhb32.exe	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Kllfakij.dll	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Onkidm32.exe	Nceefd32.exe
File created	C:\Windows\SysWOW64\Opclldhj.exe	Omdppiif.exe
File created	C:\Windows\SysWOW64\Fqgedh32.exe	Fkjmlaac.exe
File opened for modification	C:\Windows\SysWOW64\Gokbgpeg.exe	Fgcjfbed.exe
File opened for modification	C:\Windows\SysWOW64\Hioflcbj.exe	Hpfbcn32.exe
File opened for modification	C:\Windows\SysWOW64\Kcmfnd32.exe	Klbnajqc.exe
File opened for modification	C:\Windows\SysWOW64\Lojmcdgl.exe	Lcclncbh.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Oiccje32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbjcljl.exe	Mjcngpjh.exe
File created	C:\Windows\SysWOW64\Kofljo32.dll	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Pjphcf32.dll	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Pfhmjf32.exe	Pblajhje.exe
File opened for modification	C:\Windows\SysWOW64\Nofefp32.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Oqmhqapg.exe	Omalpc32.exe
File created	C:\Windows\SysWOW64\Hodbhp32.dll	Nceefd32.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Ilfennic.exe	Hihibbjo.exe
File opened for modification	C:\Windows\SysWOW64\Ibqnkh32.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Khiofk32.exe	Kcmfnd32.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Eapjpi32.dll	Pmmlla32.exe
File opened for modification	C:\Windows\SysWOW64\Gghdaa32.exe	Gejhef32.exe
File created	C:\Windows\SysWOW64\Clmmco32.dll	Ilibdmgp.exe
File created	C:\Windows\SysWOW64\Phcgcqab.exe	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Qmgelf32.exe	Qfmmplad.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Caojpaij.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Gghdaa32.exe	Gejhef32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8100	7844	WerFault.exe	344

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjoppf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dolmodpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jadgnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaqhjggp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljbnfleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gijmad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnhajba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njgqhicg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbocfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfidb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oifppdpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njfkmphe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhqcgnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfenglqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmphaaln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfandnla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Finnef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egaejeej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcjjhdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekonpckp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqncnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbkkik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbldphde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcngpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmgelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnamjhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdieb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkhgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilfennic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgklkoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbjfjci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgonidg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcifkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieojgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqggh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcclncbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmcpoedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjnnbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heegad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jocnlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbccge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohidbkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojemig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcoccc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmhko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pimfpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljdkll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkekjdck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eohmkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfqnbjfi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpldbefn.dll"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll"	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obqhpfck.dll"	Mcifkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobmce32.dll"	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll"	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jidinqpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jojdlfeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njhgbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hicpgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haclqq32.dll"	Gihpkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdglhf32.dll"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafep32.dll"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b0f3e7006c1d9d3b35fc10499617425df97203ae325ef96341813c7d298cf627N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imffkelf.dll"	Ekjded32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eghkjdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpceplkl.dll"	Hnbeeiji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nofefp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehndnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cggimh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmknd32.dll"	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pblajhje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehndnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgjnl32.dll"	Omfekbdh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2984	1148	b0f3e7006c1d9d3b35fc10499617425df97203ae325ef96341813c7d298cf627N.exe	82
PID 1148 wrote to memory of 2984	1148	b0f3e7006c1d9d3b35fc10499617425df97203ae325ef96341813c7d298cf627N.exe	82
PID 1148 wrote to memory of 2984	1148	b0f3e7006c1d9d3b35fc10499617425df97203ae325ef96341813c7d298cf627N.exe	82
PID 2984 wrote to memory of 3296	2984	Mfeeabda.exe	83
PID 2984 wrote to memory of 3296	2984	Mfeeabda.exe	83
PID 2984 wrote to memory of 3296	2984	Mfeeabda.exe	83
PID 3296 wrote to memory of 6008	3296	Mnmmboed.exe	84
PID 3296 wrote to memory of 6008	3296	Mnmmboed.exe	84
PID 3296 wrote to memory of 6008	3296	Mnmmboed.exe	84
PID 6008 wrote to memory of 5088	6008	Mqkiok32.exe	85
PID 6008 wrote to memory of 5088	6008	Mqkiok32.exe	85
PID 6008 wrote to memory of 5088	6008	Mqkiok32.exe	85
PID 5088 wrote to memory of 4904	5088	Mcifkf32.exe	86
PID 5088 wrote to memory of 4904	5088	Mcifkf32.exe	86
PID 5088 wrote to memory of 4904	5088	Mcifkf32.exe	86
PID 4904 wrote to memory of 5148	4904	Mjcngpjh.exe	87
PID 4904 wrote to memory of 5148	4904	Mjcngpjh.exe	87
PID 4904 wrote to memory of 5148	4904	Mjcngpjh.exe	87
PID 5148 wrote to memory of 4816	5148	Nmbjcljl.exe	88
PID 5148 wrote to memory of 4816	5148	Nmbjcljl.exe	88
PID 5148 wrote to memory of 4816	5148	Nmbjcljl.exe	88
PID 4816 wrote to memory of 5320	4816	Nopfpgip.exe	89
PID 4816 wrote to memory of 5320	4816	Nopfpgip.exe	89
PID 4816 wrote to memory of 5320	4816	Nopfpgip.exe	89
PID 5320 wrote to memory of 1688	5320	Nggnadib.exe	90
PID 5320 wrote to memory of 1688	5320	Nggnadib.exe	90
PID 5320 wrote to memory of 1688	5320	Nggnadib.exe	90
PID 1688 wrote to memory of 5828	1688	Njfkmphe.exe	91
PID 1688 wrote to memory of 5828	1688	Njfkmphe.exe	91
PID 1688 wrote to memory of 5828	1688	Njfkmphe.exe	91
PID 5828 wrote to memory of 3588	5828	Nqpcjj32.exe	92
PID 5828 wrote to memory of 3588	5828	Nqpcjj32.exe	92
PID 5828 wrote to memory of 3588	5828	Nqpcjj32.exe	92
PID 3588 wrote to memory of 4188	3588	Ncnofeof.exe	93
PID 3588 wrote to memory of 4188	3588	Ncnofeof.exe	93
PID 3588 wrote to memory of 4188	3588	Ncnofeof.exe	93
PID 4188 wrote to memory of 5204	4188	Njhgbp32.exe	94
PID 4188 wrote to memory of 5204	4188	Njhgbp32.exe	94
PID 4188 wrote to memory of 5204	4188	Njhgbp32.exe	94
PID 5204 wrote to memory of 3712	5204	Nqbpojnp.exe	95
PID 5204 wrote to memory of 3712	5204	Nqbpojnp.exe	95
PID 5204 wrote to memory of 3712	5204	Nqbpojnp.exe	95
PID 3712 wrote to memory of 5184	3712	Npepkf32.exe	96
PID 3712 wrote to memory of 5184	3712	Npepkf32.exe	96
PID 3712 wrote to memory of 5184	3712	Npepkf32.exe	96
PID 5184 wrote to memory of 5060	5184	Nnfpinmi.exe	97
PID 5184 wrote to memory of 5060	5184	Nnfpinmi.exe	97
PID 5184 wrote to memory of 5060	5184	Nnfpinmi.exe	97
PID 5060 wrote to memory of 1556	5060	Npgmpf32.exe	98
PID 5060 wrote to memory of 1556	5060	Npgmpf32.exe	98
PID 5060 wrote to memory of 1556	5060	Npgmpf32.exe	98
PID 1556 wrote to memory of 1568	1556	Njmqnobn.exe	99
PID 1556 wrote to memory of 1568	1556	Njmqnobn.exe	99
PID 1556 wrote to memory of 1568	1556	Njmqnobn.exe	99
PID 1568 wrote to memory of 4488	1568	Nmkmjjaa.exe	100
PID 1568 wrote to memory of 4488	1568	Nmkmjjaa.exe	100
PID 1568 wrote to memory of 4488	1568	Nmkmjjaa.exe	100
PID 4488 wrote to memory of 4604	4488	Nceefd32.exe	101
PID 4488 wrote to memory of 4604	4488	Nceefd32.exe	101
PID 4488 wrote to memory of 4604	4488	Nceefd32.exe	101
PID 4604 wrote to memory of 2632	4604	Onkidm32.exe	102
PID 4604 wrote to memory of 2632	4604	Onkidm32.exe	102
PID 4604 wrote to memory of 2632	4604	Onkidm32.exe	102
PID 2632 wrote to memory of 3524	2632	Oplfkeob.exe	103

C:\Users\Admin\AppData\Local\Temp\b0f3e7006c1d9d3b35fc10499617425df97203ae325ef96341813c7d298cf627N.exe
"C:\Users\Admin\AppData\Local\Temp\b0f3e7006c1d9d3b35fc10499617425df97203ae325ef96341813c7d298cf627N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\Mfeeabda.exe
  C:\Windows\system32\Mfeeabda.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\Mnmmboed.exe
    C:\Windows\system32\Mnmmboed.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\SysWOW64\Mqkiok32.exe
      C:\Windows\system32\Mqkiok32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:6008
    - - C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5148
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5320
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5828
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5204
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5184
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5176
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        27⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        28⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        31⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        35⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        39⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        42⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        45⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5404
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        49⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        50⤵
        Executes dropped EXE
        
        PID:5844
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        51⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        52⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        55⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        57⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        66⤵
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:776
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4796
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        71⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4324
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        75⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        76⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        77⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        78⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        80⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        82⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        83⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2980
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        89⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1192
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        96⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        98⤵
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        99⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        100⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        101⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        102⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        103⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        104⤵
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        105⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        106⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        108⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        109⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        110⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        111⤵
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        112⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        113⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        114⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        115⤵
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        116⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        118⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        120⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        123⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        126⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        127⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        129⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        130⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        132⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4416
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        134⤵
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        136⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        137⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        138⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        141⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        143⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        144⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        145⤵
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        146⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3452
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        148⤵
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        150⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        151⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        152⤵
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        153⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        154⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        155⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        156⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        157⤵
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        158⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        160⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2276
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        164⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        166⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        168⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        169⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        170⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        171⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        172⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        173⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        176⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        178⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6764
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        180⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6908
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        183⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:7016
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        186⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        187⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6176
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        190⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        191⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        192⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6452
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        193⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        194⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:6668
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        196⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        197⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        198⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        199⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        200⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        201⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        203⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        205⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        209⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:7052
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        211⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        212⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        213⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6476
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        214⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        215⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        217⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:6656
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        220⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        221⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        222⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6676
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        224⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        225⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6500
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        226⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        227⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        228⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        229⤵
        Drops file in System32 directory
        
        PID:7336
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        230⤵
        Modifies registry class
        
        PID:7380
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        231⤵
        Drops file in System32 directory
        
        PID:7424
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        232⤵
        Drops file in System32 directory
        
        PID:7468
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        233⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        234⤵
        Modifies registry class
        
        PID:7556
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        236⤵
        Drops file in System32 directory
        
        PID:7636
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:7688
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        238⤵
        Modifies registry class
        
        PID:7732
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:7776
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        240⤵
        System Location Discovery: System Language Discovery
        
        PID:7820
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7856
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        242⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        243⤵
        Modifies registry class
        
        PID:7952
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7996
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:8040
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        246⤵
        Modifies registry class
        
        PID:8084
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        247⤵
        Modifies registry class
        
        PID:8124
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:8168
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        249⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        250⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7232
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        251⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7300
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        252⤵
        Drops file in System32 directory
        
        PID:7376
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        253⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:7500
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        255⤵
        Modifies registry class
        
        PID:7588
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        256⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        257⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        258⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 412
        259⤵
        Program crash
        
        PID:8100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7844 -ip 7844
1⤵
PID:8028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
96KB

MD5
ed8d23e8ed4a3bfef1926668c8c7e9aa

SHA1
fc440697d33eca686eb06847663686a37e732cfb

SHA256
a7c40c2e92e9bb87e1b9e005b494e8e0cf7456a39a577649be0a91608a153f8d

SHA512
8983a8f5537694bbc6dd5e6d0512830dcec4629c6b4a8436a6c6105298130f3ac10b020d6ee553f11aa159c68344989ca809383c19252eb5c55e4b49e4d2ed09

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
96KB

MD5
394ed0cb05e9655fcc0dee27b9f9ca95

SHA1
2de4d2904e7afd3a880964900102473254245895

SHA256
b81ec1e102fcc72f11825ec9c4e7ad70448794560cbe84149b1c3e1e8d2471ef

SHA512
6b4fe46647188f9d1ee110e7b39785d694988bdce85e27a69ae87e41e76f6b5a7884308cb0d13851fcd32aaca81fc44fc44392b9df041c6ae31b04c51b76ba4a

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
96KB

MD5
a4944a4c1ace5c05fcd452d233de2a7b

SHA1
bb9c48ba989e4382c18a0d080236ec6fef83aaa5

SHA256
f59b51fb4c3372fd0bcab3cbc87e2e8032aec8affe40b98335b20d39e0045543

SHA512
96192c2937bc58d6732c469d17396fd71d4356c2e41ac67f0f739f15718533066bb990877a462721e35a58748592bc92eba73d679c7ed7e0f8c243b72d8c508e

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
96KB

MD5
f5a97451ecbe0379e75d7f835e6ee458

SHA1
f272c44753a3483cc86c1f6da40bedf64bcc47b2

SHA256
251e330f7ccde59e04c388d4af7c3f135fe4b9bd1b68682dd36e8b9db0009c9a

SHA512
569b02a2573d5ded51b5e2a8e4d5f78bf77ea49a7cedbf749772c0640f25ad446e195ed494cf5f6c1c7f05eb6f9d5e1a67f1f878859e255fb1fd401c759012fd

Download Submit
C:\Windows\SysWOW64\Bhhiemoj.exe

Filesize
96KB

MD5
87b7e574f1468474f32ad24de526bed3

SHA1
7f306c7b8cb90215133d973a18ae0eb8f776d23c

SHA256
0597d3e2e3fd27aa41f1dfc88b99b4a052a575bcf8f4339cf263c5c0e3c486b3

SHA512
31c86a602798c3b3cb25384a271361e4019d94f2d7c7d7e5514a59c27677b6f0003fb23e1650ab337074620ceae41c9a8021667d1ffa43fe6db5b9a4514f31ee

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
96KB

MD5
f21b0b8b89cffb07fe44de2e00c18260

SHA1
0f90841b2059ef6b22a02a0aee578e43cde029b0

SHA256
e56f7f6fc0ee67227a94afb0aa2c9a5a41e32d3ceada8ff819523192c423309d

SHA512
c15f4de492f584adcc213c575e3640dc32cd0024f05b6c86ba98490174ede4ef3e11d981f0d2ec7c089053a11f23644a4097ade33cded27c05ed2eb1f36513b7

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
96KB

MD5
a86e37b03f7d8c6d43b5243c7af6185c

SHA1
0229b53f909f91d69a7de1749a04fa78a9546aa2

SHA256
e3a6b25bef2e060597f2300ddea7d2f64de1dbf570af2991a5a5c41794ecd880

SHA512
1d1d45dd6547a29f8329e471724fa1648cfee4b9e3900457adff95dd0a979ea5e87ee55eb46e484ebf038614fa0bb87e11054d78e78d9cabc7398df3e90df942

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
96KB

MD5
9a40cb125bbc82e95ce1f2b09127428f

SHA1
b28211889269b497ccd03c3bc8d7d3f2f3b0e0f6

SHA256
497fc589c3afd499f77a7c8b917a5c6186d851dd0b51244f733a8f24b65f46ea

SHA512
e2f22271b3cbee3047832ebb4c05f79c41a200c2a748bf6eea765d3456ef9dfb0efb6d43ae83bcaab8f5384cd5cec6cc789b6bd91cff299040d7b004329a87fa

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
96KB

MD5
bc1e6ac0f0caef581972ebe4392a32cc

SHA1
c3f42d3ee8d81caa34956925076633d26c0b8939

SHA256
bd315a1fd4f253a0a629b66849896dc20d6cf45e7b2de3edee67fb3fe38f4827

SHA512
8b2884f2f6c162d195d6fbd355cf8ca2964910eea4129bdc416034faa794d65db2d4f25bb157d2444592ef1fc22b3517a9c9096f1d54baedb21ec5fcd3c96679

Download Submit
C:\Windows\SysWOW64\Dakikoom.exe

Filesize
96KB

MD5
b527a19682ba313285f42f52cc9f20ae

SHA1
4d0f79a596839adac772866b6bac3676886c010b

SHA256
2b87b9b75e4af604f375d1e82471d0e51874dd9715b4c419717bc5c20caaaaa7

SHA512
c79898062b449f0a6ebd4bd1236b13d602faf1eed23f2f1468b1ce7a0adfba2976484962107c4104d2a0bf09b2848e50b1097a0811c884466c30ee8e7e042d30

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
96KB

MD5
271e3fc99fb9fa1d0a5214eab1d91682

SHA1
3b12ce919eb18f5512fa381531b0dbde5a6fda26

SHA256
738ee1bd4e38026da6eb9eb74a6c4ae451b0dbc6f1e58d3892a5424a9adb4fa8

SHA512
9de294bd6bd90ce6dea1eb17d49fb823b9f081d1bf85e0d5492b52722b6125fc8880ccb39ed3af8273d0401ca2d8c72da4a52716751d1fb9f5e74b2e76fc9952

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
96KB

MD5
66afafb97c92ecb8120d6d1efb35f313

SHA1
c7356c5e3d580bb7819a929c0dc551204692bb0e

SHA256
43f916b7a00c3b66a02911d1f93883c9a4af2e146f5e1b6abf9735ee9d68d43a

SHA512
0013f71bf20f1c36ae761127252d98de9d1d59d42a1f7f8860863b9c225c7e0b268291e6b096435913d705bd6c043c5e6b6e3015a3fb70a6a3a9145c5113859b

Download Submit
C:\Windows\SysWOW64\Edgbii32.exe

Filesize
96KB

MD5
c8937c5feea1f8a4d4c5c31ea9c8c4d3

SHA1
8e162f6db0d57877ac4ce76036bbbff9e3136086

SHA256
7a06f4a9670a507ccb22b8013810ccfbc84061523225e6351671ca9d1346279c

SHA512
607dba242ebd7e7ab2f53606a18d00b1fb6dc49d9f52ccc42186a96344262f68336d0df412c50f52c253c35d504535a795fb71b1f12d014792dca9940bb9fda5

Download Submit
C:\Windows\SysWOW64\Fqeioiam.exe

Filesize
96KB

MD5
2a5a3c77bdd4c8416d5004d8662e0804

SHA1
1a9f54982ac3fb7ccc1651b60b3048e05db74d3a

SHA256
383e1036598d6b5040179f15b44a516a258eabd549bef71ec43133c58fb35bb7

SHA512
60129042b92ce4d2612009d45de15c73a005593eadaa2590fc1b0de42329f7a7f6d66a7f1af11610ac1a9715eda09d7c2249987e25d96e5dfe2b2380964766a4

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe

Filesize
96KB

MD5
9e508cd24cb811cac219a5092f1bba81

SHA1
49b5e7bfcc71b83853dd527d93d06103adec9fbb

SHA256
889994948692bc87db89263a646d7dc0922aef697ab3a9b699596578598acd7d

SHA512
124f76c1abaec7c18143fa59a53598c61b3afe26f4c3747ef87d96abd124f558d86636804a4bd2571728f8ff0dfd6d387b0ee4adc424e5b41a440e42bb485765

Download Submit
C:\Windows\SysWOW64\Fqppci32.exe

Filesize
96KB

MD5
01d0a761ec4e1b2bef282bf52f77e96b

SHA1
66d1f27ccbccfa3c4198c6483c4357def58864e7

SHA256
a1db4543c8f194671ee1536a37cb8dd7cc498685f106aa471f76c944c37769a8

SHA512
032791934bc365c15ab6756220ad9dae40ec7b46ba6228b67b38c6ddf3deef3a0422cf5bda91961ce9823be33421ee08a73d5ee8eb3b64e100e65eb16576668f

Download Submit
C:\Windows\SysWOW64\Gbnhoj32.exe

Filesize
96KB

MD5
215cb82273df68a2dce0853fb84740fb

SHA1
227dd42c7700f94b9cb23b72c3f5af0c5ae99f69

SHA256
27a0321911158f0ced38093b8e3fd456bfba4a1c25d5cff5811e7e8f549537f0

SHA512
534705c3aa90187f095935565e6cbb3981cfa90d757fb553d7b697d7b8888a7865eecc7fbfd5c3469d7ec641d5a5c76b567f4696878b7a8eefd10e8c0f00dfac

Download Submit
C:\Windows\SysWOW64\Geanfelc.exe

Filesize
96KB

MD5
041e7d7e1b91ef63218ccb693a8e4e6f

SHA1
0998f0cc5a400bd7a67f035cb2abb94ec813a5f2

SHA256
c2720f047732d63e4c32f049df05780016d5039ac52ec3b9fa4e8d73bcef45a6

SHA512
29cf8d9b8e1bb135da2ed1a373eccf9d0017b8616f651ae33aca6a617667b64dd99d63f2dc22527a0f5fd72f7362b44d8be7cc98293aaf0ad0632f722e5969de

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
96KB

MD5
f4a28401d72fabed8599cd6596f97b47

SHA1
fb3eb0a244c4e1a1fa7999d3fb3c1eef3f9cf8fa

SHA256
df9a9601518ff82acab8f2900561d4b54453724b954e67fa8841e6463feecbe5

SHA512
2ed71aa4d88c37a8afb2fb50bd417ec6a2525df9367d977ac36f11f307414cd2788d4a2c891d88470d5968d27555f7711aedb26ae60ab07d2184c8e811f41281

Download Submit
C:\Windows\SysWOW64\Hihibbjo.exe

Filesize
96KB

MD5
3dac132c3ac577c5ffef7424dd260d56

SHA1
74c0ef6d847a346d9a7d0d9ae8301ff6f9747c0c

SHA256
8eeff6b377d91cb105e946790eb359d230d9b80691bdeb3613fc0263e41ff15e

SHA512
28e70b19e8aeb6ab97af4761a0b6a151edf5d1434348355d0eb106179fbc59b613f8a9477435e95d636676e10d324aa09197917ac19c765352611d5caa9ff6f0

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
96KB

MD5
4a263f3a116e33139b62a70196d84bce

SHA1
a5df5a0752902ac65bd6a4cea70e3980a738bb2b

SHA256
1e246092bd353a1e0113e910b6c1e0b38499af3ac88601a2a7a8c806d5b79f16

SHA512
ce74cf21a7c363cd0b22d46d8edfcb9ee1b9fb6c22445cb42541d6ef7891d6449e54eff2bd7d9e53d22183e61eb33fb30f91694348baaec2b5ba58e11323729c

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
96KB

MD5
a32f0ec5df590445f0286d85fc11878c

SHA1
82a4e79c8f5072e25ae20cd066004b0826c992c3

SHA256
5d4f28e068c0522a804031d4f1e9af019a306dd7931888040a47f2359b0c9a17

SHA512
4031c6546907cf37407355ad299b89547134f9b0f113e44aa9f318654b0f8c3a9b22fb74d50c36b611ed78454294227e905271c796bf05d837a6cefa8a8ef98f

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
96KB

MD5
090e7154ae340957142baa0b20c26c2c

SHA1
2e2d51e8801423bcd3093d2fb07ae179fba35521

SHA256
325f8d12caff7ff21324be6e551f2cb09d7d5387de57161f70aaae9707b03d19

SHA512
314779e5977bdc06385e857ea85cd8affc151db8f675b326d0b5e55a183f03baff38bb3fb92d9c07de70623eff3d23bd84a7851266e517956884eec8de3ec5bb

Download Submit
C:\Windows\SysWOW64\Jaajhb32.exe

Filesize
96KB

MD5
07415ba17768abf5ab6668e1b2e1f712

SHA1
d8eec35cf91de6eef443b6f9acde79daf00f5371

SHA256
5ac0ee51b96c06e4f8d5a78f7fff0cdb879cbb21f9baf3e26e6837991f26744f

SHA512
6667d7068e3745918f7b802fe1503c9a50a38af758bbeb00d96aab17b2f700dcd78f21043a318104eb394dca96856b433f80403646c4a7057f20e2a5633a107e

Download Submit
C:\Windows\SysWOW64\Jeapcq32.exe

Filesize
96KB

MD5
f1679a26228105609f368db44c2f85e2

SHA1
66f53473bdf5fe9801c2b3bd67525f767500d734

SHA256
cb117c8426dfdb88da5c9f04841794a1e6aaf22ee1146608cb4f44266fedaf4e

SHA512
91fbef8558adad61b762b1116997b271f3e323e59e03a09e5506a43921163198f71cd5a84ee99b0361440e88c43e9f2d7d8419c5ad16850981865c2596d2936a

Download Submit
C:\Windows\SysWOW64\Jekjcaef.exe

Filesize
96KB

MD5
b84cb150a944b01534ffc6a7e0f3de09

SHA1
0a501fc407a4c898d37456e01918cd4c6b785368

SHA256
2acefd1778053eec54bdc6fdb91fb096ff528309e7c297eafedadebc9d01c0a4

SHA512
c80f92350d30d270bb4f10a35727ddafbe35749582ee29fd292ac7c023e8d302d8990dbd99faa9654434c845d9993f482b67480cb78b5a3807b61e9c67fde04e

Download Submit
C:\Windows\SysWOW64\Jojdlfeo.exe

Filesize
96KB

MD5
183ef3ec01b1fb5aa54dbb8fb90c4801

SHA1
1fa7d32c20e6d50db50a53d6c0359c7e910ddff9

SHA256
1363b83e86f2a35cc64b20fc4739f89d6441d93884cc3cd878cd4050ba1654fd

SHA512
53d6e2b5257f58b412d4cde4415ccf377738f816df6c88755050f9e4eaab7b5f2a4da109a6b1a7275c96485715e3bebf1f88cb4007f52c9b441ea73d361a4176

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe

Filesize
96KB

MD5
1ffdec4f21479e959eddfa28ce3c81ed

SHA1
03fa9ea58f8fd665d3e0a0dec9ae78488f74e2e9

SHA256
f03e5f9af8d778b090d4b9e07181ad21e5375cc2c6e9f3f6b7a35610e10aafb6

SHA512
7496b446772100d8fecd2498d1352502196b3a94cf0c78d0d6dbbcd871bd1d84add5ecf0a0f9f0d0ae59ae2bb50bfc875d42e99e86faaf092b47128204e9de59

Download Submit
C:\Windows\SysWOW64\Kbhmbdle.exe

Filesize
96KB

MD5
80e0d7e5b9c3a29c22ca8dbdde5f19d4

SHA1
7d39869cb8f4836a95f5f6cd29331e2ef3276d11

SHA256
62781eb9926a8b303337e5b6d8abf1a38fec80adaa3ce986ac2ae0c6a7f1e93d

SHA512
dc48e7bb83cec3344b05434fec6b46e5cbf2885fd5b85850122af56bebb3f5847bce13756860d2e8fa8554f12c8fac6637819ffc78666d93546540f0ff249c27

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
96KB

MD5
aeececd9cb93d6c8a1e888c0600c8ef3

SHA1
1a847cd4425eab865d546c23199d483a2091c97c

SHA256
78e7a2e797439597cb8a0c71dbe592a08d3668db286a9a43c3e5142c4a22a5a8

SHA512
89187d840e626eed2480b91ac306da46a491fd288b5ba43ebb23b395c073162241dcdeaaf6e0009c3d81ece7de4ac612b5aa2739a6f25c0bb34ac558c39a97f8

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
96KB

MD5
d407f3ce4cb7e76dd99840c48f99f4ae

SHA1
889a394e0fb800e16b5eb33b45d4457eb9afa220

SHA256
14161d7b552f395c6b497af19951bb450a6b3fee323cf6e4561f078f41e6566f

SHA512
74a3663dc7a40d312126e96aa3044438cc13985c70ac15f628d847392027c0dd258ce412660c69b651d64a3f106b22d5a48b1620954ab1cc9bb34b24f0995e5d

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
96KB

MD5
082b93245633b6a244b7a8e92e4f29fe

SHA1
0e4f5797aab92300c32507475cbdf862a1be5dcd

SHA256
e5efd54123d01f8be9e17f83f89cdf3be85204088a6857f2fa978b34d7708b99

SHA512
bfdea8e340a5c3f26b8b16a10ea9c15dfef99922e29df33e27ec30c2a1858c8653ede6ee3cc5edcd09c549cc12faa1511399717fb7f33fbec57c2b21871c9959

Download Submit
C:\Windows\SysWOW64\Kpqggh32.exe

Filesize
96KB

MD5
a265c3ce266ff29aea6b6bdbcfaab8d4

SHA1
3059d359aae1a011338f1936fdf277f12a47b03b

SHA256
ee3b2d875d412035ddbfffe6e9a56476630a933002b7cda930d5ada91f6b1b8b

SHA512
abf3d272e444b86ac0f8ea65b11896cc604a2e89921087701657c5c1cd68e34a1903459b41185e3fa10de9e65eca31d2ddfae630ccb46a48dfe68c412a868338

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
96KB

MD5
005ea62f78f5b592e3e047dce198fe0f

SHA1
33fec70613b38cf96f549527432df5aacf3916e4

SHA256
0fdabbfde253bd320054d2c0ced9a934c2aeaa1c9829a9aacc27ca4ca915a387

SHA512
7d6565d89b32b6c8fdf18158a451f8772b1466497ab9f892ec562f2c86ff49cc9b5112227c8d60988b3e062110ccc404c87c3572a5552861b07464b81dfb2967

Download Submit
C:\Windows\SysWOW64\Lplfcf32.exe

Filesize
96KB

MD5
81e3ca1d528df6cc4c86eff027480c09

SHA1
c099c7141ece2384469f23e67f0fcd240c944ba0

SHA256
5251bb8575ccfe84a056c6d7773c9a0ad024eb4956d268bf6e62d2cdbccce21d

SHA512
4ef33ecd65a9d69eea9858914b36cdb658c61a0bd61740ac01c218a9ea09bb159b3b32931805d8aef499f553b4cb8a403e46e199ffb4c515fcc6839ba2b7334a

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe

Filesize
96KB

MD5
0fdf1ad5b7788611e81ea181bbb0b59b

SHA1
216c980fe41185158181312277808cd4974f422e

SHA256
2e856219e37100447d9307e6e407ef08e4add656eccda102b4760e3b54b71299

SHA512
50f97e8064a3a737bd26250613fb45c5a1b93179a5e84370e7e601ee0afebbc6385d3bb59792913288f91b6f34b49db45f75d6bfbd81c9f9de1320a5f20cac2f

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
96KB

MD5
b49dd6f6976d9ca99da8079877a9a6f2

SHA1
d9b39a9ff5931dee0a4232ce4344d0a5fd7ecf93

SHA256
49c317b5b15e75824b5d555dc3a4993dfb6e2ea656f9d3659e6e40d9bb5c1abf

SHA512
74239501cb462b37c248f4b32fae1a1bf84893c61c401d6168274601e0402b07d3259939b9a2b9e9791a4c605c43e2f39ee874174a83879fbf7751fb0208b4d8

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
96KB

MD5
ca98813ce122f56d89f5dcea8f4260bd

SHA1
8d7f4ba99a4d2b743f15eae2b0f0cb1c5f56924c

SHA256
08342c0e9abadffa067f043a05e8fa73eb007e62156852aec1b0ac606807dceb

SHA512
2ef2f1f6ab70eaca08a1b4d8764d9a69514b0b8c220fcb8861ece0611000724f86f0d02806d6d0770aa02c702fee8942be10452c2bdf8ec612e294d8cfeb3c89

Download Submit
C:\Windows\SysWOW64\Mjcngpjh.exe

Filesize
96KB

MD5
d08384f81dff7697cccb3a69c911929e

SHA1
0a666d9ce2ad436873ac43c21e089a4b9c94bbb9

SHA256
0028c68de838de76c7fd6ec0ea1a8d9ffe44f800ef59ceaed9b5a0f2fff12375

SHA512
053fc1e865a6129eb0214bbf1d4d4a53fa45fefde1742aa12d7c48c443262ca5d901d80e12e037214bc5a4cd13aa76a138fd2dec8748a31a3b764cf4133b64de

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
96KB

MD5
e565e1f25ea0f961a486eb91a0628c86

SHA1
9bcd0a576b9a027c2640f466131be271a2c61203

SHA256
115037643eec4144d90dc602f2b5207127beaef7bb1334043ad96400fbb3e13c

SHA512
37b3d48a6e8d23df18acaf7802ca387af8344e99df09048a6124481e3ce0f5f3698b5d00dcc79516d8f7a134b531fe4aeba0a7d91fa270c127cac76d1edc7d4d

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
96KB

MD5
2951411177528b0a5ce5ee75f8b64275

SHA1
3231d3147b627a00c4e7ffddea85058ba8aab9ff

SHA256
7a95008eb15d643ea376d2396a668970995524a8c80d657d39d2d98d5fd2c7b0

SHA512
170c352d3450145e640fa437c89a7c4013835152f8e62143b18f224a2c6bd700c61e357213db2d6d17150ffbe6113c160b8d81957a6d775f9dc2c033d47367ff

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
96KB

MD5
a328920d876b07b891e191e2045d033b

SHA1
fafaaa9aa3bca448fdd0f95a65a664c0c67873b6

SHA256
12eb75b168d006930f4bab4ab8e3f229df565afe2ea313b250a7ef363fa472e5

SHA512
9fb191c28d98f239bbb6216bf73515ccd339899c1e9e212a575bbc46e2e622320001011f1842b1e0521a7160c2604d9c736767bba800008634f5d384881d36d3

Download Submit
C:\Windows\SysWOW64\Nckkfp32.exe

Filesize
96KB

MD5
c5ff485e2ec61caa857c9842497abd4b

SHA1
b6129f83dd93bd81b66c1f12358513b2962e23d1

SHA256
ab679ec64e6d068347e22fe60bcbfe3edad99b38e74072c1aeb8a8df5012ef55

SHA512
f325928e946276f99a475537fae7a8a6546c20d3ebd6f9f9c62555666b99a1b9e96798bd864ba2157ce309e12c26f388da423b433265b59bd09c05c7bee6ee0a

Download Submit
C:\Windows\SysWOW64\Ncmhko32.exe

Filesize
96KB

MD5
c841fc8a6a7b4a7ea23a0086c923f2fe

SHA1
68d31b04861046ee67a8f67172d9198875b205a2

SHA256
ae8ca5d377f08d1f18ed18a1d05534922f213e0dae7ffca2f40d58aa06049759

SHA512
a049929c0f9ddfc4023460858ef1747a64393b497ef319a7770931d815018b47e7aefe4b9a875f034937fc782449632b44117982caa71d6415354ffc77731ccc

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
96KB

MD5
bd2ccef93799023a1bdc425dcf0d2de0

SHA1
ac8423d10d58ff89309367d27898a1edbce07c78

SHA256
7f8dcae7272016dde6f77fc01220b78ac15890ba395b996c8b6c3c89f809ddfc

SHA512
37231909efa606b525ab0196a126bcbf5cbb9675d52eda77d132389c8540d0fbf2f31ae8a1605503f8d60a5315f5d5ad910259041171ca383dc44859cb6d1648

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
96KB

MD5
eac9387515f6fe92ac7b8d7c2847ddca

SHA1
c9c67112fc6870e70c0ec8a0b1d886e57d7dc29f

SHA256
1c18edb30ffee4a86f68e663f5db87ca4f36c6b5d6735bc740e712995f56a133

SHA512
b8353048f4cee3a6a6ed73023daf7394be2eb49c4c77675fde0598ce33f42079d2485e4df5f6953f620b5a02a5355b2bfad167427da6dbc496dd73f9359b432b

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
96KB

MD5
5a44f473a796c194814dfb6e47a495a4

SHA1
118cdfb9cca93410779649e9bac94563b8dc4762

SHA256
1526e06c341c3ec8fd5cb995e27f6dae7efa5859ef8aa53b66b8ddee0b2f3c07

SHA512
1f44a1c5fa5563e836e8ec196f421ab60756cbbf94d18dd8064344613304062201480af50f9910b014cc734c5ed264423862bb7fd151e5fbe02a859ad285ba66

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
96KB

MD5
476b9f03f37cb8b7fe80e043ca6cc75f

SHA1
536bcf3938fbe912ee4be491238523f1d09afe0f

SHA256
cae698ba60fe2d62a5f36a952e760d26b1dd80e85d2e6b3d0b8496db275d250b

SHA512
1c2bdc72d43b8b3a67ebccb75b6f6918faa26c2bb8492579375008c2513a2dbf197f16a57eccfedbe9fafb870fd57ee55175ae3d6fd1d5d9314f98705ecafa2d

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
96KB

MD5
572f5f6ca4cdb58804a136d2394d43ed

SHA1
395dd628da3ad6b8b8af26d4dbfb55d7673f5d6b

SHA256
66cb52a43e4ad17dd495eed02d551618c52859f9be15af94a454455320f16348

SHA512
a5f66eaddd0a5aa304d74a90cab50e82a0f6e435f1bd87534cd5e846d359bc9b426cf643b289c49fc29138a71e3538e972e1ffcae45770fb912c8f8d4794785a

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
96KB

MD5
dd2d644bbd2b4ee972954c269531fc46

SHA1
eff25c4eef23499fd4d0884b8691eacff36a9780

SHA256
598a6063df4b042a021083e570e82cc87c2cc7a3b4953eb26aedd84f7550aad5

SHA512
c441af92b5a3c124e42275f35b3502a0fe4ea243e617bf3e276e4f1ab350a5c2d88ee95fa77e2aa2b72422bedd354062c4154c7f569cd3394c153e7a33acd71b

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
96KB

MD5
a8b83d4838e508af8aa7c4f1fa1f67b1

SHA1
b445ae9123abffe764a58772b3ef2232ff0c0d70

SHA256
f09b0e77e8ecde67d0fa03486bdab6dea6d24adcdd1ad5e24599ed9dd05757a4

SHA512
6d1d677826ee0afdeb9634b08d9df69196581ccec0e87b4d6dddc82b2ea269eb9c22b641cfe48c4aab1e4d91aa71df5eb04ef1515c1fbc00b0d0e545b8cc6b06

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
96KB

MD5
f446ee2137e8cf2f0bc8700ee72ba9fb

SHA1
4c7cc164e2d5662ed34922f8b7b74aaf1ae2300e

SHA256
09c0cfa48cdcc6dfc00d5f5ea6dd7484266219c6b164f9e167327ed6a3d9a094

SHA512
acfca6ee84128192c3734ae8e87d57b4f043a51bbbef5b0e9759e7d8b67b093d4d9aa123dfe64be3c94c381815b529985aed31d6d67dce62ce60855d76d9f7fa

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
96KB

MD5
008e175a7eb253e9d2fc987a2c4fd809

SHA1
710ee7219a5b2ef57bc3851ada5cc9d6fbea0b39

SHA256
032fdd49b3bb665f0748d27329a3f8e4447c1cf6588df29c21a147c619165a33

SHA512
497f2a38a08c2ddaec5e0b95745386ee2f483c50f71b0f8a76fab6b032754f644ec451632a69f9aed3472a56561dc9682f29243192acafae7eb6dcd6f4691b90

Download Submit
C:\Windows\SysWOW64\Nofefp32.exe

Filesize
96KB

MD5
bcf4bab3b023e1ba8b8e3fed47ef05b7

SHA1
33b60c8d4cd8d86ef8e868a77173458b2445916c

SHA256
abf694560886ee0ce65e883612a6f884ae7d763da77fb7617440bf35964a3cf2

SHA512
d8293d57cd8a77cdd3ca54c4681b8abd09497d1814dbf08d17710d89a82d3a80527992faa9a7ef6f95653d06513a58fc6986a793cabb1555440f0ae084f0d19c

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
96KB

MD5
b9e3255ed53ef3c52fb54bbaf57a8378

SHA1
25b1c74a92973601303a210a1a59ededc109e568

SHA256
2a3f9123363e8c9fb916904eb32f6fa415a72e0724a7940cd9c0a1901917988d

SHA512
63bfe45a9933208b39488d97af46cfb5b3f6362a06223094c54810a26536e7a67284e5de9954a73d6c9807404c6c9efed0637b95e71da42f7bf2eab918d4e227

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
96KB

MD5
d41af36153952a982a4521b1d87afc91

SHA1
87553aa4ce0ae564add1f3155fc00ac8cb63a257

SHA256
5e9f12011d298e46badc03f1e6aabf5740d044586be3b54b2ed7fc1c8edfeaab

SHA512
581a87a20e6f5e580cb82744cd979eda48c03b8f3d9eff2eedb407668021e79fa03525d8e8636e70e091b248f859a6bd326b6c309694c663f1a9590388b0fe49

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
96KB

MD5
b1690c37bb7e617be30f7f74a6fbd720

SHA1
69b45ff7d2c5b9a8c09fbd1e889aaa9c15e8201c

SHA256
f6f1d8d1dd1bdee2115b13c789455ddc2050bb3679e5bdcde39254270e688ac9

SHA512
1a3b307a75b10c9b9b2e26d07af7bb03c84f0608a84beecf36dc2927f16ed17de8e17f0622bdc7a30a092716fd33509820e47db46b56b6d22213bb950e947960

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
96KB

MD5
df09b3938b079c3a51d09ff0cebc5358

SHA1
19c1c311687eafee1e61d7993ebc5ec3e5161dfb

SHA256
18b10772b0ff5d802e37f51d2a3e2e6dd365ed5790ac4c4d6b8ed9ed207dd0e3

SHA512
5a4cb7bc6512a7859c04b6c28cdd62c72cbb12d8ca370b46afbe475302648963eac75781f4171e9b67caa73bd2eb509e525d1038efe898098774134f70d6a470

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
96KB

MD5
7447174ebd07878997dc22aadd548cd1

SHA1
b6d4d2363b6d5a52d3c60beca5df82d55b7058f4

SHA256
521db0abbdb6c085c0f9aadcf0e54611ebdfceefd90fed8712d1f6916fcf51e3

SHA512
5740b4cd880a0a6f80bffed157c500a94999f9938d6ca983ebc3bfcf282269893da00e7b032265c2fec4f0f632a2df23f1e8f21cf163b94d160a61e7979cd2b0

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
96KB

MD5
202cb4eaa32fc3c6acf6981e17cc5ac9

SHA1
db0845cf919e0e15f5731930bec9e7b273a8d6dc

SHA256
459d3eb46c5a70ff8d781a6a796e538cadbdab9a4cea1eef6c3aa8fdd54e0f3f

SHA512
d3d5b889f38b8993bb9af02e29ec8b4359a70ddd7843457f0721126daf1d5a28d84ef6638c087dde3a8bb2ff9cb710f4883390b32dac20e825ee9add381e5366

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
96KB

MD5
96eca77c6e41939aec23a5a03ea68346

SHA1
3572404378f33796a777afdd0dac4e2998842fe5

SHA256
350c08564064c1c0d231ca112d4d0cce192e67d1d9d29b926db2590cbfc1edaf

SHA512
7de2e6ce31faec211979724c0891279f04120a3bc2607c063811796d2f295c913a5f3a04fa784071d495d7748bcd32956d3db7f78b3dc1ea75164e080e080168

Download Submit
C:\Windows\SysWOW64\Obqhpfck.dll

Filesize
7KB

MD5
6777d40482f40ecc69af08b64f75f251

SHA1
d56614c781544c9b573aa470c7ce70a9eeb3ed16

SHA256
128ee2fba419214898443c81958539747303e30b60cb13b5ed9ef15281f42dde

SHA512
06a4641406bd95c55dd9b0653150762326c86356199404957d7e35835fbba9338c653b82c31f5b202292e2eead5ae7645962168b304d7093f18cd7155fe53b0e

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
96KB

MD5
910ff744088e9e666d666b2c55743b2a

SHA1
d27281396cfb6030b77af9588cd41504df8512b2

SHA256
e3cd2da2b5f8156effc9412874dc1b06671648fc14899765d8d3063de25f83ec

SHA512
71f644cfc7dec6d61d6c2bdfd6adb28a20b8fc6bb928022dc3f48d5457aef9df2602049412e64263db022eef6d8995394ebf90c023ec7c35616ea624102d9788

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
96KB

MD5
fb68b867442c7514c7e31e355c0898fd

SHA1
f8938bed559b9ded22cd1e25be742cff2544c727

SHA256
adcc4a8362353cfcb3e1aec337dbe4d280c41df0c696418ebc70d7a570c6a1ad

SHA512
4f14b2269e6b77ecf321103fec3a971d516e75c265112b53c407e525ad02250bc7fb6e1d168b3dd4015aceadfe930b842497c3a752fb0845b8c4877abf12b575

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
96KB

MD5
4d77fd56448d1c75382ff852b14eaec1

SHA1
71583ca948f43575c782b197e18e049e1ec83a17

SHA256
f07fb4363d83100a1c964096542ae05d6cdebf5ea02b2de7754b01d53bb59ae5

SHA512
5e3eab8a47fa8b716aecd2cbd79e754f7275b344b04941bd11a521468f0364f38274b897843820e663e3d2723bbc9a7f80c0f5919f86d7742ce26e9727e85136

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
96KB

MD5
29a98a3d6170ce7234556f7c0faea4bf

SHA1
e6e6e8fa3d64c8191fd725188ce418578bf6312a

SHA256
b99a7a3ee8a0a7e4425254ba4f8611aa560d44854dbe192a113cd82df341bf4b

SHA512
a371b91df3e2167b67cfc927f159578fec67816af28f8ce9d26dab8d1e4920310087287f0f1d67862121f2f02954bf62aa16ae047dce69ef424a4ff979510ebd

Download Submit
C:\Windows\SysWOW64\Ojemig32.exe

Filesize
96KB

MD5
1f8ae630a36083a6b0b6bac866073b1d

SHA1
d9471a248eaa2951867e65e0d75642f5528640d3

SHA256
dfdc49c9fd37bc1a1247ed3d986bb4a13711899591c89e4742db758231d429bb

SHA512
fcfd3629d2048ca892f589f49c512ddd6f37fccc6879b62d21f77b0fb4a4eb0949b74b6e3b4c1a6040000fc85df918466c2424a0ab675b7726327724317294ed

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
96KB

MD5
54e54fbd35c7d9b031d225e74951ed13

SHA1
b012669f8f2eb3d6feec218694f1a8aea3b2ac13

SHA256
2ab016e145a1b5c3bbc3a031cd6861abbf77d79a3fa445ad7402d4dedc32269d

SHA512
867f988c572c97a34b136c135a0900c0ea3ffe45b35804157f3b042f7213fdbfbe7df00612749e6753e1e55ab6925792c1badd834cd25f847c766acab680fb25

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
96KB

MD5
e5949ac3620658212d12346ca3eb0772

SHA1
1f8d7263d2f5255be8e1f056c6266431ec1cd220

SHA256
2142867876fde6cc9666de2525656318a5b40cfd43aa870a454d8c23c0fc4530

SHA512
837bd9a7463bcf4556a226688829de8e0920557a92814adb1dd22bc7b26b852506adda8183bc6dc8a7ee84eee545f525f272d35da5fb9526f80d5422f0e50abe

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
96KB

MD5
e16f667e4563dafb9d09a548da9802d9

SHA1
7520fc67e580caa638baa6191b13e52a07c4132d

SHA256
e6a45e0ef4fa758fcd6ef0adcb8e8c08016ff7a90f8a2f529310741e09c13ae9

SHA512
e23da5e2c45ae6b1c283b58901678130a3d7d3d6e8c5ba1361a67cb2da4a1aaceaa739008596825ab315836a680f1de569633e7c3147913704a7591acfac5eef

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
96KB

MD5
1fe34e9fc10facbc052593f047aeecac

SHA1
1e771a2915228a176bad4a063177b8ca546495c6

SHA256
ce9ec8581ac1923d32ccc6a2d321126cdc40d66b37d608b059ce32808dc5fa1d

SHA512
f07d8d82067b724193506c840ef548b52e5e26023204c5f76c4a0f73a56e1175eaff3e22dbd2455efedde0629ad7cb0c8686773243ebb10639148f511680fbe4

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
96KB

MD5
98c5aacee6086644d634ed8270995849

SHA1
e433286ea79e89e3ac1e960e07ed9b60295642c9

SHA256
03f6a3c88e55686a932f91cb4425b0d862c308a37ed6d0271c6c3cc368704f28

SHA512
18d4b40847a7afb8eac28434bc57d88bf6181320f63e1cdf2d889d4b7bc82928ef0868a9d6cc1b601ec63703f84983c4228703951b25cd85df381269494097ce

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
96KB

MD5
a883d02194a44c3bf2036f35907c2537

SHA1
021e806cc3e11af41a99885b39dcbc05eaa898df

SHA256
af0d67ba348a23329274a1539a47b7a77a60b8702184cf7acaa17b504885d554

SHA512
77b068c522226c362959159574700fe3dc2999cc1955b85c0fd9b8a0cf02186513056ec23a5f3a3d6ae56273706fcb5933fc9f24bec1b668ac570a0321a53a1b

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
96KB

MD5
eda54028e7da220aca2bd6b21cd02ad5

SHA1
2ee8ba3f34177893039df7edf807457b4889db1a

SHA256
b8ef1fefaf880549f4d00da0431d4b0dab5fa3c6d16a8379eab1d993bd61e929

SHA512
87f212907a945d9206d1660cff5fead7ff04211e08d49ddb803612e7445f7ce824d9c31b27239845bb9b1d9b069631db79d0a984585530fd175970ba27615d01

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
96KB

MD5
5ee94c51272bd246d5c1502644ebb1d4

SHA1
316dd8fc71f164e310f68011dbbdd73beca01641

SHA256
b8c3c86b7a298ab96659b6aca5a5794c3d1165a00d9823acddd0291f959084c5

SHA512
5fdece89a03d5e8af362a617062aeba4f7658952a273f90acc5ac536dda50e3a7befad0f8d834ba94eb786fe6457540a73a148a18faed66a81e75318bffd9950

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
96KB

MD5
bd137a236f3c19ce3038e49374d8ffdc

SHA1
e0cabb9539be33c8c3b4044d2478009b3a545791

SHA256
cded2a595abce7ad5f8a0b2ec5077e88e8b44e6783ccbb2d759a714351136ab8

SHA512
04b09230244e646260202a89da5e93830f2c1ae7a561938fc18fcad1b4adc9ddee1f8b2d2a8193dd2e98c1739a06db607ae93c08d04b811e3459ef89e5faaa0e

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
96KB

MD5
9b1e6a8453aa1230fdfeb29bf249b3c3

SHA1
6d8fbbdd8f4217b651a9cb0857b429674f8cd474

SHA256
56409d737f61eef8c18e0036d1746c16febc42195b649984977b1decabdb840e

SHA512
1e1f98741f0d2e3a88d4ae4308129883bd03103e08447e1cdf726478ba283bc77b6f120773099a99e11f0c98c77a71196219138ef6bdd0e30e1f001f4436ecb6

Download Submit
C:\Windows\SysWOW64\Pfagighf.exe

Filesize
96KB

MD5
483014a5868a8ecf86c32816737c47cc

SHA1
b5c1674b3a48f06f2ddb849b2b6e8fcb4f134573

SHA256
c15aa2fc758b82f5ba01be6e3e222eafb01b8b1dc1f978365b1b5de6d07847e1

SHA512
3e1c102bd88a2d2df070708252df9dfbaef8b76d0c886a43cb291149c64dd5819fed0e2a991ba661093d7e197be0d2c65f580652ffdf258aec13f6813640436a

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
96KB

MD5
2a031be3659aef7cf070b385b0cb2008

SHA1
0684800ae60abcac24ab5123546446cfb0c90512

SHA256
3fbc60b3ccb4a9975daab9113022db7a16e5c462b824497311d545719373a278

SHA512
bf15bb5b0eaac8e37c1a42098cea4729e59e5db002f4ef4c40e5a1e42dc1aa02db1f90a1fee4d8ac9b8f43961958bae2a80139f7a98ae1ae654ab0a6d45b78eb

Download Submit
C:\Windows\SysWOW64\Pjoppf32.exe

Filesize
96KB

MD5
d9726f57370a3c729de068fe1672f1df

SHA1
ed0cfe744a41a4b67504c8bde8689356f7e3a003

SHA256
b44e56ece975c865e06d7d8a16560ff72b6d8d5a3a816487d59bec504fab7c0e

SHA512
ba77a4a5724d17df0486503e074e9ff1d3b4dabef5e764c355fe8f7dd80d025f7c7aec0b8e654857b52d8cfdad052af563f3c13270f3d614e7b83692ffee5f57

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
96KB

MD5
1ba80f6f12a682bf461511108e433fde

SHA1
d06c2136f4a2fd2b4c473548acd3181837a886d4

SHA256
6f14c70408d7049f5bfe1ad0565f40cb280731bce0bd0e64d13bd9cac796691a

SHA512
f655ddefb1edd08bacc39d860b153fe858b3600fce11b502db6f82d03947ce4c541233aa9ea3f97101baf9061b07daa8044bc574e19b86f006901ab8856e5856

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
64KB

MD5
e570a1cb3e4b1ae92afe605642462cb7

SHA1
28aec22910564951ca89743a03f9c09f4d36f9dc

SHA256
22fc120f276675faa4fa1ad501f0ac59be315c01e0174198e0d056ed691de080

SHA512
cdb853aa0d81d74cff48d5c740763a30c67939e6fc0ed6b33931938f975339b48b2b8f3d40b304b8e615a1778346c457b4ff82fc01ee70ab3147aaf2b83b7039

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
96KB

MD5
2cf6c80f3982f8a1309760249e433675

SHA1
cc1fdfa0c12000e5a80ace8dd5bf6cd168b048e2

SHA256
8fc78926e3043826e9c8764d40b07cf7b2601b3b2fe00c2d61a4fd372d4dc09d

SHA512
659f44e6f01edfca0f64b2b9ba37554d4388632cc6f04241cfea1bf426b4a189e57f9f904898f03d67ce375094adeeda25c5a2e252b4a817d0f9a5a39ded174e

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
96KB

MD5
d05f09c19a3adc4beb5caa746f75255c

SHA1
622aaea5c7a954ed1e143906b37ef93dc837c1ca

SHA256
45ce217bbd80b289135af78b3a443f4e51267fe7ebb1a76ea5e4f58d1612d9d7

SHA512
1d8d4a304f3710780380b8c9f3f18e46da829644eba168c88179353a73e897f6adb05974b8a7a777ea1770ec6bfc54d257f18cad99cd310e4bf214c693a33d83

Download Submit
memory/336-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/352-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/412-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/628-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/676-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/776-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/976-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1420-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-211-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1568-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1596-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1688-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1692-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1756-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1760-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1764-559-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2064-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2484-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2632-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2736-587-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2752-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2856-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2980-570-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3164-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3256-584-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3296-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3296-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3328-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3360-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3524-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3588-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3664-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3696-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3712-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4012-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4076-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4188-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4224-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4268-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4304-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4452-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4604-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4612-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4688-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4780-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4816-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4816-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4904-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4904-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5088-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5088-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5148-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5148-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5176-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5184-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5204-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5212-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5272-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5320-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5324-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5364-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5404-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5616-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5676-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5712-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5756-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5764-524-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5828-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5844-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5868-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5972-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6008-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6008-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6016-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6040-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads