berbew | a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4f

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4fN.exe
Size

96KB
MD5

03acd51ffbb06ea9de7038672fdd37c0
SHA1

6817636c4ac0cacdfb37341539904bb7e7f5dcb7
SHA256

a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4f
SHA512

02ee2c32581d36ae068da8ded9872c43218b7263f49ebb05fb76448aaf8ae20adcbcd7fde300ec604af93f9a0dcd8d44b524eeace8565c0f924ccd0c80a0d60b
SSDEEP

1536:/DGNPRB6kSWRX6VgfdAEyd2LsH7RZObZUUWaegPYA:ORQERWbEF2ClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Anmjcieo.exeJfaedkdp.exeKemhff32.exeLingibiq.exeOqfdnhfk.exePcncpbmd.exeQgcbgo32.exeJlbgha32.exeNpmagine.exeNnqbanmo.exeOfnckp32.exeOdocigqg.exeAadifclh.exeBjmnoi32.exeBaicac32.exeKdnidn32.exeKmfmmcbo.exeLikjcbkc.exeBmbplc32.exeBjfaeh32.exeAqkgpedc.exeCmnpgb32.exeDaekdooc.exeLbdolh32.exePggbkagp.exePmidog32.exeNebdoa32.exeOflgep32.exeOjaelm32.exePdmpje32.exeDdmaok32.exeLbjlfi32.exeLdoaklml.exeMlampmdo.exeDfiafg32.exeDeokon32.exeAgeolo32.exeCagobalc.exeLgokmgjm.exeJcgbco32.exeLekehdgp.exeBhhdil32.exeAgoabn32.exeLeihbeib.exeOlmeci32.exeAmbgef32.exeCjkjpgfi.exeLdanqkki.exeMelnob32.exePgllfp32.exeBjagjhnc.exeJbhfjljd.exeKibgmdcn.exeLljfpnjg.exePgnilpah.exeCnnlaehj.exeNcdgcf32.exeNgdmod32.exePmannhhj.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Jpgmha32.exeJfaedkdp.exeJioaqfcc.exeJcefno32.exeJbhfjljd.exeJianff32.exeJlpkba32.exeJcgbco32.exeJehokgge.exeJlbgha32.exeJcioiood.exeJeklag32.exeJmbdbd32.exeJcllonma.exeKemhff32.exeKmdqgd32.exeKdnidn32.exeKepelfam.exeKmfmmcbo.exeKdqejn32.exeKebbafoj.exeKlljnp32.exeKbfbkj32.exeKipkhdeq.exeKlngdpdd.exeKdeoemeg.exeKfckahdj.exeKibgmdcn.exeKlqcioba.exeKplpjn32.exeLbjlfi32.exeLeihbeib.exeLmppcbjd.exeLdjhpl32.exeLfhdlh32.exeLekehdgp.exeLlemdo32.exeLdleel32.exeLfkaag32.exeLiimncmf.exeLlgjjnlj.exeLdoaklml.exeLikjcbkc.exeLljfpnjg.exeLdanqkki.exeLbdolh32.exeLgokmgjm.exeLingibiq.exeLllcen32.exeLphoelqn.exeMbfkbhpa.exeMgagbf32.exeMmlpoqpg.exeMpjlklok.exeMdehlk32.exeMgddhf32.exeMibpda32.exeMlampmdo.exeMdhdajea.exeMiemjaci.exeMlcifmbl.exeMdjagjco.exeMgimcebb.exeMelnob32.exe

pid	Process
3492	Jpgmha32.exe
3552	Jfaedkdp.exe
1636	Jioaqfcc.exe
3132	Jcefno32.exe
4644	Jbhfjljd.exe
3844	Jianff32.exe
1096	Jlpkba32.exe
628	Jcgbco32.exe
1860	Jehokgge.exe
4212	Jlbgha32.exe
2016	Jcioiood.exe
1252	Jeklag32.exe
4440	Jmbdbd32.exe
3724	Jcllonma.exe
4736	Kemhff32.exe
740	Kmdqgd32.exe
2588	Kdnidn32.exe
3028	Kepelfam.exe
3620	Kmfmmcbo.exe
1848	Kdqejn32.exe
2332	Kebbafoj.exe
3652	Klljnp32.exe
1528	Kbfbkj32.exe
960	Kipkhdeq.exe
4224	Klngdpdd.exe
3984	Kdeoemeg.exe
4596	Kfckahdj.exe
3680	Kibgmdcn.exe
3040	Klqcioba.exe
1744	Kplpjn32.exe
2164	Lbjlfi32.exe
2424	Leihbeib.exe
2248	Lmppcbjd.exe
2452	Ldjhpl32.exe
1516	Lfhdlh32.exe
4444	Lekehdgp.exe
3240	Llemdo32.exe
768	Ldleel32.exe
3928	Lfkaag32.exe
696	Liimncmf.exe
3996	Llgjjnlj.exe
2940	Ldoaklml.exe
3012	Likjcbkc.exe
2356	Lljfpnjg.exe
1404	Ldanqkki.exe
1100	Lbdolh32.exe
3840	Lgokmgjm.exe
1464	Lingibiq.exe
3168	Lllcen32.exe
2956	Lphoelqn.exe
2372	Mbfkbhpa.exe
4856	Mgagbf32.exe
452	Mmlpoqpg.exe
3212	Mpjlklok.exe
2952	Mdehlk32.exe
400	Mgddhf32.exe
1432	Mibpda32.exe
2704	Mlampmdo.exe
2112	Mdhdajea.exe
4780	Miemjaci.exe
4536	Mlcifmbl.exe
2764	Mdjagjco.exe
4004	Mgimcebb.exe
3152	Melnob32.exe

Drops file in System32 directory 64 IoCs

Processes:

Jfaedkdp.exeJehokgge.exeOdkjng32.exeKmfmmcbo.exeMbfkbhpa.exeMiemjaci.exeOnjegled.exeKdnidn32.exeOcdqjceo.exePgllfp32.exeCjpckf32.exeDopigd32.exeDddhpjof.exeJlbgha32.exeLdjhpl32.exeLlgjjnlj.exeLljfpnjg.exeMlhbal32.exeOcbddc32.exeKfckahdj.exeMmbfpp32.exeQnjnnj32.exeCfmajipb.exeKebbafoj.exeLbdolh32.exeNpmagine.exePggbkagp.exePcncpbmd.exeCnnlaehj.exeJcioiood.exePdmpje32.exeAadifclh.exeDeagdn32.exeKdeoemeg.exeLmppcbjd.exeMdehlk32.exeNnneknob.exeQfcfml32.exeKepelfam.exeLbjlfi32.exeMgagbf32.exePfhfan32.exeBeglgani.exeCdfkolkf.exeOlhlhjpd.exePjjhbl32.exeQqijje32.exeDaekdooc.exeJcgbco32.exeMpjlklok.exeNgdmod32.exePgefeajb.exeAfhohlbj.exeDeokon32.exeLekehdgp.exeOflgep32.exePnakhkol.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Fllifblf.dll	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jehokgge.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Kdqejn32.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Flpafo32.dll	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Jcioiood.exe	Jlbgha32.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Klljnp32.exe	Kebbafoj.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Jeklag32.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Leihbeib.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Jehokgge.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Jlbgha32.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
7348	7212	WerFault.exe	292

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cfbkeh32.exeKmfmmcbo.exeOjgbfocc.exeQgqeappe.exeBnbmefbg.exeCfmajipb.exea3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4fN.exeMgagbf32.exeAqppkd32.exeBmbplc32.exeJcefno32.exePjeoglgc.exeAeniabfd.exeAgoabn32.exeJianff32.exeLljfpnjg.exeNloiakho.exeAfhohlbj.exeNnjlpo32.exePcncpbmd.exeQfcfml32.exeKfckahdj.exeLfkaag32.exeLiimncmf.exeLdanqkki.exeNilcjp32.exeCalhnpgn.exeMdehlk32.exeOdkjng32.exeOlmeci32.exePdfjifjo.exeAclpap32.exeBanllbdn.exeBcoenmao.exeCdfkolkf.exeJcgbco32.exeMmbfpp32.exeNgdmod32.exeOjllan32.exeBfhhoi32.exeCmnpgb32.exeDfiafg32.exeJbhfjljd.exeMnebeogl.exeOflgep32.exeQcgffqei.exeCaebma32.exeNebdoa32.exeQqfmde32.exeBjagjhnc.exeDfknkg32.exeKdqejn32.exeLphoelqn.exeMpjlklok.exeOdocigqg.exePncgmkmj.exePmoahijl.exeAnadoi32.exeAcnlgp32.exeJcioiood.exeLingibiq.exeMelnob32.exeNnneknob.exeOddmdf32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcefno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe

Modifies registry class 64 IoCs

Processes:

Nnqbanmo.exeQgqeappe.exeAqkgpedc.exeCnffqf32.exeDfknkg32.exeMcpnhfhf.exeMpjlklok.exeNpfkgjdn.exePmoahijl.exePmfhig32.exeQfcfml32.exeCalhnpgn.exeKdnidn32.exeMlcifmbl.exeQnhahj32.exeAnadoi32.exeBeglgani.exeLljfpnjg.exePmidog32.exePfaigm32.exeAcnlgp32.exeCagobalc.exeNpmagine.exeNcfdie32.exeOflgep32.exePqbdjfln.exeLbdolh32.exeLfkaag32.exeMgagbf32.exeCmgjgcgo.exeDfiafg32.exeLdleel32.exeMgimcebb.exeNnneknob.exeBjagjhnc.exeBfhhoi32.exeKbfbkj32.exeMlampmdo.exePfhfan32.exeQqijje32.exeQffbbldm.exeJcefno32.exeJeklag32.exeLllcen32.exeMelnob32.exeNeeqea32.exeNloiakho.exeAfjlnk32.exeJcioiood.exeMmlpoqpg.exeOjllan32.exePnakhkol.exeBmbplc32.exeJianff32.exeLeihbeib.exeLekehdgp.exeLgokmgjm.exeAqppkd32.exeKplpjn32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcefno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jianff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4fN.exeJpgmha32.exeJfaedkdp.exeJioaqfcc.exeJcefno32.exeJbhfjljd.exeJianff32.exeJlpkba32.exeJcgbco32.exeJehokgge.exeJlbgha32.exeJcioiood.exeJeklag32.exeJmbdbd32.exeJcllonma.exeKemhff32.exeKmdqgd32.exeKdnidn32.exeKepelfam.exeKmfmmcbo.exeKdqejn32.exeKebbafoj.exe

description	pid	Process	procid_target
PID 1872 wrote to memory of 3492	1872	a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4fN.exe	84
PID 1872 wrote to memory of 3492	1872	a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4fN.exe	84
PID 1872 wrote to memory of 3492	1872	a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4fN.exe	84
PID 3492 wrote to memory of 3552	3492	Jpgmha32.exe	85
PID 3492 wrote to memory of 3552	3492	Jpgmha32.exe	85
PID 3492 wrote to memory of 3552	3492	Jpgmha32.exe	85
PID 3552 wrote to memory of 1636	3552	Jfaedkdp.exe	86
PID 3552 wrote to memory of 1636	3552	Jfaedkdp.exe	86
PID 3552 wrote to memory of 1636	3552	Jfaedkdp.exe	86
PID 1636 wrote to memory of 3132	1636	Jioaqfcc.exe	87
PID 1636 wrote to memory of 3132	1636	Jioaqfcc.exe	87
PID 1636 wrote to memory of 3132	1636	Jioaqfcc.exe	87
PID 3132 wrote to memory of 4644	3132	Jcefno32.exe	88
PID 3132 wrote to memory of 4644	3132	Jcefno32.exe	88
PID 3132 wrote to memory of 4644	3132	Jcefno32.exe	88
PID 4644 wrote to memory of 3844	4644	Jbhfjljd.exe	89
PID 4644 wrote to memory of 3844	4644	Jbhfjljd.exe	89
PID 4644 wrote to memory of 3844	4644	Jbhfjljd.exe	89
PID 3844 wrote to memory of 1096	3844	Jianff32.exe	90
PID 3844 wrote to memory of 1096	3844	Jianff32.exe	90
PID 3844 wrote to memory of 1096	3844	Jianff32.exe	90
PID 1096 wrote to memory of 628	1096	Jlpkba32.exe	91
PID 1096 wrote to memory of 628	1096	Jlpkba32.exe	91
PID 1096 wrote to memory of 628	1096	Jlpkba32.exe	91
PID 628 wrote to memory of 1860	628	Jcgbco32.exe	92
PID 628 wrote to memory of 1860	628	Jcgbco32.exe	92
PID 628 wrote to memory of 1860	628	Jcgbco32.exe	92
PID 1860 wrote to memory of 4212	1860	Jehokgge.exe	94
PID 1860 wrote to memory of 4212	1860	Jehokgge.exe	94
PID 1860 wrote to memory of 4212	1860	Jehokgge.exe	94
PID 4212 wrote to memory of 2016	4212	Jlbgha32.exe	95
PID 4212 wrote to memory of 2016	4212	Jlbgha32.exe	95
PID 4212 wrote to memory of 2016	4212	Jlbgha32.exe	95
PID 2016 wrote to memory of 1252	2016	Jcioiood.exe	96
PID 2016 wrote to memory of 1252	2016	Jcioiood.exe	96
PID 2016 wrote to memory of 1252	2016	Jcioiood.exe	96
PID 1252 wrote to memory of 4440	1252	Jeklag32.exe	97
PID 1252 wrote to memory of 4440	1252	Jeklag32.exe	97
PID 1252 wrote to memory of 4440	1252	Jeklag32.exe	97
PID 4440 wrote to memory of 3724	4440	Jmbdbd32.exe	98
PID 4440 wrote to memory of 3724	4440	Jmbdbd32.exe	98
PID 4440 wrote to memory of 3724	4440	Jmbdbd32.exe	98
PID 3724 wrote to memory of 4736	3724	Jcllonma.exe	99
PID 3724 wrote to memory of 4736	3724	Jcllonma.exe	99
PID 3724 wrote to memory of 4736	3724	Jcllonma.exe	99
PID 4736 wrote to memory of 740	4736	Kemhff32.exe	100
PID 4736 wrote to memory of 740	4736	Kemhff32.exe	100
PID 4736 wrote to memory of 740	4736	Kemhff32.exe	100
PID 740 wrote to memory of 2588	740	Kmdqgd32.exe	102
PID 740 wrote to memory of 2588	740	Kmdqgd32.exe	102
PID 740 wrote to memory of 2588	740	Kmdqgd32.exe	102
PID 2588 wrote to memory of 3028	2588	Kdnidn32.exe	103
PID 2588 wrote to memory of 3028	2588	Kdnidn32.exe	103
PID 2588 wrote to memory of 3028	2588	Kdnidn32.exe	103
PID 3028 wrote to memory of 3620	3028	Kepelfam.exe	104
PID 3028 wrote to memory of 3620	3028	Kepelfam.exe	104
PID 3028 wrote to memory of 3620	3028	Kepelfam.exe	104
PID 3620 wrote to memory of 1848	3620	Kmfmmcbo.exe	105
PID 3620 wrote to memory of 1848	3620	Kmfmmcbo.exe	105
PID 3620 wrote to memory of 1848	3620	Kmfmmcbo.exe	105
PID 1848 wrote to memory of 2332	1848	Kdqejn32.exe	106
PID 1848 wrote to memory of 2332	1848	Kdqejn32.exe	106
PID 1848 wrote to memory of 2332	1848	Kdqejn32.exe	106
PID 2332 wrote to memory of 3652	2332	Kebbafoj.exe	107

C:\Users\Admin\AppData\Local\Temp\a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4fN.exe
"C:\Users\Admin\AppData\Local\Temp\a3f047813b67f6b1688aa706a9da4da9e8206e1ad7bd8031d1b010b899bd1e4fN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\Jpgmha32.exe
  C:\Windows\system32\Jpgmha32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\Jfaedkdp.exe
    C:\Windows\system32\Jfaedkdp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\Jioaqfcc.exe
      C:\Windows\system32\Jioaqfcc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
      - C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        23⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        25⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        26⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        30⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        36⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        38⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        57⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        58⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        60⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        63⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        67⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        68⤵
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        69⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        71⤵
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        72⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        73⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        75⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        76⤵
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4788
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        80⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        81⤵
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        82⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        84⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        92⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        93⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        94⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        96⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        97⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        102⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        103⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        104⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        107⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        108⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        112⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        114⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        116⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        120⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        122⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        124⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        125⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        128⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        131⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        133⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        134⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        135⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        137⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        144⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        147⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        151⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        153⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        154⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        156⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6972
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        158⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        162⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        163⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        167⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:6628
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6700
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6840
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        173⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6980
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7044
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        176⤵
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        178⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:6384
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        180⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        183⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6832
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7056
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        186⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        189⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6960
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7144
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        193⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        194⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        195⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        196⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        198⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        200⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        201⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        202⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        203⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7212 -s 396
        204⤵
        Program crash
        
        PID:7348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7212 -ip 7212
1⤵
PID:7280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
437bdfa48f37d21e5dd104d7554d830e

SHA1
e51dd77c6743627e32fe676a3ca22a9ee20bbd76

SHA256
a06ff977e99e6eb2162e33eae9cd2b82be70943f8a75e66386a985e264d5b7a3

SHA512
5de8be80e83a26f0fc6269dfcd98c8bec3929103f3c710e32364724c1ad4cfbf0b039e5412abb6e95941303d5661a8f84a04aa5a17ffea7a3fae9dd89ab9627f

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
3c8ad829e54d935c7696f1f3d920ecec

SHA1
55aecd8d4d2e8640ee136a03c11e30dde576c204

SHA256
301c978f14f0540625511332a8bdb2e3818845854c202674ecde8a3eaee19abd

SHA512
ad5fbec7fb186cdf8ea52e31713935abcfc4641a2fab3bc79d80475907d1c7d066dd008827fa5fcc13514769f2114b392c302076a57362d2473219b598c61abe

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
96KB

MD5
d868097eda79cba6eeea02c4ad45eb5d

SHA1
292c7ee228fd37e6e2d8316416780e3c5bc6d5e2

SHA256
638cdaab48e1b714da7e260bb4612b3a4470cd349e257b63e2c2518728105fea

SHA512
8975c27d5f84ea4cbb55531e96580823f359a4b0549e6fea5d9e1c4eb8bb6254c68104f25b250907601f5c92da98cb9094a85a18317adf02a927b4e03bafc9d3

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
03bc1931546ca916962a8f3973083e7b

SHA1
8f5c278a95281a7655c78bffdc071791660ee350

SHA256
fc0f0a017feb14cd7ab146023faa3f172164eb80fa8aac57ff64abf9e0ecc7b7

SHA512
9ffe04f8df78bb32e239b187cf2936d4758b922a904b0568b12b95b37b783557769238f492daadaf0d2dd7aae9c46b281bb8722950070bba72514e50e1d4f2e3

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
febf44fcffa3c327a1eaf9578a9b5364

SHA1
42409be61c3ef89341694a0f1ab0621f865dfeba

SHA256
cb39f91df47f6504b152b6d001aaa5bc88b61d099b83c708c1e694e33bb4b752

SHA512
8e10b8c90df083579588ff219990e648c5b381969e9d497e8ccee4431eb88c5117beb95457bb511643a40437e81cb8b6b17c889d63954393f722f32e2d78f4ff

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
96KB

MD5
c93d9eb5d59a6b4a6bda15b3e9597148

SHA1
85e6ab460d46bf0f14de6bbd14a63005e07da66f

SHA256
5a6dd4f0c36c3dd6a8cd4fc1434cc27e692cf458dcc0804954e1911dc6e5c08d

SHA512
d07f748e6e05d454bd1f5d64aa0737752c76d6f0a77f9364e510a90658e13236c64f206c581d1addf5297c2d195ec0a72c0f972cbb9a692c9bf8464e89a14c46

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
96KB

MD5
a2cd11f7e8632a36b0fbb2caad27809f

SHA1
8b23d48d3f086fec68457de8a6eb8c0130184489

SHA256
46d833e09c83667966318c78464281cce076ce7b5e3ac0f2b7dff0e4cfb45db2

SHA512
185dcb5d7aab22fd9c7c2fbc2847ebb520663abee9654f84ebb75c673d2fcf9ed9b1f32021ffdfc6313e29d64741e8ea90ad7f6c1a194bc0c5b2817d36ba2706

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
96KB

MD5
1b3a4d4d5c46da25295e59a1e98beef0

SHA1
63e919ba1eb6bfba690283a67d385f9494460e01

SHA256
184cb17015b8cd6770a4395da320c9abde531628319317d3e07ffe9c229a4fc4

SHA512
97e4fd900357eb3bc202d20d55e63ae9fe0e726b5b20812b1d12c4d0601976504411ec48cedc470b54eefa008f4f79ad1c87006a1e2424f5e2189c0cae5a4d11

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
96KB

MD5
a1d821c4f5036884060f931dc4320eb6

SHA1
6c3b4d39beaf3045da343f24a570252cbe6861f6

SHA256
df68316b4beb6cd99e91ee0e439fa8c0a7b5f4b698dc96eefd5762bfffaa1a57

SHA512
136ab4476b8b86793d37f1b7ab37979575225df3c921332df7b68c72c280f6eef88afdb9e7052ad06f4f4768b5e913206a8df331bf76fb391b9a6d667d7364bc

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
96KB

MD5
6196e0f6b9bd5373257b5d3ea3c88e7e

SHA1
1f7829e6f47365b708eced0bf739860493f6ded6

SHA256
78108b41948de0fcb8b968b39477c199cc85ec091ebb559bbddd7bf8ce702e68

SHA512
19c36b01750bb184ad3adbcc0938e8a3aa3ac348e9dadd2150b80af6522c0e7b2a54cda726afff2c6e333a07ca9c922925f01be9aca941dc8c2951b4274172f7

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
96KB

MD5
c964ea97b41331026204ea290e511087

SHA1
e2e49917747b0d9625f18790877414da683addbf

SHA256
60e463a59a2e0446e8fb34d942a7289c535b30094d752e12ff2353a95102258d

SHA512
9738dd1d43d6161a6ca673c08c58a70ae241b1c6b96037ee3c4e143b514d5da3090fe8eadcc850d3244766eeb38e79c89cf12374ba6c4af1755105c80fb58c48

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
96KB

MD5
21468bcb3e458117bcc0a465d176d9ae

SHA1
8050ed435d337ac5863a2e001218826a7f5ae8dc

SHA256
be3b6770baedef62979f83a844dd7aa471cf4634b395bf97c1c8da99aa6856cc

SHA512
ce61072b28685045f63b40cf4fafff64f06fb9dd4bd5a581994d4ab5470e98d6d2b3a021096b89161b7862a09f39d5bddc08843f3b67a65e0b292b067b1bc4a4

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
96KB

MD5
b040544ad770883318543fe1748f9924

SHA1
d7315b274bf792175af385a7afe05478164b6719

SHA256
387028b06c4d933c165e994954a41189709f327ad1ca9d710450a7e290229984

SHA512
f9f7665796a061573eb0fdbc37aca6cccd957b26a680add74f17a3dd9d69191c823afefee0d0a172e076021ca0e66b65a9b05f558239f41844acdc769eab96b7

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
96KB

MD5
91317404a807a4c4e4b3e32a53229aa3

SHA1
425edc998f501c04de5193e186c7d5a9364dbc59

SHA256
e9c58aa5dd26310894f4f4f438dfdc209df4fa3a24b06ed766b36b077156bf72

SHA512
e8e5c46e81b7e38ab38f2ea4939be5ec4bdbe391a7b5c63cf0336601285824175482b33d5e74eff4337946411c1205387b3b636fcdd54e3518b9d59e02bb45c9

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
96KB

MD5
180158e76af1f37cfe6c4f44e8ed4fe3

SHA1
a72c3f8fe083865f31ce351278c7ae59ccf29e17

SHA256
005064860a39df86c75ee97544b8d45f2375bb40d5acf7a9172cb01b8f7e1bbc

SHA512
26706a05c5b1c1296696d32834978f560a0352e83021c9221e314bc13cf66e764083f442f11d4756057044fba5c32352c1b42d34109e3a72347b07cfd35b18f7

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
96KB

MD5
a135bc5c10a919069cb251055d0cc09d

SHA1
a068b248f87a4464f5adfbef9c8031b613c7d371

SHA256
ef6a028e98f248d6ee16b9a660adf86625281568d984851bd9bac64fd74a181a

SHA512
241c67eb1f6c9addd221f455e7857f3e315b94854a6eb0b5b11b33fd47f55fc52871d2331036f18f2b12134b02c2883cc452154252e07679bc15631b73289b70

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
96KB

MD5
72384e3c0b78642a6ebe533734e2e3f0

SHA1
6b8be2b2bc2437c72c5c6c2c1dec88af6202f8e1

SHA256
c913d6c858a96b7d5fe5f5be1733019dd2c86baf6194eca7af156cc4d37a6a8c

SHA512
558f1e16172a5dbc106a3244a79cf22f5602178a099a6c41a09e917f17d4d668d75fba49eee9eb9472063212a76f59d491220772ffa872c4e16fa822509f84da

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
96KB

MD5
e3baa034d04cdaf5ee1f6f264acf4a8f

SHA1
ea37770e39acdd772912baf1c8540e7584ae65bb

SHA256
5c793ad4b4e594aace71ed0151b5e7c07a3d4c199f465f9ae86e2d2d90ebb14d

SHA512
43bd38df221a329f52297c0d9035e971ff9bb6c1d470357b184516feceb1bcd25c41d121b15ac758d543e4c9cec7774e06b38dd9e36ba9d662ae19eb9cfa59a1

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
96KB

MD5
6586b581df4e6e43c13f3bcddb7ba8dc

SHA1
13bfd2ac7f48135e0da566221cbea1b9ec9f4750

SHA256
7635c619615a0ca0b067ef939d6093810870b564497eac8b9bda0eb709632b80

SHA512
27df7e949cea881d585d7d3f9cc418c8f0a164c2c2eb70d08aefc7928be3ab17c604acf5614d05ff32252438f06e7fcbfd81c6b0b76ca0d006d5d28d277c3408

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
96KB

MD5
6630d4bb01cda281d08895262a789683

SHA1
6a4e093f281c47d0f7c17b0b16588a874c44183b

SHA256
7715611bc025f0e11945b3bf3d072a3deef638cfce349aaf92b6a7eb39572d32

SHA512
6f37104d13a481c30afabde347d73996ff4681f52e0736c462a1a0c81c6fdcce3a9fd3d880eb7a2f40dce55017aa381b3e7d31ac0bf5c46403a6424b78a0fb9b

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
96KB

MD5
ea85b9a99edbbb10dba73426900e5127

SHA1
0f67c8fe94356b197310e82bdc6966610a2249ab

SHA256
dc46210e1f4e04cf1c14ab45dd47ac338394c305c4bd6505e74af79763c6f619

SHA512
cf5ff5b758b03204d4c882b3b148efba64ae8db2f17a2645711b286d105bf1b473c09a6a1bbbee2093ff641c5f3b90c46fc5e87e1901445016efd302d15f7ec1

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
96KB

MD5
3fdb3e70a0bc9aa8584d792a74de652e

SHA1
fb26d65c9ab1b984d3139432e28db26a9bc6321d

SHA256
a05c6af8895560f691d50d2902fa402b73d5b5490c135cbb8baf1da82b65cd5e

SHA512
486e8bb50e451269c70df5c00a14b6480baa4535fa8ef3bfe5f70a14cccd6622d18245d71ccf86fd34c9522a7b696b0f39b3e5ec81f3f7f2abb087823cb90a68

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
96KB

MD5
31767b74dbd4ee086d10cb19f2d8e1c1

SHA1
1fd0590d165976f784e74a1ecd7abc4c3810280f

SHA256
5857a34565a15de50c1bcd5b969accf904cd2b933cfebaa502f2d7690d2b3415

SHA512
e0aef98f2993f2bdbc536e950e820ba534583e5069310f163354add4297665a25ab310d4bfdf7efb803a4646c3824a0fe5589acdbccf7f0737afc981ae32493f

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
96KB

MD5
7849c73245dafe4f4f6a0d1261316fe4

SHA1
95f0b55bb035741b19dcb231ac5d5ebe84cc5d6c

SHA256
5a7a6b7ae3b93e5950b4f8c4f87dc8209ae149c348fd4219c879aca81bd0efaf

SHA512
c1dde3ffc56cdaa6072b1f76742cbfaca93d3c902bdc09b7c0134bfc6588aea56e1eec78cdece411a418e5197589be64f7a715344648d966fd94afe760f350f6

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
96KB

MD5
50f86faf87c59a0cee54ccba59ee5faa

SHA1
792081b134dff73c61979d2e6d42a6831df78860

SHA256
a3094ef7f82200975bfd385385bc2c942db0477505ec75d0582ece6b5a496058

SHA512
3ff2ae3b57ac106dcc5be6a2281444b7691f040d05855467800ad57187c3dc765838bfae928111a101970d9195c69c33ffe2dc9eae41d5b8a45203322c5cc810

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
96KB

MD5
ccd543d0bbdf133d0ad9affab2ecd5f5

SHA1
d6b15bf203709bf86b098fc19bffe70a48bd118e

SHA256
ee4270b5120966b03e5f19add3d3b712c33f9a0d96d1a157836fa1beac4360b3

SHA512
bafc8c99a9da7baefe6674b615452217ba00c9e6e591366d485a80e6c4d72b823e25c0fd88e9640678049af4bf89df05610d5e2665805e6dd73fc61999129294

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
96KB

MD5
f1657547370951adf0b9ebbd01fc70ab

SHA1
ea97763849357a931ede54ff8dc29d42e9fa9e3f

SHA256
24ec7dd9b1210fa448d0615ac9a62c0a717b9043e11c20d13c7c208239879cfb

SHA512
59667ef50c3df8a2f22a06984e87a60041916e525d334413c320dbe4f10cab2cb6deeca9fc8b8f3e6f5d3d39691ad7e1cd6fc218ca53d77a2354b4272ccf562c

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
96KB

MD5
318f84b5adab6e33197a731ad88aa0e6

SHA1
422e40d5ccef7b70654f0e36dd382758800fb94b

SHA256
5524e095fc540712367a2db8c42c580f37b43d34b1b66aac5bd86db2ba6f34b4

SHA512
98a27e20251499064091b2c0f123a79a894d875b40782a34c8be1500fcd29769d5d2ee71c34047466e387e1b79e9ef7a727920a26808d14290c0d68c9d448aad

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
96KB

MD5
69bc5fc4572bf67a162aa9d2baafcfc0

SHA1
edf7d4bd0f80fea52d889ad49b2079168a07653f

SHA256
eed71dc9ddc508ab055df66425663e7df4a8ff5084d8e02557bb39c9297fec28

SHA512
4ecd0c971731b2e7e82153b5e3152b5205db36bc140026060425be59b1de31e9647c9c2e959f4fa49e24a59516dea6e3f6ec1ba3558815fa76aa53061b5ae868

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
96KB

MD5
e5675766f6cf32ba96622124ef0f69eb

SHA1
c2f364a12f97903368b9787648c3cd708cb66e8d

SHA256
95c2c32196fd47618abc8c0cca262b6154fa2d5ce18d84155b4180c6166b8e76

SHA512
cf58fbede9c185ca740ba36d0cd1915730acedb45813f15863a5f4417bc34c9d2c22f3fda1e54fd4c36f372eb25873604c68306f1bd3cce309f96ab1674dc796

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
96KB

MD5
acd05b1e487542c2d59a334a071db3b4

SHA1
f54661890dca42caee60a38fab885332da10c4f6

SHA256
61a794c7cde9628dd3ac1f4bb638de368750c2c75d716ab788c22a0ed5464ac8

SHA512
dada98bcaca77ac646e8b2ebc9491fa215668f429e489d640ba6d5a2449d6c2a86af5bf5cfaacfed259680af627ce0d4959044bd487552f1b4b8597e1fc9d71a

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
96KB

MD5
c2ab1fdb9e31f0a17c94f32ec6e606a1

SHA1
19881efc3142bd2d433b9d9cc031df3127bfbcf0

SHA256
102d61eba20d2f3de9161547b24d2f826a32abc84b5596c6d6f035a0a2c92664

SHA512
3fbf1fce3b4a4efd559026d39dfff6ef4bc8bcba65be6993a06bf07347a0313d4ae48d3e75e4eb6aff0d18f7e874f1d6b6155183eb310c00b02e028508a00825

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
96KB

MD5
eef7ed2f30ab08a4af45dda348efe5a3

SHA1
816dfb2a43d71607edf4e0f97daf0a719b5fd9a8

SHA256
90de1a6f2acdc89f7713d2a1ba3c92a2b2ad7c7a3c9faea00419741116c5e4ce

SHA512
bf91fef29db4e9448da5ff720c89432c0632857d749fa1f6926bb1429db8ec7948622f46eb85ad4b3f61c91f407e639c4f94c0cb9e9c0881c05143e2808947a8

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
96KB

MD5
8187a7594e7813be7c974df9cf3b36a1

SHA1
eb73f53a25b5c997fa21ea2c497d83e73a51d514

SHA256
038cf873f5403a7dfed3c527c5261ed8cf3d42180410fac27d0c7141048bdfa6

SHA512
5ec4f2dc9a84c6015afa14086873a4f2145284cc387ac51adbb4701154af3bb4eda33015510cd715e16ce08d2874f7b57154ad4efdb65673c7d0b8ab0680ba4e

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
96KB

MD5
3664ce85b9cfb4284583f8deb314068e

SHA1
0904acad4262f8ce4272ddf42af64ac0337598da

SHA256
eb7f61badea3ecdac51d276f2376bcd43e93bb1d80305147ecd093342502a35c

SHA512
5ba3635bdad4ef0a65f40427400472b28c43eb05bfcdb8db7d9dccf80b38a3794af99a2fca633bf9899f871ca44ae5c91d49fd365de78210f771a690d457b9a8

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
96KB

MD5
8cca645141931e9423373c76a32886b2

SHA1
5239d9f696d280a0501e4e7110c0f56acdf2661d

SHA256
c5d2d65d5050746d08572e5faad6fafce248f1f0b3f1075315f5c06792289ca5

SHA512
6f1211278d85d1a5cf9bc8ebb8d570707c4404c8476916b4369f35de6ea449c287ce334d9f117684c34ca4648484e2ebd36d7f3a70eca866422d51caddcc5ccb

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
96KB

MD5
2fb0ef6dce43ca22e3b7fe37a55d2945

SHA1
8b8fd13cec70a2e817c19770612808bec141f7bb

SHA256
4159bbc7fb39ed57dabe60999016f922640d7a9f6d5bf81192dc1c9d048c279c

SHA512
0b7badcafe70bceba57c8601f2f53b5f1b8785a2f45dc103191a38c466111e195b64d4cf9384daa2557e5287b850f35a6d2136d2645a1ce082bcef30248b8745

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
e01f7fadee3ddce2a5e1b4ef1577ed66

SHA1
f9f8e1f50567aced0b34629a25babf20739818d9

SHA256
41c6fbfde7451beb6a9ae00e9243aacf3fe6a55a8a1c75f2b7c4f23dae1a8a58

SHA512
0846d1964deb608a869221bd5503567bad7b42ae0aacb07dc6dd235e24ee3e1d532e9f947b541154bcf52d582eec03b5a4375495b5edda94964b88cc0296517e

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
d4e329a8fb8879ae49fa10ee3c65c9e2

SHA1
97f0ce2f9d05a1ff1e408cb9073acb5ab3d220c5

SHA256
002b55ad43cb05deca129250ce7b3cc9dad6fb9aa85c6de29442b2f6dc4246b6

SHA512
8d5e668edcdbe5bd738137cb400038d1f94bc26cf43b205b5bdf1cd6c1144d6659cbe0ba05cbfe91f9f06fd98fa771272b6b85b31d0ebaeb7bac4cdeac7ad898

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
96KB

MD5
76c3a1e143c65c1ce81637c5f28cb671

SHA1
41426fc8bc475311e4be4fa968fc73c823bcf483

SHA256
c7ccddb5e0f117c6a2050bf9896735287a7b16b2ac404eb8a7bba19b681c9eda

SHA512
4345e88004571e98bb6e96c2de9a14dd3ed85b303e6c48da22c85ed0d441951c1569ab41d418a3f14aedf205cd9fe84ac55ede547d90f4ceb5c7dcec914b9f97

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
96KB

MD5
f93f5ce8d728132c4801989cab4cc7d3

SHA1
25949821f78c56bc8165f713fbca42d6b29019d9

SHA256
61bae57e183edbc790cda78e7b2599d4ea38aad8d72dc21c3b8cce6e7c56baf5

SHA512
b584eacd4892103e80182d6caa657dc0d779b8c7729ba70f23920a8d1cf2e363095b5b23da14d5c04f666bb9ac4c5c8b1ccf154aba1a084b08d0545b4015a474

Download Submit
memory/224-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2016-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5508-1471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6160-1405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6712-1492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download