berbew | d86e802e88fd33229b5cbbac9460abdaa6216875b9f1c28b9cb90ea50caf7528

Analysis

max time kernel
93s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d86e802e88fd33229b5cbbac9460abdaa6216875b9f1c28b9cb90ea50caf7528.exe
Size

108KB
MD5

89c5819f336f6b28d176615d5c850b79
SHA1

948133781c47a71a6d0508eee4f7b3ddd4f70079
SHA256

d86e802e88fd33229b5cbbac9460abdaa6216875b9f1c28b9cb90ea50caf7528
SHA512

3b3ba41011e3492dcf8c268a25f397ce3725e970824a2a3c3f4b7b0de2bb9248cd9536a63785c86f4ef07ba99255b2b2334af139eab1c3bdd29711a31cd1fbc7
SSDEEP

1536:dGeqYkQlEnUNp7E3esCxr4XivVgcK7U0SdAEFcFmKcUsvKwFo:dFkjsuesCh41y0XEFcFmKcUsvKwFo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkhqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicinj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gokdeeec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3592	Gkkojgao.exe
856	Gcagkdba.exe
380	Gdcdbl32.exe
3932	Ghopckpi.exe
1488	Gmjlcj32.exe
1144	Gcddpdpo.exe
3660	Gfbploob.exe
1704	Ghaliknf.exe
1136	Gokdeeec.exe
2896	Gfembo32.exe
2440	Gicinj32.exe
3596	Gomakdcp.exe
5108	Gblngpbd.exe
2268	Hiefcj32.exe
3036	Hkdbpe32.exe
1460	Hfifmnij.exe
4024	Hflcbngh.exe
3996	Hodgkc32.exe
4572	Heapdjlp.exe
4476	Hkkhqd32.exe
2932	Hbeqmoji.exe
3244	Hioiji32.exe
640	Hoiafcic.exe
1592	Hfcicmqp.exe
4568	Iiaephpc.exe
2960	Ipknlb32.exe
4416	Ibjjhn32.exe
5056	Imoneg32.exe
912	Icifbang.exe
4240	Ifgbnlmj.exe
3020	Iifokh32.exe
1124	Ildkgc32.exe
1928	Iemppiab.exe
1844	Imdgqfbd.exe
1204	Ipbdmaah.exe
5032	Ibqpimpl.exe
4388	Ieolehop.exe
2144	Ilidbbgl.exe
1416	Ibcmom32.exe
1796	Jeaikh32.exe
1516	Jlkagbej.exe
1392	Jbeidl32.exe
2032	Jedeph32.exe
4232	Jmknaell.exe
2000	Jlnnmb32.exe
4332	Jbhfjljd.exe
4884	Jefbfgig.exe
4688	Jmmjgejj.exe
5116	Jcgbco32.exe
4348	Jfeopj32.exe
4144	Jidklf32.exe
404	Jpnchp32.exe
4632	Kikame32.exe
3328	Klimip32.exe
980	Kpeiioac.exe
1648	Kebbafoj.exe
1608	Kmijbcpl.exe
3004	Klljnp32.exe
3016	Kfankifm.exe
2320	Kedoge32.exe
2692	Klngdpdd.exe
2980	Kdeoemeg.exe
116	Kfckahdj.exe
4920	Kibgmdcn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hoiafcic.exe	Hioiji32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Jeaikh32.exe	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Hfmbha32.dll	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Gfbploob.exe	Gcddpdpo.exe
File created	C:\Windows\SysWOW64\Iccbgbmg.dll	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ifgbnlmj.exe	Icifbang.exe
File opened for modification	C:\Windows\SysWOW64\Jefbfgig.exe	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Imllie32.dll	Klljnp32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Mgdjapoo.dll	Ipbdmaah.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ildkgc32.exe	Iifokh32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kfankifm.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Icifbang.exe	Imoneg32.exe
File created	C:\Windows\SysWOW64\Mfadpi32.dll	Iifokh32.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Mhkngh32.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lmgfda32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Jfeopj32.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Jpnchp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bncfnnbj.dll	Ildkgc32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Kdgljmcd.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7968	7888	WerFault.exe	326

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iifokh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjjhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbfgig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcmom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnnmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gokdeeec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghaliknf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gblngpbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hioiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfbploob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcddpdpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gicinj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbinofi.dll"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieolehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glccbn32.dll"	Ibjjhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmenjlfh.dll"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgkmfoj.dll"	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hodgkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmjlcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gicinj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ildkgc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3592	3404	d86e802e88fd33229b5cbbac9460abdaa6216875b9f1c28b9cb90ea50caf7528.exe	82
PID 3404 wrote to memory of 3592	3404	d86e802e88fd33229b5cbbac9460abdaa6216875b9f1c28b9cb90ea50caf7528.exe	82
PID 3404 wrote to memory of 3592	3404	d86e802e88fd33229b5cbbac9460abdaa6216875b9f1c28b9cb90ea50caf7528.exe	82
PID 3592 wrote to memory of 856	3592	Gkkojgao.exe	83
PID 3592 wrote to memory of 856	3592	Gkkojgao.exe	83
PID 3592 wrote to memory of 856	3592	Gkkojgao.exe	83
PID 856 wrote to memory of 380	856	Gcagkdba.exe	84
PID 856 wrote to memory of 380	856	Gcagkdba.exe	84
PID 856 wrote to memory of 380	856	Gcagkdba.exe	84
PID 380 wrote to memory of 3932	380	Gdcdbl32.exe	85
PID 380 wrote to memory of 3932	380	Gdcdbl32.exe	85
PID 380 wrote to memory of 3932	380	Gdcdbl32.exe	85
PID 3932 wrote to memory of 1488	3932	Ghopckpi.exe	86
PID 3932 wrote to memory of 1488	3932	Ghopckpi.exe	86
PID 3932 wrote to memory of 1488	3932	Ghopckpi.exe	86
PID 1488 wrote to memory of 1144	1488	Gmjlcj32.exe	87
PID 1488 wrote to memory of 1144	1488	Gmjlcj32.exe	87
PID 1488 wrote to memory of 1144	1488	Gmjlcj32.exe	87
PID 1144 wrote to memory of 3660	1144	Gcddpdpo.exe	88
PID 1144 wrote to memory of 3660	1144	Gcddpdpo.exe	88
PID 1144 wrote to memory of 3660	1144	Gcddpdpo.exe	88
PID 3660 wrote to memory of 1704	3660	Gfbploob.exe	89
PID 3660 wrote to memory of 1704	3660	Gfbploob.exe	89
PID 3660 wrote to memory of 1704	3660	Gfbploob.exe	89
PID 1704 wrote to memory of 1136	1704	Ghaliknf.exe	90
PID 1704 wrote to memory of 1136	1704	Ghaliknf.exe	90
PID 1704 wrote to memory of 1136	1704	Ghaliknf.exe	90
PID 1136 wrote to memory of 2896	1136	Gokdeeec.exe	91
PID 1136 wrote to memory of 2896	1136	Gokdeeec.exe	91
PID 1136 wrote to memory of 2896	1136	Gokdeeec.exe	91
PID 2896 wrote to memory of 2440	2896	Gfembo32.exe	92
PID 2896 wrote to memory of 2440	2896	Gfembo32.exe	92
PID 2896 wrote to memory of 2440	2896	Gfembo32.exe	92
PID 2440 wrote to memory of 3596	2440	Gicinj32.exe	93
PID 2440 wrote to memory of 3596	2440	Gicinj32.exe	93
PID 2440 wrote to memory of 3596	2440	Gicinj32.exe	93
PID 3596 wrote to memory of 5108	3596	Gomakdcp.exe	94
PID 3596 wrote to memory of 5108	3596	Gomakdcp.exe	94
PID 3596 wrote to memory of 5108	3596	Gomakdcp.exe	94
PID 5108 wrote to memory of 2268	5108	Gblngpbd.exe	95
PID 5108 wrote to memory of 2268	5108	Gblngpbd.exe	95
PID 5108 wrote to memory of 2268	5108	Gblngpbd.exe	95
PID 2268 wrote to memory of 3036	2268	Hiefcj32.exe	96
PID 2268 wrote to memory of 3036	2268	Hiefcj32.exe	96
PID 2268 wrote to memory of 3036	2268	Hiefcj32.exe	96
PID 3036 wrote to memory of 1460	3036	Hkdbpe32.exe	97
PID 3036 wrote to memory of 1460	3036	Hkdbpe32.exe	97
PID 3036 wrote to memory of 1460	3036	Hkdbpe32.exe	97
PID 1460 wrote to memory of 4024	1460	Hfifmnij.exe	98
PID 1460 wrote to memory of 4024	1460	Hfifmnij.exe	98
PID 1460 wrote to memory of 4024	1460	Hfifmnij.exe	98
PID 4024 wrote to memory of 3996	4024	Hflcbngh.exe	99
PID 4024 wrote to memory of 3996	4024	Hflcbngh.exe	99
PID 4024 wrote to memory of 3996	4024	Hflcbngh.exe	99
PID 3996 wrote to memory of 4572	3996	Hodgkc32.exe	100
PID 3996 wrote to memory of 4572	3996	Hodgkc32.exe	100
PID 3996 wrote to memory of 4572	3996	Hodgkc32.exe	100
PID 4572 wrote to memory of 4476	4572	Heapdjlp.exe	101
PID 4572 wrote to memory of 4476	4572	Heapdjlp.exe	101
PID 4572 wrote to memory of 4476	4572	Heapdjlp.exe	101
PID 4476 wrote to memory of 2932	4476	Hkkhqd32.exe	102
PID 4476 wrote to memory of 2932	4476	Hkkhqd32.exe	102
PID 4476 wrote to memory of 2932	4476	Hkkhqd32.exe	102
PID 2932 wrote to memory of 3244	2932	Hbeqmoji.exe	103

C:\Users\Admin\AppData\Local\Temp\d86e802e88fd33229b5cbbac9460abdaa6216875b9f1c28b9cb90ea50caf7528.exe
"C:\Users\Admin\AppData\Local\Temp\d86e802e88fd33229b5cbbac9460abdaa6216875b9f1c28b9cb90ea50caf7528.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\Gkkojgao.exe
  C:\Windows\system32\Gkkojgao.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\Gcagkdba.exe
    C:\Windows\system32\Gcagkdba.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\Gdcdbl32.exe
      C:\Windows\system32\Gdcdbl32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:380
    - - C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        26⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        27⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        35⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        37⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        42⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        45⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        51⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        55⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        58⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        67⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4876
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        69⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        70⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        73⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        74⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2736
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2796
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        80⤵
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3140
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        82⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        83⤵
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1816
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        88⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        90⤵
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        91⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        92⤵
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        94⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4896
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        96⤵
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        99⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        100⤵
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3896
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        102⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        106⤵
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        107⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        108⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        110⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        113⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        114⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        115⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        116⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        118⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        120⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        121⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        123⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        126⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        127⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        128⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        133⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        135⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        136⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        138⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        139⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        141⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        142⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        149⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        151⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        152⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        153⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        156⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        158⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        159⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6220
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:6260
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        164⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6340
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        168⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        169⤵
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        170⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6576
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        172⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        173⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        175⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        176⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        177⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        179⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        180⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        181⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        182⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        183⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        184⤵
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:7132
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        188⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        189⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        191⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6524
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        193⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        196⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        197⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        198⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6984
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        200⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7052
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        201⤵
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        203⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:6492
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        206⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        207⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:6824
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:6904
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        210⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        211⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        212⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:6452
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        216⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        218⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        219⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        220⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        221⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:7204
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7244
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7284
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        227⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        228⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        229⤵
        Modifies registry class
        
        PID:7404
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        230⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        231⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        232⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7528
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        233⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        234⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7608
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        235⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        236⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        237⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        238⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        239⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7808
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        240⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        241⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7888 -s 416
        242⤵
        Program crash
        
        PID:7968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7888 -ip 7888
1⤵
PID:7944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
108KB

MD5
ce683da0047dd4e8df5177d112e090b9

SHA1
6e9757e7bb779014e917e2e54c1c362d0f1f8ca3

SHA256
28d8ed5e2f19bfe1566ba238f35651f37e661dcef223e3d217ae84fb2d89f2ed

SHA512
082afa8bb6d6119530b873ad6dd36c632f7d21118de60ce61c5c5d19aa7ec53f768653c659f502a5a8002f92b056f537ae2fc72f902d77d46192759877e9029c

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
64KB

MD5
84325822704cf1a3d71c4fb43e5b784d

SHA1
107707a8828d30e7b78cf3014961661ecf4e8f2b

SHA256
1c719190615b718ecb09db3761d47237e5150c695d6f5d6cc5205badc4234ab1

SHA512
fd0d8e156698ab577e0ba5bcddc6e0cfb9a089eb0847d7a3da27ae6ef610ca5e55f8b5ea1c7e6b8951ed851c101fde224d788329b11af82c038994d3c550666a

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
108KB

MD5
4ea1bfb655ec7f910ba00e0d74f0f441

SHA1
f5215b94a11af638f3cea50996b52027b9fe3c10

SHA256
16d010fefdd61f4f772e80bc0b1c441590dd2953e04bce7b90291ace1a30c1bf

SHA512
066b33708e8b950ef82020c8d71968874a7ef7f5ea18b18d7e936c59d7590ec8ca363a283c13f9a18004119eeead8420a5c049a5ae9aefbef5a0e18d99051e2a

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
108KB

MD5
8774016502f3eaabb7114b8bfbca8fa2

SHA1
d48a5f683edeb530705f82ee0cbf39f71303f1fe

SHA256
399f57eff5c3340fa728392c636120d5382cae4b3cf6d88c50beb9a4aea97a59

SHA512
7a2176f7d8dbdbdb42b341e4011d27cb74e8452abd6008717062185fd55c7448fba86dece24324d825ccac4cba9f2c07531488b87a467e21964826ff4ec33b49

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
108KB

MD5
783c2de361cc105df1d42e1dba318c2e

SHA1
c5c557e1c096d3fee334d274939a89dbe8368cde

SHA256
54e030e958d54f73f352d961edea4e4a5510f03762c46753e3f95a46c41f57f9

SHA512
a664c79bafb8ba9bebbb17b0d0cf5e4af3b24823f8de2fac6835837e4878b53813bafb471d851d50d6cbe5fe74073c89dd496dd28be87588e96860112865b574

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
108KB

MD5
14741e82ca1ef0ae2f41f0b792e55a1f

SHA1
a29ae3931392d7a7ef5f49365a376eb46683ad4d

SHA256
098ec3b899997a94fc89b8673e1a657a29b7ac4d82156765b4304ab835b44136

SHA512
ac7a7dec26f0d30a40249314f2e12f721ebae1bcb812cae64f3bb973f5acd8c46920ddc1667ab5f5f5870f61f1990a48dd308ca88797fe23b82d59caa385c326

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
108KB

MD5
7506e3958097ba2f586b31596ad4928a

SHA1
08da9ae3b98faf688ec80c06d1dc0e4f1cec0e40

SHA256
14095f8b55d3a88fe2824794221e7f7a4b1c4adf0fbb95b6008989bcff054cb5

SHA512
1f0f9651ae361088eef23da46d8092656427e24693995b61c49c27cca45ff49e9c656e86e169e0880a41daf7d7d36f79a8c92ded39fc8d5ef3ad4badcef23ba3

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
108KB

MD5
8dd2888f89c86b0beefa450fda0175d7

SHA1
810e4613fb5e6772411c65c6c598951ff14daf45

SHA256
1818169fa368625bb08c06a0cb0ec3f4f7d444faf7df380d7b2e6992b5494415

SHA512
f627f633c99fc9b2bf5e21b1490e58c7221cb67e54036ed72faddd01dfc7e9b3427ccd16162d9dc72876af29f2a90052b6bbcf5ad7b6ba78e38bbe723ab6ba8b

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
108KB

MD5
dc6ec7fd52da3a0aa81b002ef066bd69

SHA1
235a7ec572e42446054b4ebb9643bdebfd1b2be7

SHA256
bca79545226561ae751120741185b294da7997f7f516e58e6a51291610fa126e

SHA512
e345361213f0660be5468579de7d430b2ab38a449bedb5ff822a9c53c4d00e7630ee055926f2aaea72cffb193bc4563fd1d1f112e5a60f4c0c9627e2c5db939c

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
108KB

MD5
a1415d64e2843f7c1e18de3b8847e3ba

SHA1
7d42c6c3960be261d4b0b73392491e9c444c0600

SHA256
036cae924c8b986ba653d85e693e22232dfb6dc4e036b950ed54f57b98b9ca58

SHA512
941c7ef77cd1a9494d2c34a6256588b8b29c50d73784a1f5e50a351929f417ddb754cb2903c2137ff68473d5fef1133fab5af6dd7381922df7083eded5a3c543

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
108KB

MD5
283364af0592fd135dba5341ae646e46

SHA1
dd85ca47a441cf44e4cb1daab4afd5b402813148

SHA256
b9658edff682534ee1ba4af6ae12a6b9210a61759925f482ca303cf0b52806a0

SHA512
2e8dd3d3b28e7f49bec35a2b3120bf0db2d4f6eaa0e31952b1db73ed39bd83270312f267711ca59d25f79ecf7a56a0019ed610b80d4f15ca215b4c07a21ce832

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
108KB

MD5
48769d68e36c2a09bbe68623575f8777

SHA1
5fb1183c06c8516aaca97adaf805aee7629f34a9

SHA256
78f50e16398fc9c01e4d422f3058c9972696cbfdf1b37f422123a2c34200c8d5

SHA512
ab016d9021ed6ff3b58129440a1f009c3463df46f544546b04298a896403216ff48807c5dfe28431e1ec8937d655b9f09923b4bbccf6d016ac25bde440a2cdd2

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
2f9c05285a52e162afb5b45af915765d

SHA1
0e71b900f81a8b12883c650bc16066e498c7270f

SHA256
5b8b3644763a8559c35a099d2fbd289a8cfefb361a90e41208154c11a87db5f4

SHA512
b5de1e29876ab3fe6821c15f388547260477c41bee2445971cf721a14bc254551bc7fea5063f55200bdefda10b658a35e0642757748aee6df62bfdceea2db98a

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
108KB

MD5
9b06e58cf5076bf96e0000a7ca19c941

SHA1
f888d9972d0fd2a0b4d19561df9661c2bdac30ae

SHA256
6291df7705b4eccab96963a3bfd476afd84262219f86516bb906561b51d07200

SHA512
d75535661d177126e642d7fc4c9919ab766b4b5a053e329c581ba9bcbd0099ca332187570d8c14d5f01c9b8fcc43a3e6b0de62cee099383a412a934398370677

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
108KB

MD5
aea3b798864ae4a9bcd9e4c53e5e3dd0

SHA1
90b2e9ea62f9afc74c2910d82562a3dcdd8d1c35

SHA256
7d1f39d6e85f43d1780410f398ef635870352546a3a3655f34dcf8c3d7e7896e

SHA512
e03794c95687a01762507b388150726e436a31d7eb467c99e7066bd283e94d2b72d739db1d9c908a5b549d7f3b625ba8d47cc4e358266e492343fc2db3fa96e9

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
108KB

MD5
ec64e12f1b8de6351d3606f9283dab1a

SHA1
f4370d62e44640086f82493f7df0f2ef5414fdca

SHA256
fac1715d6272e65709d9f94d476d720f27af62fe2052f7252a3ff2ad6a47ffe6

SHA512
e11209469aa64f3a54d44d8333cef16c086ab0a7822e92c212582b94c0cd3a99a032beefb51714a78428fc4aa5de67c280c912ad4bb2f25abd1f4dd9354ccb8f

Download Submit
C:\Windows\SysWOW64\Clhkicgk.dll

Filesize
7KB

MD5
c2923845e872e27d87ae8a90b8b3108e

SHA1
50e6a0e5cac1b727007e1ec4bb123346397a2fdd

SHA256
94f7ed78e93940db6584e179ff5535496948b15064971b430732dea2d12073bf

SHA512
4bd0cdf2ef3c4d2d8613ad30e282d8b22bcf2c36490b0c13dae8acd25f477cbf215fa381fa48d1dbc84a0ad23788dcf29430fd61a4554f88074441bdcb82966b

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
108KB

MD5
844a8933698f24d9a48a1882e9d69740

SHA1
37e60e73c39f3f6faf8fc12cf4f2cb0eb1c1a34b

SHA256
2185fc9602e6eb5ccc15f9a6bf9e2d913bc7f03dab4b568c54c09d06d938a167

SHA512
ea5f1eb0175a5780244327673bcd8823b616f3031304e2bf029d01aa44baa17d580cc25b40b32371d5f250e24759db628435f35e9f21973b030e5aef14295b77

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
108KB

MD5
a5ae7d09a43e2931b5ceaa60553bfcea

SHA1
80b7f1a3eda69357e42899031c38a6f3e323be11

SHA256
671845274ce07730fec819dc3b8f1275eb76e6d96f3e3833ebcd1c3674735567

SHA512
46fc40f58d95f123b0fa21950172fd9a99d4ee75e54d9d0230b85cc769705d4da8ff9d43fc380e14bb10b41dfc63d1945e6ceeaea29b153548a41a806fcfaca6

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
108KB

MD5
1b2b694b52d38787db9182dca19ff3f6

SHA1
0727e097fddb1eef289feeef97b07af7480fd088

SHA256
fb69b086ff82f0221f28428ba1465a2a286a071f19d31a65fc893dbe5604dfc4

SHA512
04ddc653ad2f1c31abee6a5df570554889fd58e84181aa5a2c62797e766123f452cddb4b3521e800409445c3508c2c0dfd78c7033e2e40c28dda1a77553b29a6

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
108KB

MD5
6001070f82fdc6f4e2f1f71a62c19683

SHA1
9553c9ff0c54ac2f5b41816fb28e4c0db444e4b3

SHA256
54884486dfbf6ce215d72ae0c656ca656621da372ea3b245007b78ae24842211

SHA512
f794e8d62d60bfb70b22153d36d06e6a7b3de311e5baf72789ad475cdfa05e59956b21b867202a6292967cab76f719db47c03a86a79cd759848a555a4e5df869

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
108KB

MD5
9a98d5a599ff5cb337020b97e2fc16f6

SHA1
4932c6e98c1dc46c171dd18023da650ac08ea73a

SHA256
39c01f4ade229a4791ea2e8885711f9474dfe1312658d1a41854ba5f25f21272

SHA512
f9a4799866057530f26441ce432a968a5b3e5ba32e898eab7a9afdf5f9545c1751ec3dbd39bc8dcc80df45468519b542017f18c2b1e46d5f4f7da0839ff0aa82

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
108KB

MD5
79c6b844927cb298f2030e5e21846a59

SHA1
8c08b145d8f21db56b610988c80e8f73a72def71

SHA256
72c80baf4f2f4396acc4288f63556ca082a3ae6caa28daf56c66c9e9312ab4ea

SHA512
bfe5caef0f5e61d469484e7fea6954425a035a10a2ec33b647e16506b49042b0115742d64d759867e5b7b41932ff8891bbe7377aabfaca19edcebf9e52749ac6

Download Submit
C:\Windows\SysWOW64\Gcagkdba.exe

Filesize
108KB

MD5
d95ed2df130d6137dee80c9004152928

SHA1
1b3c7bfb5fdbc240fb60a4bf10b645ef09ebce86

SHA256
d0a85d22d82f91e26ecc60a22075f55c233f6070d1ffcc14a6fe4b8c17ae9355

SHA512
5fc8450ba212b7972e3f8332756ea2674e111f418c09dbdbcd8d15596aa9f6bb122d5cc707528fe02c8eb330e31acef15d1fe4ce1df6b6307fe80d180946edd3

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
108KB

MD5
70cb9b795223d1d99f57d5de48ae9402

SHA1
7dd5c8e356033de13813baf308acd00c2931cd7a

SHA256
db88186ccf39b8797630df2cff5069468f23b8bc7cac9e11817ad0426be74a51

SHA512
ec459b52b06fc3a120151d0ef3cb38eecffd32fb00778f1434bd83191db23f3d6d8adf4f9ecaf2ec2940d1a0509cf690ccf746b33efcddcaba050870cb9e51ba

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
108KB

MD5
0d7357a355eb23dbd8af5feb4e553203

SHA1
87ea48aa32d2c4d4f8c51d906540a9e2ed5fe4c0

SHA256
e9a01c1414ca2afd7c98df1c74b1d81b2788e59114321ca0883568e06f9891db

SHA512
01cd05b49b04c34b50b0cfc1448533066e961d58e3da74a6faceff82ec56a8b9fa6632aaab412a7f14388c751108681baf99dd2870193c222818ead9f206835b

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
108KB

MD5
9fc08b5840dbab1b5328f6d87d75dd08

SHA1
6fdb98dbc283a60e303f617007ad3d805014b1ca

SHA256
efc3030fcc93def02abdf42b8363fc1e89ace19e9c5f3c376b027184e1e6438a

SHA512
9574d1ecf40f10474cf783d615b33e879d66089082d24c294fafe5ce76bef7336c45ea288cc229ea88e51b92edb2a5d86a6fada8e087537f525f37a82bc58782

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
108KB

MD5
72d0428b61ef28d9c804cb269f174823

SHA1
0559e2da1b8213d0222f76222fde17beeba91bf7

SHA256
e8277ba829d4cd1d4ffa82cf68beaff54fc00f7e572b79135901605bbcd9afbd

SHA512
9c439571b3af74653a5c8e705a9995fa6bd0d9ee2bdf038091b87419b5e031e6a80dab621eb26fd0b8b603958ea52b573ba910ea2c309e592b62d8e42604392c

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
108KB

MD5
31ac7704b9621e519b4edda75ffec9b9

SHA1
3a1fc41366988bae8d01a8185a2df30a8dfbb8f4

SHA256
d5cc9ee6af37bc978fa273a8f63dcd5457c13ef51d01b32dad57b4ff9fdf9622

SHA512
6f3e6c5c2fdc56284d57007b506d7a9c01a730f9184bec604e619164dd9c1abb56c373bb593fd93b4993aa6c1a3dde04a40a7a0673849f6c74000f3fc5e7f078

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
108KB

MD5
fbccd665666a20041a8f990b948696ea

SHA1
f229847f2a1cf240fbc1eca2fe146059d6fe8df3

SHA256
1f9d2beb9c2a995a52062f6d6552bdfb05df295e5256a14372ecc8984325a1dd

SHA512
39a369fd40c755fb5c4e4ad53065a5fc811b23e44cf95580e62bd24a8e65c0bc2d8b8ca7b22d3efcecdfdd390486af02b994aac4d27de67b0c9935b1cf70427e

Download Submit
C:\Windows\SysWOW64\Gicinj32.exe

Filesize
108KB

MD5
f5d97d89f076ba4a768b71f210abed33

SHA1
0fe8537335b7c623b8e4ad0cfa67829b61ba211e

SHA256
3f9f289e5e0969f89ee8e6e5254ba16db27a052b06d77a200c4ab5e0ce4c4ab8

SHA512
38770e3b35375fbbfc42b7f2b9a64bf1a4c9d6c13dfede64098ec9a2b73af88c4553b2d975cb9fc0806f4dec7a1bd647ea76c43f494e7b558b388db5a4d2da90

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
108KB

MD5
e160a683d11b1a428d487955e082c2b9

SHA1
046a5931d8eb622f1fb12aa40ffc4ce2cdc9ff67

SHA256
c635c91887c60630557a90305be39d306d167a2ad27579867b3ce5527b807dc8

SHA512
f1fc67f710162e44544de3864b4c9f081d6688674665518856784f69d03653649eff95c6ac5a1636de8c58b649c26878a1207e7fa8c10b2ef14d6fc5eb096759

Download Submit
C:\Windows\SysWOW64\Gmjlcj32.exe

Filesize
108KB

MD5
62207a143740a002fda0876424824104

SHA1
f117a552ab655dda7a2002365378cb63f6cc366d

SHA256
f14267bc44a342787e209450daaa8bf452613b526b48416acf8d76196f372148

SHA512
323ca65f2f7b9e4094d79559ac817dd5f94ab15572928f131b2f169f19121a9351f3605d7c4b99e7ca36d8ded7187a90177fade7298c89b3838ed70ae3a2db5d

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
108KB

MD5
3be6266c4a177621de40b6a76c89e4e5

SHA1
5ec91ed15c079c5c578b35e0ccd863e1f308af39

SHA256
b5fd1f3c652c31a4ca1dc7b7580aa3de1a7fd10edaf207c90a046eb865a0b458

SHA512
bd8d66e5a85726ea59dbed7031c6d36c6c268c54a9eb99b77bd8b094984b29c0588f4558b8e24383deaf9905bf0313f7b64c4077e759859d8d7534b9f85757ab

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
108KB

MD5
9d766fdb4db4dcf9e1aa5b9ee9cf4c25

SHA1
d7996dadece85e94162e1d3030eec350402d5d96

SHA256
837de780b4a5f652f1ef295eeec7e231deb20bc45c1eb735af754c6bdda3306e

SHA512
c8d08ad77743a0ed27aa9848dfd8ec900578bad58d82404d363d6011b3bcac4caf9ba166d04e8b15f98a737fb65f4ae52048c4bc4191dc5639adfba77cb80620

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
108KB

MD5
54a95fd753799211abfe9c634e89f4d9

SHA1
04873d1cdaecd317a019e8d3f5ab9573f622c8ce

SHA256
75bee9384dceec4bf592bb7e4075889d247d0501ce213852d4b47920e8dd7906

SHA512
e7ab75f3aae178e51f5354c41a42b626b4e8f7fb647856393bd81b7ee286777b5c83701be3c920ea3a222fca969fd6cd27fb84a4e49222a6e92e2bbb30bb0570

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
108KB

MD5
26885d4a30096383a25cb0ea85f8bf4d

SHA1
011f150862227f3fd9e8f6d76a2bcedfbe7eee4b

SHA256
c25d3bd120b671d8f08faedafda502a8596c3657232c1adfeb45655b1a9f1b9c

SHA512
6adefcb8b34883726a8bc5969be21d6d5251b460686785a96fa3fbe43036fe935ad97b52d6632e5052638051f37918b421f09eff6d8fe13bc646491e710578af

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
108KB

MD5
2865f82c18fdce6780bf3c99bb8cc43f

SHA1
fb7d684b54cc36239010b51fe45fff631d562345

SHA256
46759109b18a65e39661695566ca0df1e718f7dbc7b6418dfaad9601a7286aba

SHA512
0e879325b343d1254d557c220cf09187b64e18daf68944fe4592a5cb2dc5757b59558a0e5985814f7896eb5ee020b171c119abdcd4368f8f88ed6612473eb161

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
108KB

MD5
f87d462d9f48e6cb3b06165a830288ff

SHA1
f1709a60fcf39e5ea5f6b80eb9f844a89d000495

SHA256
11c7f6871942f12678f1db39681a8b17a0b9f0d1a4d1ea96b49c429fdf9103ca

SHA512
c6995082f4a2cfd5a2c5d7c2e6a047a08e77b2313b2820c591e99447c7ae19f8f298a4ecf0adadbacbe6c52f1e43d97ce71ee895fd1140c315354ddf9716007f

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
108KB

MD5
51ff8e8df1c8987bf9460209d1555ac1

SHA1
4b25d4c975625b09ed7e7952b31664679b64a95e

SHA256
1f7473503308b6f9eaa628a1ed7916c5285198bae615103345b8bb361223a60d

SHA512
f55266ccea6560513e87059d48a6414f2842cd54dfa4af680480ea22b5389d74d511218a1346659a5f3a8c07c9d8acc96d90eae13ab622798b47346eabf75a23

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
108KB

MD5
09c166918740ead7dbf72c1dcf7e5f07

SHA1
8130be29b6438d7bbaaca1a95b120c1dac466dd9

SHA256
99567b47c961bee429aa86ce561193ac07ebb0b6381aa1d34ba61cfa6c616a0b

SHA512
4905d9885fab811bd5c22f32472e4b41c41f8528e8022911f00ad158f2b99ba1d0945da43b4912292e9a8fa1584cdb92de02c857cb017ff96f0c982427207c79

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
108KB

MD5
bf2fe96a984b440e1225dab69a44604c

SHA1
19fd2f76c941f4c3353b3470c16836656ba77792

SHA256
8667f5f557e7582f57b0e5dae1098888a235d00fc4a8026d0d3744029d9fef30

SHA512
6f7bac5a59f860c43def2c98e266d1f3d0855a66093d18f5e94941e9d4d6ccd95c8bf28ffc472d814b6c07fe1c54c6838b8e6be2c1ce3d9904c7e2e0c7952123

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
108KB

MD5
c6f88481d54ae6366f5415ad197efdd0

SHA1
e03a4e289e3d95a9409e51972fbf1c53bb141832

SHA256
49c0bc30c6810220ddb37a63382921dcab907eee1bdbb5d96bc219f86e0243f1

SHA512
3b614124257a97b5336c09df3a068f4633f2ae653d65dbb4637d8b1456ec59beffe4d674739f907d03c15867ccad1aeefdfdc6741a4cb50aa799ec999b7c403a

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
108KB

MD5
06d723a201d76d1f07da90b6f78e739c

SHA1
9e6ce4dce0a4375a22f47f2824c427f6429ccd8e

SHA256
2bd650e29cc47dab95ab759e22ae297d874f4e32dde940f72b93bfebfe68a951

SHA512
b3c5d557ad41b96d44e29d4da32f6d1bc89499db64cfc502cef16cfa667799220bc70f02afb7a1f93bdcee7ae52e0f5e1906956bbf8efc3ae1c114d6c3016995

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
108KB

MD5
0f8a0897a1b298b28fe95a11ab31455f

SHA1
1d38ed83c947e1cfd59f72297e01a09fa0d7a1cb

SHA256
fc9cb514c13441a1e16f074bb2f0138b39c00b0606466bc8d7cf89a90d51c40e

SHA512
441ebbfd20bac6d2e3454d8d38cec87228e4b9af80a2cea090b5dfea4923b492cd9513687f835a617a1b687c9fcbf3700f4bbedccbe79f45c8e2db5a93abc04f

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
108KB

MD5
3bd200e81481fbbe67aab9f30dcbb2b3

SHA1
bed28c894e786be6e3ff09e6c14908bf4a3bf644

SHA256
e4f4709d8529ce2c7ad9b1a7156238958528831b437334cb8c62ea993346273b

SHA512
ec61fa86d410e3a4392d167f5663d3ad1997ea4edcd5a157bbd4432f117aa70f9afb49eeede123d21a31b94618d92511ea0a5cab7be61f05bc0acaa0bd3d8e29

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
108KB

MD5
1837a8cc28b0117788ecdfe265f8d6d2

SHA1
10eeca08f4facd3fe546397c8fc60859aafaffef

SHA256
e413730432eb02437c073412cfac10fb531cdcf45ec72a1b8e04719f4b574cf7

SHA512
5f3e69a4e772c767cb4d3ee102cac9f754c9727077b1793aabd17c14544520f081f7f8e014b88058e961e134a1668de13caf20acede1776207b19de04f3fde19

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
108KB

MD5
1715b6466b68df3a7e7b84ff4f8f34c0

SHA1
5bf6e4500f4440e23206c0dae2932fa66eedd3f8

SHA256
1bd5bb7cbfcf883a4513faac5762782991516eddd08be0cfc3791b1035852ed1

SHA512
637ba5cd7d0f55d80aca6c951eb51c5d8860dce3f06f99ab18ce1ba1b0f556454c3d9a17e0af6b93c0214b1b148cd7c6198171dfec7d0eb3ef69ef23a1ab64d3

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
108KB

MD5
5feeffc02d00c50cfd128e654cdf2033

SHA1
8067027689ed9f9afa94d17f38f7dd0a0035a592

SHA256
b3102a7e00545f8ed6c4e51e0a14fab8707a653c3ba939284258a3dbf5de8238

SHA512
ccbc423afeda74065e00903ed82a3cc29d46ae98ce8b55b8fb96a24947e00b593846d190aa47c8793bed0f126342616426df2fb805f98d2561ffda1a5670556b

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
108KB

MD5
0a253beb42dc40ea9d2169951b65bbff

SHA1
644cfe5c6bc959daa1f0fe9c8874a9346b83a733

SHA256
a1a7eeb62beb77a2921f190fcadeb5d4cff568dc74fdef3a066289ce0f0e64bb

SHA512
c6d82d7346c34cbcc7dc1349eef7e0c65c213dbe0bc84f7bda14af870c7c270f9c91529f45559b71240dee80fa769e4d3148aa21650a775da9df3657f0fff708

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
108KB

MD5
935ea3ac874815096170db801ff026d8

SHA1
08f2a23d38381c4479efbe230aff756f69fc8b37

SHA256
549eb94c898716fcd5a0811438454d0f3ab2956815cd9a47c33b17b015103964

SHA512
b5f86e969dc2374729c2eacad47bede4ec5d76e350ab8221a7d9e6abade72d23e3b841fb603126609ed9ab0c6b985f4b2b4f4d40a7b8e6c994814f7772d56086

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
108KB

MD5
f27e68ceb44d186521bf8e460d8ab867

SHA1
57494febcce61cdf5ef5576bd05b2c1f60c1dfd7

SHA256
edee26853e6d3bdba3b305f3de960507cac6f4cb25e913f526640bd8e042264d

SHA512
017959c700264c9e549336a76d6dd622b2f330c9157c372e4d8b7d857d26d493cdef240f6812414970b4094728f7a176bd8bda55e89c461e0d76f741b1060215

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
108KB

MD5
4b97ac2d45d0a5ac4babdad3ba458eac

SHA1
289a88b48ad0d76dc7a3cd1f7a47c5d495fd5447

SHA256
9fe8ea8e7446d547f4a08541dab42d9df1661dee71949c9667364e0e5da1bb18

SHA512
3e61b19a40810119e6759f2b1e60deedfe1445dba6c42d82c9c00b9e6c2f5b4cd5c64658c0a02672ce0bc2b01b9b5a910acfe42260b787fa6513a35325c6857d

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
108KB

MD5
65a118a6e80b1581ff4798691c308c22

SHA1
3fe3bc612b618e7265cd41aa2040753367aa3f8d

SHA256
20ac7ee54a815cbfa74ce3ae520a07d3ecec3dfc885e1d6ec43c75edf112e24f

SHA512
500d3cf8cccaf1228f897acf21b029ab541cf3a00c130d4458fff7a715cb59ed9bdf5f36feaddaeb772ccd5222a79169463566ab42fca3d2aa14d2cc3434eaf2

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
108KB

MD5
93170c7ccd001e4f37db9d954c1ccedf

SHA1
f4e0d1feb8ec91f8fbb34aeaa9d490c9f81da53f

SHA256
764d8dbbd80ab0d987b8f0a3ac7242f3ab3e41dfcd1dea94f4208c63e2182637

SHA512
c37d76c0202033c9fe517f5bd53ac527888fb5d1d968a812328b759cd126ec37dcca68d67a78b208851721ed3920332e9bdd0c2605d0488d2db9338e4e37f7b7

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
108KB

MD5
042e969e0e3f86fa1e69b157db63c59d

SHA1
34620afd27ea7bf8c5c2ecbea0cee3825ea015a9

SHA256
e5883b686b1777da70c8afbdb984a74aa45f4612d1c8b089c8fe9e75743182ad

SHA512
9dd2925700569f5134a7fa9d76ea7ce75904778f87d4c703808fd961a2b9579cb9b9f587b1a8c880457309d660156d8311d65d6c9a267b803d7aa50820bef78c

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
64KB

MD5
d1c2946a2822dee6a946e6e73bc78499

SHA1
d17f2f89ec163ba2325be616c9d2c7e2fc50fee6

SHA256
5327104562dc0c7b899acb41ca8d58e497c07bd3c1edeee0c7ca65779b1744d4

SHA512
020914946c07cbd3b2ba211b6baa753b030292be233f38d3647d06941e66377abb641c156b7af3b430fd544f5f2fde19c25be9dcfbe38795e72b98f02c7fc885

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
108KB

MD5
4bb3c70d15504e94dfeaa91a636cf817

SHA1
1b61692ad2e811273c42dd3214c5fc787b47f2bb

SHA256
95c4de9bf712e385ecbe98b4abb315a294686283d8133e9bdf3a18aca6424ba5

SHA512
48c2345bb83d5d834abb6621489107cd0c12874f115b550222e937490925845e71e3f3c8eaf10bf9e17a5b4453175d5f4789f70262f7881c50e436e25ea74d56

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
108KB

MD5
4268e97554dcb0d4a6448027b92af6aa

SHA1
f8306d9aac5daad9bbcf00c675ab8ed8e9866c11

SHA256
6a6780606a9a9b0de3a81b1a33dffc261e5395a1db714711b2f319643c56a7e4

SHA512
e3a8f15685b3c868eb54a446ae2130e7fe8fd663175612250a13686f3807d23ac0f42bcf717a15303b9d805532e9aa18834e12f2f1349635197da0efe98dfece

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
108KB

MD5
e3f7a14b53c66efac9c53fec500647ad

SHA1
5b7570e7962e588a68836fd1c3628551fb0a0089

SHA256
28981cec6134041daaf2dd397ac7fea57d8e2d46ed818fad0b5806adaf93d744

SHA512
8ebdbd1401228720117c3262f761f548f006d83317fde0ab06785481124882f981c8ba19e3992e5ede21b08fbf97ac57bedaa1e4b55db8e388bfea511239aefc

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
108KB

MD5
b5e0d4e1e7d1ea8156f56db5c5673633

SHA1
2a728ab8cc859b65561c4789534b2d706bb321ff

SHA256
a4e9e9d3397c5aa97e00c934f03a65bb64fed4bad59618fc39d1d77ecde4e3eb

SHA512
ade71596f06c2e442a5adf3b69cefae94514e444456c53283c93eb4fd2a6375fd7bce7b9fc3964eaae7685b9f60b46a15096359560cc6d78ae13e857090f3bbc

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
108KB

MD5
c8df7effd6830412ed62ef58eaa3b5af

SHA1
2bbe98c1af76a23e1918266f68c2789e5358e630

SHA256
97ddd5e8fc64d87b081418c34f397c0caa18d922f35305d6aa029d06da7bf0c0

SHA512
0a6321cf45417216ff9a2fe70492245b328f7ebfee6e0b662a5e81e0d39a876c5f72075e90920e2dbb60ffc74327cd74aea1cc14addf3cf5845ab24d63fc780e

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
108KB

MD5
8afbc40c81aa81e19e30887dbb683dd8

SHA1
a4980b165463fd98489eac4402a2200fc8163330

SHA256
b8b19e825d624c169d06d1aa2706b42dc110bd60da22233653581af2dc6874d5

SHA512
72aed3bf72af819ff5e929dc334546ee80394ce9b74351e6fa584ae4966ed56c2b8d134a8798abcec19260ccfdf488eefa5d73eca147151ef7d808c84473d659

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
108KB

MD5
835b5aeb2eb5c25c7bf640461b62f40f

SHA1
ef022d9a2bc93f8093ab6dcc41cd69348b67b574

SHA256
4e52da98198f3a1c36dff897f234d155cec17b76c8fc0c44bcd34ad995011591

SHA512
66f6a9fdf57b258cca75cb27c7cf8744f411f55b4a97b48ff99985912734caadc55e133b00bb5f302d4d2b56c78c54f9e222a194b8f74f71894ed9f256ff3a96

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
108KB

MD5
037b1fb88e67c1590f653071d825819e

SHA1
5cb8adc2b38c6bd9d70a3101d0fa8cebbf442622

SHA256
ee5a10d26386e453e1b415c8bee3c13fe96cc973712e13ca10307ca373d2b5ec

SHA512
e65f78a9a2c4d6c4dfb8d5f896e179d85a663f80207ea935f84729de55acda15eb1744088e211af8f86eed5e1848615e4360630c862d604ebed961321e3a0ae0

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
108KB

MD5
a27f94a61c3e768e6d36e23487a5f81c

SHA1
fb9355c04fd49da5890e77a86a8cd4efbea0294a

SHA256
efe138bc5716edefc15488bad5879bfe9306015d33531c0f3b19ff6dd2ec6ded

SHA512
7c5d6f215e43a7daa6093d85cdb0112982c795181c534e3e644eac19922f0c6a12b575b6dd54d79121539380435572c6926cff79f95fa062f1bc109c0cea907b

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
108KB

MD5
4e1ba87178ea675c4266e1f7767bd280

SHA1
ebc788cee33c7c54b27decf59a250cf3331535a4

SHA256
eb7490c4e69b698531d1ef08b8e8b22b53b9e7a1095697131842aab92bc91ddf

SHA512
d08cff86584c7250b19558d855e98c612680fc398dd3bc7fee70c6344d3cc959915fb6b424f079659c29f904c33b87da33223532c6f00c434a9b8da287784e9f

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
108KB

MD5
7b26b4f4c5163d829bc0acedca533f23

SHA1
587a12d5328958499dbc3d0c18ac69ce57962715

SHA256
e071b35c296819f7e38a5a2d6efd54583d29cbf8d1cc5e09966b30fdb9782394

SHA512
f0a786e7f6db894b84a3c1f613cc60b03c77c840ab7bb0079ee7950615edf1ce591e923214b0c20b86eca15b3dc66fe035fcbd3f43799cd03bd052fa99c5b810

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
108KB

MD5
79b9a238da838ec18b512b2e7cef51e7

SHA1
c579132f04acb3c8ba6c73bd3921ff38ed685539

SHA256
8fbcc3e2537aec65963f5817a0cf168edca4d699e1adff72771944efa9af4721

SHA512
b378e5ee6bdeda45d4c9f6afd53efaa7b3123d369b9d96920045aee1fc727784696f4f2c9422a481fb7a4dca5a8efdae8ba14acea81ee102cbb675c412d3a3f2

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
108KB

MD5
3e252adeba7c1c4567bcb4297cc2edec

SHA1
b9766f3b33a0f984f386a6d9114a62689fcedf74

SHA256
7995f955a13c165597b6530981bf9ed913c34be76e51e871fde27bff73322c09

SHA512
8d766ba53465a82b2921a18801e9937a1b221dfba3db2403b8ebc8a69289b26e9ded6522a89a9e93250908be1036e9a24c7951188c14960b7fc477e19b6ec97a

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
108KB

MD5
f26d7bd7d51f2660f4de49ef71610d6e

SHA1
fc303b243671bf5bcfa848ebaa30ccc28a4617f2

SHA256
1958557c57048b5caa7d05540dd548ba0d40d7cc505121a9a60ab0a6d6d5e404

SHA512
2e9e99e810b089f2cec23ee2193e2da7f7f7bf4f8aa313228aedf38db6051b4bf36d4e36d2f65ef9d5b336f2d2b07482b9d0332d138c82071fdc464e00da17e0

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
108KB

MD5
edd1b26e377d1e717ce3bc33b76b18b8

SHA1
42a593416aba3f9924707ba0f884680802e551fb

SHA256
66e3374ec197634e717633e26da3553843e1b8b7e21bdbd4425eca438089a031

SHA512
5a9b2f2cd92cf3967d221487a43116624cf1ed3434c52502295b56cf8c17906f71e411cf1c4f5defde52b6fc0efd96b9c482a5f6baf0dbb76b99c3ac92d017c5

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
108KB

MD5
e6a9bbfb1ce0148f38faa26c45b8680f

SHA1
ae1415cb0717e43c711aaf534100c633459d13af

SHA256
6c78e6ced146f33fa604251f5e81a5c37617a3640580376815a35b9de17e62c4

SHA512
0019f86f1d99a63a8eb38ebd0c3a03f0cbc26f6a04ea86d3b3b3b3f3ac067e05857d73b7631f8dff50c3b14255ab4c7e50065d4e6727d96f628bdb0c1b582d83

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
108KB

MD5
20b1bafeb5943e737f0eddb19117bb6e

SHA1
11425650ed5171d8f7c84f7834ea242af6764be2

SHA256
4452ee8549593e3a3c5434925099bf8e948fe0f678a97d90fef0bf9721332d06

SHA512
1ad7edd2005fb8b409b1196ff2311158606524cfda7bc34f21d8f22f929d60437ad8d90c8b28c85edd6f46e94a7d9eb34c961d1966681ce5c19ccae74496f6d6

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
108KB

MD5
5bb78b4ef33ff841dc3929b19ee130cc

SHA1
5da11740b96079032d0d1da3e96b943f26332ad6

SHA256
b88ba2c873bfe0caac66942b687db2944d378dd1f85ce8226a283bdc3e27231c

SHA512
661b0486dce472454d4451d923a8c89e90f97ac9833cd213b86805c02bcf99d8f67e38109c2062898b2e9bbad966c1af4af87dc659f39f1322776dcd05d48aa1

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
108KB

MD5
5d6d95233ddd3133e58740652509207d

SHA1
41b1079455e792f662cce8f1621bccafc54ee12b

SHA256
d0e0da61f969ee6687dd43fdb3676b407a2d3f610c6a02d203a966838070d03e

SHA512
a1d49f43839939ad84f162e6049e3d5b651b59a69162969e020e9fa0349e28be8fd4597b058ad223580fc3c636531a666254e9bc0e34f160dda982515b9dcb74

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
108KB

MD5
87a80b55e942451b4ec9084c23accdbb

SHA1
ca78b75c8e8b83145e9bc5d979fee6af647ae975

SHA256
f45f1750b6972748adfbadde45703d5c6ebe9f87c96170bcbd26a829da651c98

SHA512
915b9cae5a54965e53483e10375bc0c9a6885112fc3180d14d1e561d0c877778ad15dad18bff684ec0073f873db4f24f1b8791c07431e27a0d348fcf3fa501b7

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
108KB

MD5
15b691d0c3dea1244f09d823f783b1b4

SHA1
5dfd5f7d9edab5911028d151fc83e3ede2939015

SHA256
6506f449b732dbd5cf8a0b34a0de39ac192bf0e6188c11f6fa7d7cecbf834ee9

SHA512
4d91a6d01aab4e34b7bb14a6211965f8a60922542329b984b148afe69cb0ea6b90988e5bcc4d79822c6aeaaf314bdb44ac07e2c5cc51ef51b88ed7bffb70a69f

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
108KB

MD5
a26083f4e0952a5f5faa9ad53edee9fc

SHA1
f574544346367d6a770eb98e1504dd1f76ded89a

SHA256
14fbce42595794888ca3916b16f0e87dc727c1cd510b8c07f491a59da352686a

SHA512
6da05786f24c87e789ccda6e92c38274782b52f69fa0b703c4f8722e3c97f78b87f7a0c68fd7b9579aef53439ca7438864eaa9c3b94d94516b2fc171cb6c841b

Download Submit
memory/116-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/380-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/380-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/400-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/404-1936-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/404-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/640-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-1983-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1124-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1136-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1204-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1204-1970-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1272-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1392-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1416-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1460-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1608-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1648-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1704-599-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1704-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-1891-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1716-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1796-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-1972-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2144-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2268-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2320-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2444-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-1919-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2736-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2836-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2896-2020-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2896-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2980-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3016-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3140-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3180-559-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3328-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3376-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3400-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3404-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3404-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3592-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3592-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3660-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3660-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3808-1864-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4024-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4144-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4232-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4240-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4332-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4348-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4376-1909-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4376-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4388-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4476-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4568-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4572-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4632-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4688-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4920-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-1888-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5056-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5064-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5108-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5112-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5116-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5404-1813-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5476-1723-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5568-1753-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5716-1768-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5840-1748-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5912-1731-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6056-1787-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6228-1619-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6316-1664-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6340-1713-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6608-1630-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6656-1696-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6692-1629-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6904-1625-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6936-1683-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6964-1604-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7116-1639-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7132-1673-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7448-1582-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads