berbew | 21e6ec7dbc21b436375b69637b9711d771ec34c583e34e76a1199b5d40ddec72

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e6ec7dbc21b436375b69637b9711d771ec34c583e34e76a1199b5d40ddec72.exe
Size

161KB
MD5

7c1ab8970496db870a28b2510cd55c78
SHA1

2fa107f53b34f9894319035a073c90806f107279
SHA256

21e6ec7dbc21b436375b69637b9711d771ec34c583e34e76a1199b5d40ddec72
SHA512

8f8fda31a41e8e468bd14f5472d6ab73ece778bbfa2e146080180177df31d88b48ec8fc8ddb6b0f3ebf22e15b3f4428ab5e1e0a37c4d1d81c49e1f0335343505
SSDEEP

3072:b0Qddlk9X6C71LcSoCokJVwtCJXeex7rrIRZK8K8/kv:bncnL0CokJVwtmeetrIyR

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcfkm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1888	Kebbafoj.exe
852	Kmijbcpl.exe
3060	Klljnp32.exe
4240	Kpgfooop.exe
1088	Kbfbkj32.exe
2008	Kedoge32.exe
4512	Kipkhdeq.exe
4212	Klngdpdd.exe
968	Kpjcdn32.exe
1184	Kbhoqj32.exe
3968	Kefkme32.exe
388	Kmncnb32.exe
1472	Kplpjn32.exe
5048	Lbjlfi32.exe
3332	Leihbeib.exe
1696	Lmppcbjd.exe
2592	Lpnlpnih.exe
916	Lbmhlihl.exe
672	Lekehdgp.exe
1096	Lmbmibhb.exe
2788	Lpqiemge.exe
1324	Lboeaifi.exe
2316	Lenamdem.exe
4280	Llgjjnlj.exe
632	Lpcfkm32.exe
4276	Ldoaklml.exe
4656	Lgmngglp.exe
2908	Likjcbkc.exe
2324	Lljfpnjg.exe
396	Ldanqkki.exe
2032	Lbdolh32.exe
1508	Lingibiq.exe
2176	Lllcen32.exe
4392	Lphoelqn.exe
2844	Mbfkbhpa.exe
3628	Mgagbf32.exe
820	Mipcob32.exe
4916	Mpjlklok.exe
668	Mgddhf32.exe
2816	Mibpda32.exe
1348	Mplhql32.exe
1660	Mdhdajea.exe
756	Mgfqmfde.exe
4892	Meiaib32.exe
2856	Mmpijp32.exe
464	Mlcifmbl.exe
224	Mpoefk32.exe
3440	Mcmabg32.exe
5032	Mgimcebb.exe
3536	Melnob32.exe
3116	Mmbfpp32.exe
3652	Mdmnlj32.exe
4228	Mcpnhfhf.exe
4776	Menjdbgj.exe
3616	Miifeq32.exe
2628	Mnebeogl.exe
3064	Npcoakfp.exe
220	Ndokbi32.exe
1416	Ncbknfed.exe
3024	Ngmgne32.exe
3948	Nepgjaeg.exe
1432	Nilcjp32.exe
2924	Ncdgcf32.exe
2640	Ngpccdlj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Lenamdem.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Lpqiemge.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Mipcob32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Bilonkon.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8796	8704	WerFault.exe	389

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	21e6ec7dbc21b436375b69637b9711d771ec34c583e34e76a1199b5d40ddec72.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1888	4076	21e6ec7dbc21b436375b69637b9711d771ec34c583e34e76a1199b5d40ddec72.exe	82
PID 4076 wrote to memory of 1888	4076	21e6ec7dbc21b436375b69637b9711d771ec34c583e34e76a1199b5d40ddec72.exe	82
PID 4076 wrote to memory of 1888	4076	21e6ec7dbc21b436375b69637b9711d771ec34c583e34e76a1199b5d40ddec72.exe	82
PID 1888 wrote to memory of 852	1888	Kebbafoj.exe	83
PID 1888 wrote to memory of 852	1888	Kebbafoj.exe	83
PID 1888 wrote to memory of 852	1888	Kebbafoj.exe	83
PID 852 wrote to memory of 3060	852	Kmijbcpl.exe	84
PID 852 wrote to memory of 3060	852	Kmijbcpl.exe	84
PID 852 wrote to memory of 3060	852	Kmijbcpl.exe	84
PID 3060 wrote to memory of 4240	3060	Klljnp32.exe	85
PID 3060 wrote to memory of 4240	3060	Klljnp32.exe	85
PID 3060 wrote to memory of 4240	3060	Klljnp32.exe	85
PID 4240 wrote to memory of 1088	4240	Kpgfooop.exe	86
PID 4240 wrote to memory of 1088	4240	Kpgfooop.exe	86
PID 4240 wrote to memory of 1088	4240	Kpgfooop.exe	86
PID 1088 wrote to memory of 2008	1088	Kbfbkj32.exe	87
PID 1088 wrote to memory of 2008	1088	Kbfbkj32.exe	87
PID 1088 wrote to memory of 2008	1088	Kbfbkj32.exe	87
PID 2008 wrote to memory of 4512	2008	Kedoge32.exe	88
PID 2008 wrote to memory of 4512	2008	Kedoge32.exe	88
PID 2008 wrote to memory of 4512	2008	Kedoge32.exe	88
PID 4512 wrote to memory of 4212	4512	Kipkhdeq.exe	89
PID 4512 wrote to memory of 4212	4512	Kipkhdeq.exe	89
PID 4512 wrote to memory of 4212	4512	Kipkhdeq.exe	89
PID 4212 wrote to memory of 968	4212	Klngdpdd.exe	90
PID 4212 wrote to memory of 968	4212	Klngdpdd.exe	90
PID 4212 wrote to memory of 968	4212	Klngdpdd.exe	90
PID 968 wrote to memory of 1184	968	Kpjcdn32.exe	91
PID 968 wrote to memory of 1184	968	Kpjcdn32.exe	91
PID 968 wrote to memory of 1184	968	Kpjcdn32.exe	91
PID 1184 wrote to memory of 3968	1184	Kbhoqj32.exe	92
PID 1184 wrote to memory of 3968	1184	Kbhoqj32.exe	92
PID 1184 wrote to memory of 3968	1184	Kbhoqj32.exe	92
PID 3968 wrote to memory of 388	3968	Kefkme32.exe	93
PID 3968 wrote to memory of 388	3968	Kefkme32.exe	93
PID 3968 wrote to memory of 388	3968	Kefkme32.exe	93
PID 388 wrote to memory of 1472	388	Kmncnb32.exe	94
PID 388 wrote to memory of 1472	388	Kmncnb32.exe	94
PID 388 wrote to memory of 1472	388	Kmncnb32.exe	94
PID 1472 wrote to memory of 5048	1472	Kplpjn32.exe	95
PID 1472 wrote to memory of 5048	1472	Kplpjn32.exe	95
PID 1472 wrote to memory of 5048	1472	Kplpjn32.exe	95
PID 5048 wrote to memory of 3332	5048	Lbjlfi32.exe	96
PID 5048 wrote to memory of 3332	5048	Lbjlfi32.exe	96
PID 5048 wrote to memory of 3332	5048	Lbjlfi32.exe	96
PID 3332 wrote to memory of 1696	3332	Leihbeib.exe	97
PID 3332 wrote to memory of 1696	3332	Leihbeib.exe	97
PID 3332 wrote to memory of 1696	3332	Leihbeib.exe	97
PID 1696 wrote to memory of 2592	1696	Lmppcbjd.exe	98
PID 1696 wrote to memory of 2592	1696	Lmppcbjd.exe	98
PID 1696 wrote to memory of 2592	1696	Lmppcbjd.exe	98
PID 2592 wrote to memory of 916	2592	Lpnlpnih.exe	99
PID 2592 wrote to memory of 916	2592	Lpnlpnih.exe	99
PID 2592 wrote to memory of 916	2592	Lpnlpnih.exe	99
PID 916 wrote to memory of 672	916	Lbmhlihl.exe	100
PID 916 wrote to memory of 672	916	Lbmhlihl.exe	100
PID 916 wrote to memory of 672	916	Lbmhlihl.exe	100
PID 672 wrote to memory of 1096	672	Lekehdgp.exe	101
PID 672 wrote to memory of 1096	672	Lekehdgp.exe	101
PID 672 wrote to memory of 1096	672	Lekehdgp.exe	101
PID 1096 wrote to memory of 2788	1096	Lmbmibhb.exe	102
PID 1096 wrote to memory of 2788	1096	Lmbmibhb.exe	102
PID 1096 wrote to memory of 2788	1096	Lmbmibhb.exe	102
PID 2788 wrote to memory of 1324	2788	Lpqiemge.exe	103

C:\Users\Admin\AppData\Local\Temp\21e6ec7dbc21b436375b69637b9711d771ec34c583e34e76a1199b5d40ddec72.exe
"C:\Users\Admin\AppData\Local\Temp\21e6ec7dbc21b436375b69637b9711d771ec34c583e34e76a1199b5d40ddec72.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\SysWOW64\Kebbafoj.exe
  C:\Windows\system32\Kebbafoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\Kmijbcpl.exe
    C:\Windows\system32\Kmijbcpl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\Klljnp32.exe
      C:\Windows\system32\Klljnp32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        25⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        27⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        28⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        31⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        35⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        36⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        38⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        39⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        41⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        42⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        47⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        48⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        50⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        52⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        53⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        56⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        57⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        59⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        61⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        62⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        66⤵
        
        PID:928
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        67⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        68⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:644
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        71⤵
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        72⤵
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        73⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3556
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        77⤵
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        78⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        79⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2884
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        81⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        82⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1728
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        84⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        85⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        86⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        88⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        89⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        90⤵
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        91⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        92⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        93⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        94⤵
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3268
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3564
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        99⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        102⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        103⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        105⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        106⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        108⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        109⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        110⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        111⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        114⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        115⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        116⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        117⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        121⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        122⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        123⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        125⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        126⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        131⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        133⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        135⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        137⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        138⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2388
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        144⤵
        
        PID:740
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4800
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        146⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        147⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        148⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        150⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        154⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        155⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        156⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        157⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        159⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        160⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        161⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:592
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        163⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        164⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        165⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        167⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        168⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        169⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        172⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        173⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        174⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        175⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        176⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        178⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        180⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        182⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        183⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        186⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        187⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        188⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        189⤵
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        192⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        193⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        194⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        195⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        196⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        198⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        199⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        201⤵
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        202⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        203⤵
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        205⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:7060
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        207⤵
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        208⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:6320
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        211⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        212⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:6876
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        215⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        216⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7040
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        217⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        219⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        221⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        223⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        224⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        225⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        226⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7124
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        228⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        229⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        230⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:7208
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:7264
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7296
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        237⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        238⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        239⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7484
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        241⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7572
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7620
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7660
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        245⤵
        Modifies registry class
        
        PID:7704
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        246⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7788
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        248⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        249⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7872
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        250⤵
        Modifies registry class
        
        PID:7916
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        251⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7960
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        252⤵
        Drops file in System32 directory
        
        PID:8004
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        253⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:8080
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8116
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        256⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8160
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3068
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        258⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        259⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7336
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        261⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7500
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        263⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7540
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        264⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        265⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:7756
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        267⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7900
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        269⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        270⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:8060
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        272⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        273⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        274⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        275⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7448
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        277⤵
        Drops file in System32 directory
        
        PID:7560
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        278⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        279⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        280⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7972
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8088
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        283⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7196
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7332
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        285⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7712
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7884
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        288⤵
        Drops file in System32 directory
        
        PID:8000
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        289⤵
        Drops file in System32 directory
        
        PID:8168
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        290⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        291⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        292⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        293⤵
        Drops file in System32 directory
        
        PID:7392
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        294⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        295⤵
        Drops file in System32 directory
        
        PID:7516
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        296⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        297⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        298⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        299⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        300⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        301⤵
        Drops file in System32 directory
        
        PID:8352
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        302⤵
        Modifies registry class
        
        PID:8396
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        303⤵
        Modifies registry class
        
        PID:8440
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        304⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        305⤵
        Drops file in System32 directory
        
        PID:8528
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        306⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        307⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        308⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8660
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        309⤵
        System Location Discovery: System Language Discovery
        
        PID:8704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8704 -s 216
        310⤵
        Program crash
        
        PID:8796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8704 -ip 8704
1⤵
PID:8768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
161KB

MD5
b0982977b2203a254b2df8a64769031c

SHA1
ac841aeae83b90b23ff144404851386e4d877a7f

SHA256
014578fe81168cda911e16976fddd4d25626ceaa62dee8cfeb2a149f00ac90e6

SHA512
e88033c0178045f73a0299336bd0e409e7681d993710dddf9f62b20d0fa23941d34b9f3646c98cfab41940ec83aeef123e43b011702fc46a25c1785c361afb0c

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
161KB

MD5
97a79b55b7ed2ab2319c427c979cf6ac

SHA1
3c4cf23f3fba5a7534eb839f89f35366e31f7c0b

SHA256
664066f487b058deb69c9c7dc6e94eca672bedbc3cb4febd8cb4db257685a2a6

SHA512
2d70291e65019e3c153f7f450e0ad07b42e1d62f5cc59ab057518d6f15070d49a964faa70aca349fb3f5e5eaf908b8358b77bc7c632645d4f2b385f01cd54924

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
161KB

MD5
c7b16fbeb08dabaa093b127213101a9d

SHA1
fcd571b980ca9506013616a96b1d67683649b193

SHA256
303b6cf4071fa914ff277ac5368ed1144f67c799773347134a7a79c921216818

SHA512
08ae6335353d8d481cc9410f0058b11d84136909e24c6b89a046333e4c80b7b25efc5691bdf24bd0023df93203886eef9031bb0d3761311ebb5621fef85bbde6

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
161KB

MD5
689d5d60f635f29ff6fc31ec84eb136d

SHA1
64efa22f0d921d1bc2fb91bea267d68fd24bbd61

SHA256
182534b22769cde2a461e8d9f5b66c9ff56c48083ea0f014f923bf179a47a16f

SHA512
488ce983523908d935da2999d5365740029838bbf295ece9591f504d1f980bfd9d95e507d65b32731ce18dafe70a87d47896d64bde1e0e481ad8c3341fd819e6

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
161KB

MD5
371d8a2edb74971862340dfc21d5fa21

SHA1
5e4bf99a57aed4551a2a4565f03031a007301d6b

SHA256
ecc3c10deba73e73f0e4d8f576e2250b088e6c83a5f8703fe258e5edca0ddd6b

SHA512
e24edbdb380d377283ad75d17bb2270a15348a51b857dc961d595e86991defecd76166c954cb6fa3c3814438389e026a3505a0d077ad013ecebb0cae1ae53984

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
161KB

MD5
f46cbdfd8c9f5ddc7090686e303faf37

SHA1
baaf1b7d85276644c7851c89dfb1602788cba99b

SHA256
1a5e28e28d907799ddb25359c04b4754173c9800b271a028c4ec565be4a1f00e

SHA512
4061e89154da2dbd86382fb9e0b3113ae165f2b09f99988299e479bb00ad9cdb00e95fb4e5096293df22651906c6eb37cd48e80c80bc25926461af5ebf2f6117

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
161KB

MD5
3ddf38986032152abdb4c62565089d72

SHA1
812ec676ba32cd86288372d533a5e87611a50b27

SHA256
ad75aea782c8ec979311d463c98247a6e98f9ab88b1cfd702660a2a3cf2098b1

SHA512
e0b2827b16ab7f6fcf9a87d1a8976490380c4f27373c3cb1b2094a67bcc34e9a9306615e07117bff9404c48b771774d8afafa0c5a8c071e1260fe7afce2fc331

Download Submit
C:\Windows\SysWOW64\Jfnbea32.dll

Filesize
7KB

MD5
9baddbe823a0f905ddebce8b66c0b8ca

SHA1
373e3bceb4bc2bffa0024b63df3c3344ca08afca

SHA256
26273b99f4a0dbd8fd9d950b519e0a774381450a5b34c326fb68076dadfda958

SHA512
df1c2ff6fe9330265cd642dd34fc599bf79e129f71bfdcb28c0f5e0a6adfff8ebe33f24fc78259204829036475b3eb80a8f2903f3e58693e68664541525f5752

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
161KB

MD5
50f4b5e224b1bb764444511bef8dae9d

SHA1
466dc5fcaa738b1901442a441df88c1597d19a20

SHA256
12457f3ff593ea4e1970d6171e9b54105fd4e4c0a756efbd3c0c19d7ef6891f4

SHA512
0bf9a6197b93998e4156e9758d77baff14ceedaa08389bcc6eacc7a81e4124773f772c9046725982edb08789c2bc2a11b71d4fe5953685cbc22376e036aa5486

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
161KB

MD5
47ee7c12d13842fe02adee451ec56cda

SHA1
0864a6f7e7775476a5be46428e2feedbe829ccfa

SHA256
76d85ad2bbe8938f8fab675ef61e0be8105a54a4bb86bdae1ee78951e143f639

SHA512
c1f22b38dec6d5a8ca10a84cef24c97ab16e2a538019026aa535cb17c8c9dd3f73ab1f6920eab3e538368d84ba45d19dd1e3029d55f6597cc9008b18271d127c

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
161KB

MD5
d1fdc9a94179f23cde657e1633c88fe5

SHA1
8005a64dda8053fc4ce6fb3c848fbc97863d716d

SHA256
1755da7ff066f5f36749a6c161c05da74581515896c553adc5043c27be776f72

SHA512
6920b49593ebca5888869e95d0ef3ba2da9fe1a12a216ef96bdbec40ac1eb0fca54fbffea2b2811a48a6dff480734db5a385d902b51697c94a914950d0060c1b

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
161KB

MD5
f324d7083d75545dfe22727795e4ab4f

SHA1
d0876c4e82316749eb7a48d4d0459c2e5733640f

SHA256
e49f719afd73b28f4b70ccf3dd81af82a607c7160f0396654f0a30c74f377f6a

SHA512
f6625a4af200b3bf9bad95871d83e21ae4c2e8ad5551c7cc47fd62d310d501272fe2b4a8db16fdd380fc8cdbf883e2cb4c63a0be4eb8ec35cafb3d7a8f854f96

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
161KB

MD5
de795f835b202a356eef66d8309d48ab

SHA1
c0c135262b7de1fe012b26604eeef78e8284b8d2

SHA256
6ffe834957cdee8534ce8c86b5981c2975b19a11908cf4c9a798230b471346f1

SHA512
17c1ef3ceed64a918a7376f0875a99e36dc8ed24df6bcb2b2a640a711076dd10925f2a6df92bba943b9a64a64c4eeb24450b6a41ba7eb0868036b30082515cab

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
161KB

MD5
cfeb38c5e46bbd6c763e36de08997f85

SHA1
653f01b2bb691f8b536187e76878fa131f6597e1

SHA256
ed3a16fb38a891182be56ba0f85ab87c0bf6b820a5ede498e1bad2eb1f24d9d1

SHA512
81300f68caf0ba2e624a7cd4cdb7e44ebdf38412f21b3344dcb4759564ef1bc9f2c9f5eac60e4e67c04e57cd32573d27709b27dbd1a45fed7ecf8a5db203ec82

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
161KB

MD5
ab4126e256fb50dfbd2b879c2aa7d576

SHA1
bbbc82406ab75442c1fe44f6e6fbf6648187178c

SHA256
83779b8bd065988dc106b95a236c0888a050baebe4e09579393b6dc637ad25c0

SHA512
fb89714a8e5e804e57a0f63cdc974f503cd18863fe38454d71c72831d98827c9367d2dfdb9faee6ea113534596c404550bc9365544a6a574e59134f061ade31b

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
161KB

MD5
20d16435e0448a2db35a3c25ea2ec760

SHA1
59a2bb9509b645c2161ddabc9b352fcb98cd4524

SHA256
db1750f3c9c1e75996a097390184b1bf5d4e5e99a243238a7a38bd38175d15ad

SHA512
fac86d44e9d40584b9f816accef9da9c654b0801ea71b35cf8659ad25479436ea50709865e0edff3204136d7b9e0763f8f552e40cc267f1325ad7d739de391e3

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
161KB

MD5
6ca08b04a128a6c149d72bd858bb616a

SHA1
c74019fdf0bfe831d2c5b42379857d21da99f72a

SHA256
6efe825922d94f002172a81803a23a77a87cb2d389a31eb820484a75d1487043

SHA512
ba4c4ba87f741117ea9a46af6e5f8d2dcd32091b66e3e210893d90044e2f5ea848d589d620e6f71fc2c036b7e47a5716223e747297de13a65d592f03c73c268f

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
161KB

MD5
cc707a057d0fa6b90cc9e6ef81664cda

SHA1
8a9eeaee96f26ffaf020250425a64ad338678539

SHA256
85fa4eae74b0eb6fd00ce112d15c40ebdf5ec22f6be1a5a5862279310e07f425

SHA512
141c7c1a388905af96ef186c519caaba9bc173dc6a23ed8f2729d818cf658c3fc21fc91681659d756d45c19349a6b65bf30381d1c887408f89aefea91679a435

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
161KB

MD5
85e78398820b1d385a2eac522cac33a6

SHA1
afde305ba5682e53d6b8c10c64013d5336452782

SHA256
7ed911c46fd24c78311c49d918e6524134e70dfeda138fb7ee85e7e56537532d

SHA512
dd64f60b0203a3ccd7890dddca1b012e3bedc5c951d56c9373f749a6e6e4dba50784f3c3669307cf400a3099a6ef682cc6a1850e0231504559445c082fcc0316

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
161KB

MD5
52de60046a4b6ebf10473c961a4a7309

SHA1
b76f64e52f7141f6f7208d7ffbb9a9d36d25460d

SHA256
7d890c47b85217c9a9b43808642e6e667e3b4e9d4ccef60dc4f57717535cc68f

SHA512
422252f13580ea667470fb637e2f758bab9cde6d016a1f88f5d6fb964d2769cc738fea3f771fc7a997b49c1a0664f5fce684c1c732d992ac61b7a08a839da8d8

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
161KB

MD5
ced47c29d68754131584c048f1edbc37

SHA1
0e6017b3c6d72f566606aa2d7d5e4b738096d0f4

SHA256
cab900d24babd5f2a1fdcc134cac820042a1b734d14fe344a4984727fc59c54f

SHA512
9a0ad3de24222c094d209c3d036af56d432d32d376f96bd8112a5725a90bb40af84be9f1f53571221fa9fc27486b23aa2760f2a35c55e80bf81e9b2fd4f88584

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
161KB

MD5
93ce4c5f3e2c5d255255110788b57e1f

SHA1
2ab53ff05ac936809275268f9346792d5d5eba1f

SHA256
e326122b0c57be681a2a1e713dbcfc65feec8957f965039854f5d32bdabbcb97

SHA512
a05565ae9dde71629b742ce950457ee34a885f2d56d2866d86c5a46a975cd036f2e1859a01ffb23960b292294f8e8fd607456d6a9145006648031857c61eade3

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
161KB

MD5
55198a5ad3559d303ac5429840a56024

SHA1
4511e7a0e602c9c90512d1c683723327abf1da23

SHA256
a8ea1b751e71aa189eb9e560c8d9fc49c6ab6d6fed67c119ffb6e95b6d8d932f

SHA512
3284c593969470b68e1ee76b4ed365b8a687cfacc82bdf701625296a4d31f5b1539d735c17e4763bcc827eb61a92f82d786b00c73f88791292ddcf656eab0e07

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
161KB

MD5
d6573aeabc9cfb7fea95c7f3476cdb2f

SHA1
564ecd4cdbed24de31904fc69a9d04eee3923150

SHA256
2922f9c2b2929566a87c05b139666b320091a6083b0e9732b777e8f158b902b9

SHA512
88876aaea178c4d5e0031647b61be2ccf9ee01ffe2b1fcbeefe3665fc1e9f0924a790dcbc900f4363ce06b84bf6930a7c0ec7585566097359a507b7d2dd02d80

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
161KB

MD5
7da2dd1494c41dbac8f5581e62648189

SHA1
c2964419b471ee0bb8f9ae52479a5c5c4053c6d0

SHA256
d255bbb975dc66463d15736e277d402fcf155699f9e87855ee1a5490937e7570

SHA512
84307fad320db1065353f9527a30aaf0b47cf00be87464711e239ff53ff63ff767569ed7f81306ec831794e896f6c3b92b8bdc4010731a0b655460cf4a906233

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
161KB

MD5
4919ed57529a0641225c805c2c66299b

SHA1
41df14ae8acfb9e8f5e13a65e49ed478daf14c92

SHA256
7039eb1ad8a7b6faadc9c454825d2b42fd090942b5dfe921ec10acf2f6309c34

SHA512
e4947b025628cac2dbf9114dfe145b84ce0debf68704e9506437099a0c6b615641c16894e000658f581ff1d939b516f820ea7e7f5e50d78219e8655b26b9693e

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
161KB

MD5
a7a6140608e47803e0c25c057e2ee2a0

SHA1
f3bfdc2c8f0f736ccb200e7872c3d4d5eb9a18e8

SHA256
39e822a0ebe30845b59b97c3a4e0746e3fc744bb8588948fa3bbaba3430b5b37

SHA512
ff6f38221e17774745647919a8188a1f3908d26706f33228f7b7390f512f14bdb20ebe258c45951f5da6e1c77002873eed5ce98bc80e2699d7d6af4a6d576778

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
161KB

MD5
a02121ae051779f5804895b228ff92e1

SHA1
abc549f1303f52ba1df7b36dc6ae0d59c5ac6e27

SHA256
6192eb9478d1ba47aaae80671d5c97fd659af190362f69bdccb6aa10f7a3281d

SHA512
7fb561640a0ff835c6d8e02301d82c6eb78a2c99770d0f984ad0c325800cf20a72502859882cccd05aa8362e2e9d3dcde01fdbaa175143440176c0a00c0db3af

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
161KB

MD5
cd51477c4d5737769a328600fab37918

SHA1
732c02f07cc5a577893ed50a82f3e99ab940148d

SHA256
90e461e0b039909a2621f84d10c328982dcbc9793b92ebac2a376d79b93a4574

SHA512
5fb2392246e2a1ad4e17b76a5280452a29654a426129556edd47a6548a62b1e4661541ab36b3f2c3e43e09a6f96093ec0888a3a23365c882436272bd9d822b1f

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
161KB

MD5
48b1f7626ebf2dbf260d19c6623eeab4

SHA1
275e2db6e468d601e435883995766a37bbfbf46d

SHA256
882f65f01cc5ecd37636efe2aadcb3934737b51f53060c4394c7eb1245975e3f

SHA512
abec853f56f74685e5901bcb7448bfa1b2539dab5073ee5efee108756d3d5d1eca9ba58f7dc017d35fca99ebc031d2ad72d173729d1ebca5d9f65cfbe4bc04fd

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
161KB

MD5
9ce8cb75ff303a5f0362eb3388512fd0

SHA1
b90a12b75a3f856f6509ee630c4b464fd9b9ed94

SHA256
8282d9485530262bf0ceb5a80a5c3f6f7d6a1eac6363f0df54d3b7a3ae98e445

SHA512
b6a2550104e7d7d0c3a4f2fcd760b91ee15623f8cbac546f9b7f63ac46006c2da2c2d5329d3bbc95e84b352cca506446c4722dd16bcc7f00823b770d86994bd2

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
161KB

MD5
3891ecf89d8095d4ea60e8d3e7e76cbd

SHA1
01c20c8fdb524a761a1dca60c9c002365b84aa1a

SHA256
9109665e38af0110d069f15b43b56ef9d400fb33feef7748f7680e5272ddff46

SHA512
d08046812fda5926252972aa2e9aff0a70ac9b35f441558523f7dc57666e986f89f2abc9a731bd9eda3c813f8cd20a14fd8ce8a3ed0eadfd939adff727924a7d

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
161KB

MD5
2c08ea395888e6ac8bc6c48f63e91f6f

SHA1
90431a3c69202b3fe1f5c1e2582b225eb0393db8

SHA256
131122aeb73b280666609fe8b17ffa4fb206f63cf474524a90afb6d206d3dad2

SHA512
196d84867bdb5cec825c8605a52849804934030e91ca7de9efb5a6a7c1a1b7ce0ea30ead190883d60a89a7cfd19d786361c005144be4277b5892cfd2dd485a05

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
161KB

MD5
ba32a30f1a12826f918baa58fef68e0e

SHA1
8f5bbb1fd71f0c291dd98b3ce03ce9fda519262d

SHA256
a51325ec8371b70e7e1b01414b7e41ec8053dc405ee54a941eb27acd1f846ea3

SHA512
303376bcb40c90861faec76e114f1c5ef61eebd65b8767149ebc217ab5e3a2ce046850d29908294469aa702499180ee6e0b777b7e00146d0f3059b84032f7257

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
161KB

MD5
4dc638a519070ab39c6c3cfdbd10677d

SHA1
263972ef6fbdeedef1e717b2045c7d9be14c823f

SHA256
ada08cd6af877caff258b02c05fbf085ba1793fd51f63b37ee8cb242bd94e68f

SHA512
8b25d17c3209ce82ec99f1553014fb6c798b97ac9f11d0cc6623bf4e594489eaf49f6e73118a52403aab8c2181729149c4fe1bef8528ac8e5b5a1a44779dba40

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
161KB

MD5
a123ffff184471a0698360d5c3819ef2

SHA1
e5992dbcc79426f0913e56653edb14d7ab92c98c

SHA256
405f589245cf5a65569da21d27e77e1d1da8d8d7f27161d2c0174f434c634adf

SHA512
66e4f74f45e8a855371823322dc7df7fcab0003b749fa54ccad78583d1f5cdcf45ce5c70f0da86536d77fa5f30484ce4be0f9ac80cb8f74c32c14b0c3a78fac8

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
161KB

MD5
be59cfe34ae91a503bbb38c3c5cb2725

SHA1
6d87873b6ae41b663a5adfbe92c59b3bd847a36c

SHA256
7d890b87ececc0bfa154fe7c08e514752b080ecdcc05b606d90480b156b73d68

SHA512
443af812e955fc91105c39c8ee133425854ffdd6ae02d07689ca3838bfa72bbd11b5004a10cec8e1639aafea2d915a477096e04ed6621d6b23201bef961f3555

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
161KB

MD5
b19251ae6d3718ec12482fcc1646c7f9

SHA1
c5a8dcf53c34b7a8264d06f105355c7286997976

SHA256
5f585d2be42ef11857aaa3d5870e9a55316f8cb4ac7ce0b368f88d7b51c117f5

SHA512
0e0d10093a4b585cd2eb46e681cc328afa549cda76e322b71765abfe40b90b4e2e288848c0e639ec44fcbdca574e8707251df8b8f684c92f7bce3b5d8347fec6

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
161KB

MD5
04e5bf074fce890965f23c39e5e2ba53

SHA1
bea19d92e72f4fee27a5f44795d3c4b0480a32a4

SHA256
ecafa0a62fbd106caf2fa6fe3b0866dceedf6368007e199762e1b178e1793e6c

SHA512
4f05844f52ef1f9bc0b61d97d6782ce8c05d124f9f091ad3bf393f869c967b48f9b8d73f500fd99e88a11631ee91207ff9442e091ffa16e3a847dca54abdf86f

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
161KB

MD5
56f21a7accb944420b90fbf1e21d5a72

SHA1
1c09cdff81cef0ed2eb2ad4e96506ecd52efeb46

SHA256
8a94f1b51f43cf8b9e2d78129b0ca5b4831d5a470d3a85a50b7c3d27085feb09

SHA512
cff21a947a081163756be3980482a4e4cb2a1276773e19a847070cf98a931957187753568728e6d4ea9d3904ac39123b7753940f3b8b2630e4980f85c1cb8173

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
161KB

MD5
58ba80505ae568b16cb75e7a9fa34db9

SHA1
5857d072aebddebbff4c00bfae8fca1ea7f348ec

SHA256
e3f133285c14c710fd001dd280ce79991b0a47c651babc25e62c470ad4781243

SHA512
4df95a07f28553d9116d1cd71a5c705c255beece782e74e3cb12c5e54aed07374268001b4aefddee91360835e1df50ec2f8572c34edce0fce3c14147920ac9cb

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
161KB

MD5
b173bc4b50c1b983d1f70a37c46a747a

SHA1
61dee30d6c55eb7cffaf5e8ced0f95e8ae74f4e1

SHA256
e6e410714aca1efc8f673cfe0c505231ec8058640065895efef0ef4601df139e

SHA512
592800727c4dca531a521f01a43cba5da3e4d66d810247319af3d0daae7d3adce0d5d65eab05e6bc7ab9082ae5b032ed896d3a208c24b2b14f15fae77bb4d65b

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
161KB

MD5
3e275fa15fc73cd8b8ebb08ca97d2db0

SHA1
52f0eeb438b86e28033484cb5c7a2078c74d7667

SHA256
97a4d415e2d40ced552104c0f95c40eb1669abf5940afc9a5422a8b981ea17af

SHA512
53942e136311d6764d9db97286047eb4b953c1343a06a10eb18541360cbff52606fdda572e039e7afc21bb47e18dfce1c4010a65dada9264708f5e777ec0b88d

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
161KB

MD5
33d3edeaf0b6a7c9e808f45af272d276

SHA1
b697ed030cf9ebaeed023e4232d1647be7eeca9f

SHA256
b0b72861969a74a0083c7c08bc626833c1279fec0a2b27b054e917a4ab552a82

SHA512
ae1724183f637292511068aec7259af94ebe89abc0a76625a6baf540d0506eb9720a3113b6af6e976bea30277b63dcfaf313fd829a30d47ae38b9f9b956ef44b

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
161KB

MD5
ffee0f63939167222e5d307d3e7db243

SHA1
8774afe399efa5025bd37b2c10a6f48886716482

SHA256
4dcd81d48cfef329142e9400840ba63688a4cdb6c286f677acf7968ca4e7df8a

SHA512
f1301085c82ece3143430936ec0d40605768ee97d470e59881cb1dbce3a09e95c00e6b267993c3097ba16f21e609db6e4e0e8b8b544e12235d23d27c40871a4b

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
161KB

MD5
ac1c89fa486cce531fe42f050e155657

SHA1
274c1809e13bb523bd1949ce700a0050a2e4f930

SHA256
874f1d96af75f0920bb4d3e848ea94b359ee65f5a4d330284e97a1b88895c1aa

SHA512
e51e3b2fe24f927e53ba13d703a48c20e515c4fcd2e99eb666933a8a739b9eee50e5423d0042ab01a4fc39b1a2f09e2f52b00e03296174adaae06152013ee246

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
161KB

MD5
636341041980faa4ea4581c56edb6b45

SHA1
7c1769490f3208dbcc40c3c568cce40fb6948756

SHA256
8869dc92202c345762f079fe0444eb75f5f719bc288b1b825d1dee6c568d2b1d

SHA512
b8674d015ada0c3a50a4e02ce824e9a01d813ef911e621b8ad96cd8e0d1638e5ef99368e0e67453e3f8e1b3bd384b42ef386f8d1ecb35b7597eb09a9a09bd3a6

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
161KB

MD5
e28f22886f1243d1f5850d41c61f54ec

SHA1
e292dd0ffdb881583241c5104771b0cf7199a496

SHA256
8feaabcc95d537957c5d6bd6a1d8f21ddbf8630f76a0f0295367391e633543c3

SHA512
6efec65b9357be410a7a140101e6d75e91880a78f44dfd20e24360cdca4e3afaa27564026dec6099e6fa19096d5f925398db8cb21d81e6cd88316793dc796a36

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
161KB

MD5
ed0e154ecb48320e504d2db38cd889a9

SHA1
809725b3cbe6d99808114b6f1916e7eae47731cf

SHA256
dc0d6241393fff629f0a0d327316b631960abd717c696ffb3b53b1e48864df72

SHA512
79a120cd3243d8ae28677baea786ad423cb45b273a5054639677d023009dd69c13d860cb689085764834505b9be6efd7d1417bded7ca9f4d9712f6c49aed7273

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
161KB

MD5
c1cc26e986c2922cadd63063fdccb83d

SHA1
fd8253a2b8ddcf80be7b77969fb9a9ebf6093318

SHA256
2a59f63cca91eb717676db5ac9de03045c3a3a7d8851d158dd7eb4748b6ae76a

SHA512
43489d2da63a0fb51d4f4a4779c576a60fca71521cfe2cf387c3c2990954f128c468cea23888a1bb96aedb9ec98521dc3bd5881a0516a034ccd3995ce241fc3b

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
161KB

MD5
9e69d8cbd15173b9504746e2f1accf07

SHA1
724615861f83ae47ef8aaf5b686c1310f060e1c6

SHA256
94203fdf98f0ea65146be3af39e770bd094cb7e2f9f3f9d0a77443f122c2ac8a

SHA512
47e365c8b95eb77e6b98df5b08da7a5ce3fb3c93b7074be5ecb0ae8379c6f1d8b328085020501bc455f84270c576ee99dd84b91d462b9e3d61e5b83ec622c12b

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
161KB

MD5
bb46bb5f63495b4377abd0c56ccccedf

SHA1
b7dc7abc3f5d9511597bb516d1b165b6aad5ddb5

SHA256
222750d8ea332c9086ab2f9d07b48b3f2f3f1f114d1f9d744296df3ee852bf66

SHA512
ac74e4190a673d5e1748058a83a97ac5988e244174f1f3cb054206b804326a0e1051989576102671678be25fe6a7594f7b5d892e6c8dc94eeabe5564a9aff641

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
161KB

MD5
f7867d9ea691a9843884d34008a76fd6

SHA1
5744ebcaea768180deec5c29e570c83105c4d93c

SHA256
f4471c4725403df809583452220bf3970ab6a24c7b2568fdf4325333b73d75ee

SHA512
194931523ceb554240a97b1c405958cf92133e8e8ed0ce802a0318cec69b24f9945cab3cefe5d4f837a6d6411f8243540cbaf2345f4a071149c8863273ac6b82

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
161KB

MD5
d306511b8134622cf018a7a529e2840e

SHA1
e38245d712de04526f825bf102cd108920dbc012

SHA256
d2b03cc04e71ace493ddb11d95ec9917bc49159687d4f95a9f10dce91a1fe15d

SHA512
58c70fa66c61149928c69390f0a6bfa7f46d7428d7ec0b9cb605317156b5fb8eddc293661721e6629e865df21c0d40c8b3d0c50b485f21f5fcd342b03fcb0afc

Download Submit
memory/224-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/388-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/388-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/396-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/396-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/464-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/632-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/632-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/672-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/672-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/756-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/820-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/820-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/852-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/852-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/968-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/968-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1088-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1088-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1096-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1096-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1324-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1324-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1508-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1508-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1696-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1696-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2032-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2032-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2316-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2316-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2592-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2788-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2788-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2844-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2844-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2908-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2908-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3116-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3332-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3332-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3440-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3536-405-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3968-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3968-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4240-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4240-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4276-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4276-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4280-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4280-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4892-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads