berbew | 7a65ea84978d653141d5fe65a05f59831cd7be417ae8c630a4e584647e92b35c

Analysis

max time kernel
123s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_00e8c6172aae832496ff5066c8282abf.exe
Size

128KB
MD5

00e8c6172aae832496ff5066c8282abf
SHA1

ecbc64509f0f604d7877066e53e0116e122899a2
SHA256

7a5ca7cdd82bb3d066397bb48c95a9d40d59c1b1725f7566048f5142c99f085d
SHA512

9cf9704ce2d0907043bad5a84df7cf9cf8348b2da23975ab73a36bc9778d7bc568298f828b92a22d94e2d0f003d5ea39374226302e54c199c81551c1bf04a5fe
SSDEEP

1536:zMtcFRfsQw267SdDke1Hoy+GsHQjILQ9FKGXllUDtM60TD4ruhiZlrQIFiglF9xu:zXU/21IsHKG7UDd0pCrQIFdFtLQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igfclkdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlpfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibhkfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hblkjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgibpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfglfdkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgkfnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cljobphg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokgdkeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hehkajig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knenkbio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clgbmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llodgnja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgdidgjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocefm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klfaapbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcanll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllokajf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgiiiidd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejopl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbcke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnlmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fefedmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3928	Cbbnpg32.exe
2824	Clgbmp32.exe
3756	Cofnik32.exe
3360	Cljobphg.exe
2660	Cohkokgj.exe
4044	Cfbcke32.exe
3652	Dokgdkeh.exe
2184	Dfdpad32.exe
1776	Dmohno32.exe
232	Dnpdegjp.exe
4808	Dfglfdkb.exe
1952	Dmadco32.exe
2676	Dbnmke32.exe
3056	Digehphc.exe
5076	Doaneiop.exe
4184	Dmennnni.exe
3372	Dngjff32.exe
1180	Enigke32.exe
1744	Ebgpad32.exe
4752	Emmdom32.exe
4632	Efeihb32.exe
4408	Emoadlfo.exe
4564	Enpmld32.exe
720	Ekdnei32.exe
3428	Efjbcakl.exe
512	Flfkkhid.exe
64	Fflohaij.exe
1496	Fpdcag32.exe
624	Fealin32.exe
1440	Fpgpgfmh.exe
4432	Fechomko.exe
4848	Fnlmhc32.exe
2792	Fefedmil.exe
2780	Fnnjmbpm.exe
5000	Glbjggof.exe
928	Gblbca32.exe
2700	Gejopl32.exe
1648	Gppcmeem.exe
4972	Gemkelcd.exe
4328	Glgcbf32.exe
1008	Gbalopbn.exe
4012	Gikdkj32.exe
4860	Gpelhd32.exe
740	Gfodeohd.exe
3036	Gmimai32.exe
2000	Gojiiafp.exe
4040	Hfaajnfb.exe
1868	Hlnjbedi.exe
4436	Hfcnpn32.exe
1908	Hibjli32.exe
4608	Hlpfhe32.exe
1920	Hoobdp32.exe
3920	Hehkajig.exe
3208	Hmpcbhji.exe
2808	Hblkjo32.exe
1904	Hekgfj32.exe
968	Hlepcdoa.exe
844	Hfjdqmng.exe
1616	Hlglidlo.exe
4280	Ifmqfm32.exe
1248	Iepaaico.exe
3700	Iohejo32.exe
2640	Iebngial.exe
1372	Imiehfao.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gppcmeem.exe	Gejopl32.exe
File created	C:\Windows\SysWOW64\Emcnmpcj.dll	Gpelhd32.exe
File opened for modification	C:\Windows\SysWOW64\Jghpbk32.exe	Joahqn32.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Onapdl32.exe
File opened for modification	C:\Windows\SysWOW64\Fealin32.exe	Fpdcag32.exe
File opened for modification	C:\Windows\SysWOW64\Mnegbp32.exe	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Mcgiefen.exe	Mokmdh32.exe
File opened for modification	C:\Windows\SysWOW64\Phonha32.exe	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Dmohno32.exe	Dfdpad32.exe
File created	C:\Windows\SysWOW64\Edommp32.dll	Ebgpad32.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Figmglee.dll	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Ieoigp32.dll	Akblfj32.exe
File created	C:\Windows\SysWOW64\Gikgni32.dll	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Micgbemj.dll	Clgbmp32.exe
File created	C:\Windows\SysWOW64\Jjjojj32.dll	Nflkbanj.exe
File opened for modification	C:\Windows\SysWOW64\Ocgbld32.exe	Oplfkeob.exe
File opened for modification	C:\Windows\SysWOW64\Onocomdo.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Kpcjgnhb.exe	Knenkbio.exe
File created	C:\Windows\SysWOW64\Edqnimdf.dll	Kncaec32.exe
File created	C:\Windows\SysWOW64\Qmeigg32.exe	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Dfdpad32.exe	Dokgdkeh.exe
File opened for modification	C:\Windows\SysWOW64\Klfaapbl.exe	Kncaec32.exe
File created	C:\Windows\SysWOW64\Mmfkhmdi.exe	Lgibpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbpjg32.exe	Mnegbp32.exe
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Ckgohf32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Enigke32.exe	Dngjff32.exe
File created	C:\Windows\SysWOW64\Dgegjnih.dll	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Pnmopk32.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Pnbddbhk.dll	Aajhndkb.exe
File opened for modification	C:\Windows\SysWOW64\Dpiplm32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Aolece32.dll	Fefedmil.exe
File created	C:\Windows\SysWOW64\Ogekbb32.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Ilqoobdd.exe	Igdgglfl.exe
File opened for modification	C:\Windows\SysWOW64\Hfaajnfb.exe	Gojiiafp.exe
File created	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Akkffkhk.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Bajqda32.exe
File opened for modification	C:\Windows\SysWOW64\Ekdnei32.exe	Enpmld32.exe
File opened for modification	C:\Windows\SysWOW64\Lgibpf32.exe	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Kodnmkap.exe	Klfaapbl.exe
File created	C:\Windows\SysWOW64\Kiodpebj.dll	Ilqoobdd.exe
File opened for modification	C:\Windows\SysWOW64\Jocefm32.exe	Jleijb32.exe
File created	C:\Windows\SysWOW64\Pjmjdm32.exe	Phonha32.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Opjghl32.dll	Aaldccip.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Chdialdl.exe
File created	C:\Windows\SysWOW64\Iipfmggc.exe	Iojbpo32.exe
File opened for modification	C:\Windows\SysWOW64\Jmeede32.exe	Jiiicf32.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Dbnmke32.exe	Dmadco32.exe
File opened for modification	C:\Windows\SysWOW64\Ljceqb32.exe	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Mqafhl32.exe	Mmfkhmdi.exe
File created	C:\Windows\SysWOW64\Cohkokgj.exe	Cljobphg.exe
File opened for modification	C:\Windows\SysWOW64\Igdgglfl.exe	Ibhkfm32.exe
File opened for modification	C:\Windows\SysWOW64\Kgiiiidd.exe	Knqepc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7740	7608	WerFault.exe	343

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Digehphc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gejopl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmqfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onmfimga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmjdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gblbca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mokmdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcanll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjlopc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kngkqbgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emoadlfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fefedmil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glgcbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlglidlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpenfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllokajf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcngpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cljobphg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gikdkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqfpckhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnojho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hehkajig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igdgglfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieidhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npbceggm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igfclkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnlkedai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofkbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llodgnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emmdom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hekgfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_00e8c6172aae832496ff5066c8282abf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlpfhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqhdbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdpad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfglfdkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efeihb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klfaapbl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efjbcakl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jongga32.dll"	Fnnjmbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebqnm32.dll"	Iohejo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlpmmgb.dll"	Kgkfnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll"	Knenkbio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjfee32.dll"	Emmdom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfglfdkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emoadlfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgibpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgbbckh.dll"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knqepc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmjlphl.dll"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll"	Clgbmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnifpf32.dll"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlgcp32.dll"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmpcbhji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cohkokgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enigke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpcfd32.dll"	Efeihb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll"	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggnadib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmqfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll"	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmadco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglkdbfn.dll"	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jghpbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll"	Dmadco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgiiiidd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll"	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fefedmil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3928	3932	virussign.com_00e8c6172aae832496ff5066c8282abf.exe	83
PID 3932 wrote to memory of 3928	3932	virussign.com_00e8c6172aae832496ff5066c8282abf.exe	83
PID 3932 wrote to memory of 3928	3932	virussign.com_00e8c6172aae832496ff5066c8282abf.exe	83
PID 3928 wrote to memory of 2824	3928	Cbbnpg32.exe	85
PID 3928 wrote to memory of 2824	3928	Cbbnpg32.exe	85
PID 3928 wrote to memory of 2824	3928	Cbbnpg32.exe	85
PID 2824 wrote to memory of 3756	2824	Clgbmp32.exe	86
PID 2824 wrote to memory of 3756	2824	Clgbmp32.exe	86
PID 2824 wrote to memory of 3756	2824	Clgbmp32.exe	86
PID 3756 wrote to memory of 3360	3756	Cofnik32.exe	87
PID 3756 wrote to memory of 3360	3756	Cofnik32.exe	87
PID 3756 wrote to memory of 3360	3756	Cofnik32.exe	87
PID 3360 wrote to memory of 2660	3360	Cljobphg.exe	88
PID 3360 wrote to memory of 2660	3360	Cljobphg.exe	88
PID 3360 wrote to memory of 2660	3360	Cljobphg.exe	88
PID 2660 wrote to memory of 4044	2660	Cohkokgj.exe	90
PID 2660 wrote to memory of 4044	2660	Cohkokgj.exe	90
PID 2660 wrote to memory of 4044	2660	Cohkokgj.exe	90
PID 4044 wrote to memory of 3652	4044	Cfbcke32.exe	91
PID 4044 wrote to memory of 3652	4044	Cfbcke32.exe	91
PID 4044 wrote to memory of 3652	4044	Cfbcke32.exe	91
PID 3652 wrote to memory of 2184	3652	Dokgdkeh.exe	92
PID 3652 wrote to memory of 2184	3652	Dokgdkeh.exe	92
PID 3652 wrote to memory of 2184	3652	Dokgdkeh.exe	92
PID 2184 wrote to memory of 1776	2184	Dfdpad32.exe	93
PID 2184 wrote to memory of 1776	2184	Dfdpad32.exe	93
PID 2184 wrote to memory of 1776	2184	Dfdpad32.exe	93
PID 1776 wrote to memory of 232	1776	Dmohno32.exe	94
PID 1776 wrote to memory of 232	1776	Dmohno32.exe	94
PID 1776 wrote to memory of 232	1776	Dmohno32.exe	94
PID 232 wrote to memory of 4808	232	Dnpdegjp.exe	95
PID 232 wrote to memory of 4808	232	Dnpdegjp.exe	95
PID 232 wrote to memory of 4808	232	Dnpdegjp.exe	95
PID 4808 wrote to memory of 1952	4808	Dfglfdkb.exe	96
PID 4808 wrote to memory of 1952	4808	Dfglfdkb.exe	96
PID 4808 wrote to memory of 1952	4808	Dfglfdkb.exe	96
PID 1952 wrote to memory of 2676	1952	Dmadco32.exe	97
PID 1952 wrote to memory of 2676	1952	Dmadco32.exe	97
PID 1952 wrote to memory of 2676	1952	Dmadco32.exe	97
PID 2676 wrote to memory of 3056	2676	Dbnmke32.exe	98
PID 2676 wrote to memory of 3056	2676	Dbnmke32.exe	98
PID 2676 wrote to memory of 3056	2676	Dbnmke32.exe	98
PID 3056 wrote to memory of 5076	3056	Digehphc.exe	99
PID 3056 wrote to memory of 5076	3056	Digehphc.exe	99
PID 3056 wrote to memory of 5076	3056	Digehphc.exe	99
PID 5076 wrote to memory of 4184	5076	Doaneiop.exe	100
PID 5076 wrote to memory of 4184	5076	Doaneiop.exe	100
PID 5076 wrote to memory of 4184	5076	Doaneiop.exe	100
PID 4184 wrote to memory of 3372	4184	Dmennnni.exe	101
PID 4184 wrote to memory of 3372	4184	Dmennnni.exe	101
PID 4184 wrote to memory of 3372	4184	Dmennnni.exe	101
PID 3372 wrote to memory of 1180	3372	Dngjff32.exe	102
PID 3372 wrote to memory of 1180	3372	Dngjff32.exe	102
PID 3372 wrote to memory of 1180	3372	Dngjff32.exe	102
PID 1180 wrote to memory of 1744	1180	Enigke32.exe	103
PID 1180 wrote to memory of 1744	1180	Enigke32.exe	103
PID 1180 wrote to memory of 1744	1180	Enigke32.exe	103
PID 1744 wrote to memory of 4752	1744	Ebgpad32.exe	104
PID 1744 wrote to memory of 4752	1744	Ebgpad32.exe	104
PID 1744 wrote to memory of 4752	1744	Ebgpad32.exe	104
PID 4752 wrote to memory of 4632	4752	Emmdom32.exe	105
PID 4752 wrote to memory of 4632	4752	Emmdom32.exe	105
PID 4752 wrote to memory of 4632	4752	Emmdom32.exe	105
PID 4632 wrote to memory of 4408	4632	Efeihb32.exe	106

C:\Users\Admin\AppData\Local\Temp\virussign.com_00e8c6172aae832496ff5066c8282abf.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_00e8c6172aae832496ff5066c8282abf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\Cbbnpg32.exe
  C:\Windows\system32\Cbbnpg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\Clgbmp32.exe
    C:\Windows\system32\Clgbmp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\Cofnik32.exe
      C:\Windows\system32\Cofnik32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        25⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        27⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        28⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        30⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        31⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        36⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        39⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        40⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        42⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        45⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        46⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        48⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        49⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        50⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        51⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        53⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        58⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        59⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        65⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        67⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4556
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        71⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        75⤵
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3988
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        79⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        81⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        83⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        84⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        87⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        88⤵
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        89⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        90⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        91⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        94⤵
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        96⤵
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        99⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        103⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        104⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        105⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        107⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        109⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        111⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        112⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        113⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        116⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        119⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        120⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        121⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        123⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        124⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        129⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        132⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        134⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        138⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        142⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        143⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        145⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        147⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        148⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        149⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        150⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        151⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        153⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        154⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        155⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        156⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        159⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        162⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        163⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        165⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        166⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        167⤵
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6476
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        169⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        170⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        171⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        173⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:6784
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        179⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        180⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        181⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        183⤵
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        184⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        185⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        186⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        187⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        188⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        189⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        191⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        192⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        193⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        194⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:6912
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6992
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        197⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        199⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        200⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        201⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        202⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        203⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        204⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        205⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        206⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        207⤵
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:6168
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        210⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:6628
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        212⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6972
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        214⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        215⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        217⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        218⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        219⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        221⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        222⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        223⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        224⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        225⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        226⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6928
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        227⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7180
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:7228
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:7316
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        232⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        233⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        234⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:7488
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        236⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        237⤵
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        238⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:7668
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7712
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7756
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        242⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:7840
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        244⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        245⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        246⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8040
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8084
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8128
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8172
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        251⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7192
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        252⤵
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        253⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7344
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:7400
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        255⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:7544
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        257⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 400
        258⤵
        Program crash
        
        PID:7740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7608 -ip 7608
1⤵
PID:7708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
128KB

MD5
1508756835ea62f4ccd067c4f8faeea0

SHA1
7ad8c74658bf0beff78c3519d5c85b52f2a48e35

SHA256
acd91fd1acd19bbd4da1ea980c86c3529253a59c92f6d57dbaff50fbbbe00260

SHA512
c5ebf8bf9bfe9a831c48fcb93e9eb22b4fe5edcd4a1c57d8feccd1ae71b67f7ccb08542b43b8ef4288f053bef540f9157eac89525bb887de2410b8cd777fa9f4

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
128KB

MD5
bc676d5d21b275106223bc8081bb54e8

SHA1
ae596086da178e8f008f5b61caa3124cd7916f16

SHA256
c844aa58eb004da485ccbf69d98e55f06a045cbb429dd5b2ea8ce586bf134229

SHA512
269b8a2db994d1c95948f0fb8df3162d5c18a9537e47fa1c2c862ce62a3f714c1b348cdd5e757e8609b360c9488ec12cfbc7a7e2d4cf27c980ab8216c6b69bce

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
128KB

MD5
a5645c019017057fe9621ebbcb7fa930

SHA1
ccfaad4916eedd5ba00bd28701351fe97da41f1c

SHA256
2aacabc91b9a77653b1e07a62d86c50fef765584521215e3c47209064927450b

SHA512
a4db5428d380f8b12654c7d0d43fa78a44efda8c82d916cba67635b5dcf566de3d315cc7031dd286f2349d9b794d5970fb4161431ea1252f4095a89255cfd326

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
128KB

MD5
ae45adbada652fd35509deb82a45989c

SHA1
50a8143fe82807dfa77ba656f113ff3702321e6c

SHA256
873717a1b2b7125b5bcbb772711f3762338c070b975373009b5871ed197a41a7

SHA512
5db65411d66222317ad65dfedc6e06f11de1869417658ef1dedaf7686dc65e4716f6e278fcb3fd3f2efb7d693be215b07439486c34c1ef5e336004e037eb3140

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
128KB

MD5
be6ea0c0f29ebd142b1210238cc66afe

SHA1
ec00e28e1326a8bd1713454ef9e47ac184ff80ae

SHA256
769501f859bac5717c2df25d962e2c197c284dc0b0b0e5f477c58a5426961686

SHA512
27a1e2964cceb2f71dd28d8f51711ac2b8c52617816e9a0a083450bab838000d2cdb5102a9ba10ad62a02d03b5fe3ea041cdbafe2a7fca578caa863b297f6fa2

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
128KB

MD5
22a57ca5a443e6c6857e780c4700947a

SHA1
b5f9dc431095b21dbc492cceef74f07af30398f2

SHA256
b7d81f95447ee00ce77a37ce1d3a9fcaf08633d83195eab884a783ffe6d61e35

SHA512
a3ec8b99243917af31781bebf63d3c3f81e297e7d059fa2fd20571a22357eb9d5126394c4fa7ecb00d8906ec614f17923ba337e3f6b68a3b5536e472b5a4a181

Download Submit
C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
128KB

MD5
877627d84e67d4e3c6a5183e4b338e3f

SHA1
19f5c6e3f5e3a115e1eebc625c51dbbf2c378ccb

SHA256
52b49286c6c322c76110e0580997fa8957dcf75bf2efd7872770e5e0714bc893

SHA512
73aa296eb7d5ed346f4ed5d878caf377b52ffa78e4fae22341f5f661cc7b5468dc4b8076ab5f8f42deba22255026c01e20f832da945fef5a982125cba34eb328

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
128KB

MD5
396c2453389bda1a0934176d68098dff

SHA1
9ff589827c7dd43f4ae8d21fbc1f235067841420

SHA256
138a76102edb815fb6a5771649f32e2f39ab52208583006171e808e0e729d240

SHA512
16013e20d58d1dcf4537379569c0c174c427df5394d6ee31a57789dcd9a1152091638b7bc4c92631f111824c9dc6c94bf35771b17cf65edb8682e7415545b903

Download Submit
C:\Windows\SysWOW64\Clgbmp32.exe

Filesize
128KB

MD5
6e8aad5e8d4786f9b982952d4d7ffe6b

SHA1
d96d53db1e8c4f8913956daf2fa0487d09b430c6

SHA256
1ef3d37178948cb2a2ea7686f1bcc8572a92b08d2f3911d574f9bab109fbad0a

SHA512
d02bacf5f2f80c8d9a6556d39d171ccd9d2d593a16c7500a66c49ab06072685260a93e62a8fe773d87408f6e1dd9f60f7b65394a3257e6e787e029635ccfd7e4

Download Submit
C:\Windows\SysWOW64\Cljobphg.exe

Filesize
128KB

MD5
5a9bb1c967801082b04f0dc020291052

SHA1
9ce869bcc4c6573f7f10ceefab0a9fe719cc54af

SHA256
05d23e4fdb4817dc7bf94bb5865cf92e0116342d9d6ff70f999ef93272a49ed5

SHA512
e111c975f89489a7e6db79f44d9b62f7b0820fa34bb30e0df143602ed9aff8d9859baedc2cd8e47e358fba10892f8b000e008ed7ea53fc004027ae36270308f6

Download Submit
C:\Windows\SysWOW64\Cofnik32.exe

Filesize
128KB

MD5
623ef49d5aa57cc49a63e6a2c4d1c34b

SHA1
3adf11b4e873b34f8bab046ede64a4ac05dd27f8

SHA256
611b8496a6e7a11157be040f81fc17459b6fc08323b6ce42e3e0f69812addb2a

SHA512
290407752635b3d66e480ca03adc219052c47f0079a3adc0f05df807c4c240bcef05a0565590f346049f7840a0af58b642603b2deb83cfdf0488d455b3d74142

Download Submit
C:\Windows\SysWOW64\Cohkokgj.exe

Filesize
128KB

MD5
a3d62c11ab5f89bbd0e8366e764ec898

SHA1
68a4805c17d1fa6382ffaca4ded9dbdafef5ea73

SHA256
5370f0d244443e48a41842115fcad8635d469211d0f252369bff2d4b55f5c8d4

SHA512
ff5728e5e6b6114e46c56ec79d547c4684ff766249bab9581e6a682efa1ae37b5d8a2a2117771d6c9d598712e1b31d34962c26458ab357b732871f9118f225ff

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
128KB

MD5
c906d7394ab510b2b9da2d9d3e92b27f

SHA1
65fa6b311d98d6aaee052846d460467a094eec7f

SHA256
f2c3c1f367a83185ba775a3d0f240601702365fda4c2617ed5b0020a93ffdd48

SHA512
65f70a503e8561ef550608d395c13a927d781b65d3a2b399741e082f32bef9aef81a20e28bbb0311a83f93c38df5535e67a47c53354d5bbf466f9378c6ee2f29

Download Submit
C:\Windows\SysWOW64\Dfdpad32.exe

Filesize
128KB

MD5
607ef0cf0cfbec559e2c3a264eb978f4

SHA1
c4ea301837126f886300268335007d47be3714c4

SHA256
ddfa749c41413972c01d45833393a7e49bd29c88131bde84abe63d60c4146630

SHA512
5b28792b1cc56e79c2d54f170bfcf94b6e52df1102d6a58df9efe49a9554838ae123ca9251c76eeb183c3e803e2f30b2ea7af63dd08b11a155b58f2c33c0f1ae

Download Submit
C:\Windows\SysWOW64\Dfglfdkb.exe

Filesize
128KB

MD5
154adb69be55338f0fc2677b52da975b

SHA1
14216c340a15548c53b9491acc1184083717ccdd

SHA256
fbebbb89400b24222171d3d2fbc925177e98df4c0fbed4ed7ba0b7c5a7fd229d

SHA512
a0d980d4c4e71104139cfd44d1502af085343a33c1d478db7b713d1e4a9e5a41f30fa22ce6f7cb9e5c0d1b20523bf13eb449946f5121c4aab6389684757f9140

Download Submit
C:\Windows\SysWOW64\Digehphc.exe

Filesize
128KB

MD5
a2481db10e300dbf6f511bad26dc6941

SHA1
3b22134bc1a48b973626ba56096e7e67e5179d8a

SHA256
6e37416c930a940c03a25b3d4d85c4ad40902c9383c51d01a5597bd0370a42f6

SHA512
83ca0726928f3eb3a636fb60b4ff51e4b8f4c43a0477d0325c5d28e038f669b9c96cdec3998f4a062c123917dcb3db7ad69359737c97c2880695ae708b45e824

Download Submit
C:\Windows\SysWOW64\Dmadco32.exe

Filesize
128KB

MD5
d79ac7b69ed5f715e505ca347a7a14e0

SHA1
504f6ec82fcbba91359053b43d3c3c86b9d11fb2

SHA256
ba0278796f32c07b9183dd24f483aaf59daaa71ac922153fcc0ddfeb3777f2f2

SHA512
6240a43132c4bccd457db544e7e9ed7ce3600785cfbae04be9399285030773df9c330b10e3b56bcd0ea82c4b6b407959066997b6401d2bee183ef4bbe1ffff0e

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
128KB

MD5
2e68e883bd8f81f6791b7ebefc2bbc8e

SHA1
64d5569e7342590a597e31c485c6dc1b267ef67d

SHA256
66fd82039034b64cfcc9101480abc0b7310e2a85a7d527a2b3f7daf658624146

SHA512
54569b9bf8321b199a8705affcf5a4539f8002a94590eace77f930bd9e1ac7e370d533e1bd2671d1b280572456343f36fd04b032a3cbd57310b66104e5aecbd4

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
128KB

MD5
a03b425a90f4dfc0a72479a4092e5065

SHA1
2e11d255e41ed86a9f5cd12e33cab28e8f294402

SHA256
dc020ce26274117619517f79e59a04ba664fb5c16bcc7c82b52d058a2a661c5d

SHA512
760efa8c7924844826afb16d32533f18e044c2a871e2cc9e0fcec064104272ba9f05802751aecad095e6e072e3c7b58057b413a92f698b1f4a2f1db8c7c1eb44

Download Submit
C:\Windows\SysWOW64\Dngjff32.exe

Filesize
128KB

MD5
9076ac5c6c64b3179181826439c5f81b

SHA1
dc6339912e397006d45a9f859596a166cc2cd122

SHA256
f9f8cc943f0d29f1d9010fb02331736e583de2f5e509edc067fb4d05112c5d3b

SHA512
133c1d34f28da8ab0cbbf2dbd43b2e7c4330a3d7a7f05144cd4b69541b87bf713063fb294808588824ddf36b0096c2653530ef43dbf523eefeb13cc4e2ec7077

Download Submit
C:\Windows\SysWOW64\Dnpdegjp.exe

Filesize
128KB

MD5
ae3292b7ba0be648a959d4343878717a

SHA1
69bba93ea615de7ed8847157fe80fb75c1ad5cd1

SHA256
de231953e0aa15db282dda43f63dc10d3e2c839a9bde017745e2c00c6e19153d

SHA512
c863309327f323d76f9919369d07f03fac8d50156b2823b9b2d01e3efae709bfb45dea58c104906f7637449dc973c66999a27227371b033ccff3df89fc090fc4

Download Submit
C:\Windows\SysWOW64\Doaneiop.exe

Filesize
128KB

MD5
b9e429270e954a60bda70b575a7d80e9

SHA1
500acfc48d72f5e0086c08bf001952036f1b70ae

SHA256
88605430a881f56a3699b6f0f99ed25128248cf9733d56e45e7fa0c39002b282

SHA512
e7ddadcc4e920eb69de8e0b7a25aed2e48387dcf0f7a0920312bad534901e05348a5643955ec8cc28c0c86501a20b59bad88b15af0affeb8299b531dd4de025a

Download Submit
C:\Windows\SysWOW64\Dokgdkeh.exe

Filesize
128KB

MD5
2b4f94c4a1dd33237f9005b3d64ce737

SHA1
70d27060039c31c0d6e43b000814ffeb81ac8b3c

SHA256
8ae792e41133f3e4db13cca870943b6498fdcc0cefd94692154a1943ffc76779

SHA512
514f3e9d32e5bdaaafd76de15ee7c320d8bdaae11c0b017db9860cafddbae0e50eefab05d288f593ce5b338d79efa5a87830af0c552d6c33cb9fefb53a3f309c

Download Submit
C:\Windows\SysWOW64\Ebgpad32.exe

Filesize
128KB

MD5
21469cee91adefb08ce0124b752d8708

SHA1
2096267b7a585d089320ae174e66729db2909b49

SHA256
d46e29d989215ace244300e2410a2872c8c97711f5705ad6ea703bda9b9cefa4

SHA512
f5384e3c8c289b84ba2b49e74b402c58ca3c1b6ca27e853992e1e2998fdde9d03014c3e48cfd052117d54a09aab209451674e1d2a15960bfc5bacdd6ac204173

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
128KB

MD5
0ffc2a3c6541f1e6d6ee607364805ccd

SHA1
2fe3ba9c91d51a3ee2198f7eefbb9b7e7f240a48

SHA256
e2e0f2c703c71bdb42db06cdaef454e29c98b08b023620177a9a8859120363f3

SHA512
e03ed4bacd2ac86c5324bc96e434c450b5a5e08c6fee3a1732c79bd7b5fcdb862c40385f9c366ee67dcf36bd123ccae31c45521640f30dbf70fda03eb469a7b8

Download Submit
C:\Windows\SysWOW64\Efjbcakl.exe

Filesize
128KB

MD5
565ccd94ee8a2073c391216d90c66071

SHA1
e99caa8a700b5eb1b59efb56bf9c9e3879ebd6b2

SHA256
2dd7c44342837f952a1ee93ea865c32dcf55b2664f4552796ce773576b5c67c6

SHA512
a77300bbfc7955443de9eddddd5ea2658d46191fd89a00fc1727addae17a14f428b2450b57c5b1c84a6dd77c6cbdc45c3b5beb71a17b6354238a2840105b01cd

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
128KB

MD5
8e8e4b400738b07a2944750b3c369c5f

SHA1
b614f5c45174950b78b4e58b425ab47ac11d6426

SHA256
720435f9496ceaeb4021eb1aecef42cb233520d7e674bffd6c560690b94cbe85

SHA512
31e794eea91cfe73eb4b222d49cc9f37bdfc1997fc61e93ddfe2e5371d16381eaf8140ffc785d60f8651bce54659615a6501455b127dd3ea7a2ca1a442c23580

Download Submit
C:\Windows\SysWOW64\Emmdom32.exe

Filesize
128KB

MD5
23660b8b5da21ea8f5cd2f499f820dc9

SHA1
a0b97431308e659d62ec6d6f5842ce75925768d6

SHA256
b46969fb4a7f71bd27b1ac0e54ded3b459e30a14c158369a18eb40d2ec55a6f8

SHA512
e453cf725d74bc243da5d08606ba71d55ec7b5c61fe5bf3fe69411888c61bb44fd7544550ba9ff1960a593134a132406efab95d7508a5c823c4142675d5b6b7f

Download Submit
C:\Windows\SysWOW64\Emoadlfo.exe

Filesize
128KB

MD5
41efa86c03dc787d1580f7bb5f58b8c0

SHA1
38576cfa1352dfaf34067f88b3746fc5439f4d3e

SHA256
12da4af3ea0564a157cbbd2f8736c76e46882b7c11afdc993f3628108eb1e12b

SHA512
9f7ff182a725d651139e137fc3b9678bf3975eedc5dd0261822a47358c327cfee218463a98b41092cc93f94ec4863435a23559a88a613d8d1eae04d523d5151c

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
128KB

MD5
fc7e4746852a7541d76863f4734ca232

SHA1
a1d5d51dfb6c53f61d665d24752206835a04d867

SHA256
0e65ec178a15ec218f952e3db3a1e64dd93031741cc9ff6a612fe3d77a635114

SHA512
3aaadd4543777ec552c80e6020dce5f15d9f6cdd0df33c6fc42d47cffe447b210add9fa362fdce168321a829c89d248f422dcf3d8acb943d7e144493dd110c8c

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
128KB

MD5
ba631a89303a0288fb8ddb9e6de11c02

SHA1
c0f3adb563f2f0d41e72db3fd7aa1d84c70928c8

SHA256
430603d2fc9e69e903dedc38d2443f69d404f775aba5c6db3c54e4b995fd1976

SHA512
1215a66caeb46a45a644d07ec12e96230dd7131b52ffadb56352190519d4ab810bbf0eb08ba691d381b3359f8a88103061a06a1a3ddbdb161573ab772e7c2fb7

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
128KB

MD5
981fdd77fd1b0cbed6fb4a9bd75b37c1

SHA1
0a805b50f5b42cb002123353a1fd9ef095ea404f

SHA256
80ed74dcbaac5dc8e8fe040b1d270a38f9933c47c6a685a7d0ddcd4366305153

SHA512
ee63a9b73cdbff049e628ffa0164b17ce49b58dc1c46b1ee50caa92749f66493060ef02cf221544eb2981bda245562701c6e5c3a4d7397f1368378749db25a96

Download Submit
C:\Windows\SysWOW64\Fechomko.exe

Filesize
128KB

MD5
4eab1f24e8367f6297e66cf5ffec2086

SHA1
7728b0b4b3f0d8b01e43d83c2eef037bbc3ba055

SHA256
0b52c8cc2042b39921c747693ea152f4eceff04738c42926ccb6a09acfa70596

SHA512
73bd8afdd2c4100dd080470bc85b3fea43293d420ecde78066e78b9fbd1c0cddf25039a717cdba40cc2b6f2cb676b0f4502e11d0a988e74efca901e82359290e

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
128KB

MD5
80cec3ecf0c80aa0a2270d3281037e40

SHA1
8a0d2892fffef718bbab24e2b3122fa87b1e968f

SHA256
cebcdfd7438cd969c8695edda9a809dd7c2806cc9f7c038693c9ed1ff0f2c36f

SHA512
d8499aa4f8b8c2876f44a4bb419382c912baec55d9a68a647ae5cb9352768c7efcddd717f35fa181451ac6368d989d1672ef754a6284f2fcb10f8ef29c1d2697

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
128KB

MD5
beed6e57ea561a7fa4eb7aa79662f539

SHA1
c4339240f530ebbdc18389f5dc1da954f2f90a26

SHA256
ca965c476b206c4b75fcbd30405528f63a8ac11395337fdcc0ac6ef1736e08c6

SHA512
cd2283b437ac8a24762675fa87a3695b3d3e693c6d0dd72ef86edab8ef69ab22cc92391ccf227433a55ee550cb047b6a375cd170878eb179509e208ee7eec33f

Download Submit
C:\Windows\SysWOW64\Fnlmhc32.exe

Filesize
128KB

MD5
4afd42d14906c841832fa6031330c165

SHA1
d9ec9faf94a4f9f0c396ae28137079121807a20a

SHA256
203c64b91def9dca7f1e4dc59df89e897042ba1fce98d67dee65a05826d0601f

SHA512
44baa865f93bf177e184f490b0ccfda57ea255d96595199393c762008bf67675e340e4f74f72f4672d1e0cdefe217212df4dee1a575ee64031727d5d534f6e69

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
128KB

MD5
0f92ae1668a2d79b045c8893c54a95c1

SHA1
698934f0b66e6792f3373ec6234d12407a8a6f6f

SHA256
7792b11834454477f1a644ea76dac966b61a05d18bedc23439ce84aee58da920

SHA512
facad770ae03e2bdc2559af6b99197404f4b03bb31f15412d2ce63f0496c76907db9f754ff9d6bb08b0c34399b732ce533a8dd017053fc3e91669f6774e5066e

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
128KB

MD5
b375f1d7a450615f12c3b176d02c832a

SHA1
fef34d41517288c899ea3dc50c903472ed8f3172

SHA256
a5960db408d93c649a7200f294407c51946d8ee588d99571c61f734946400e1c

SHA512
e5960396cd9f974658c0dae7bca8728402a874351168df5d16fc12660a8cd9e80f54cb08f4af447dcccad51ca4ab0684a5e854dfa1b3b5c795b7698092a877cc

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
128KB

MD5
1d7a5de963255c65a31389ccb665ecea

SHA1
82c80a32f7842b84eddc5ede513b0ffa6ea3a717

SHA256
33d08e390c5e10f670774907712a3667770c99b657418d46031e5407a48efa3b

SHA512
e648e9de18d466f4de2a91390b7f9b20b22f51740802e08bbd0e52f05b9915dc3e265aced354ad4f5f3c44c40a1cb2ca37e146fc6c90e8efba732c94b75ba883

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
128KB

MD5
648f2e46f16c115fa10ccaad6c0a5365

SHA1
57ccf073193a22dbe5ec70044a225c8043c9a33f

SHA256
29141d4cd8098a9c665d92942fb5d3a5b1e3de063266a0fc57fd752c4f21bded

SHA512
0ea3a7b3dc52c81c1836a403ae29fc121854f544cfeb1238f77aca65f22d766867a40720af69f063d518c5caf44c1fa16fd2cea01c64189c3b5220bd235b7205

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
128KB

MD5
449c42d3614f50e8f18ebe64c8ae1c11

SHA1
7342f8e92859127952b576bbec8925463db115e0

SHA256
b2d36573087844bcab7e734f32fd6c5ee9c14574d0ef4facbe684c7b53e9490e

SHA512
095d549df0ef515f805a2fb7c12adec2064c4962708cb954b4b58cf6b74df41d03271f04a3468da08d3f1ad2f323b1fc72c4e960fab18b90b85d2f2a4c78a849

Download Submit
C:\Windows\SysWOW64\Hlglidlo.exe

Filesize
128KB

MD5
7d5e42024930b497c00a0ca2689d0699

SHA1
ebbfc278bc7187e33bfff4466a9041f1a4f5ecb3

SHA256
53aa9297f49295eb200c5c37eadc0bbcc57724653e540d110847c1f36d97260e

SHA512
5530ae741541bb507957a6af065fe185d17dbfd5aeb39333260d7a7952a0175cd100574c3a5ed7e1fcadc845da310402c17e40c9f269f35ae06dc6f81584c27e

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
128KB

MD5
6a8064bc41faf736802af102cf268fc7

SHA1
d7c53f74ba2c00fb3fb896155f3a734761c02750

SHA256
924303a903c68651fb82d8676221373591ad00779776e9a399044500682b9670

SHA512
807c11315e6df463b1ac8cd02bc5f4123e4656305ca0eed717fbb5ebace5f687f2219fd0af29822d933f81e81f8e20bec562fbc4ebf54d717e050aac43735a68

Download Submit
C:\Windows\SysWOW64\Ifmqfm32.exe

Filesize
128KB

MD5
35c31b779c60563748f306dfedd28336

SHA1
2bfde00f9ae75798117d40ed9c0fc31b95aaf866

SHA256
f10fa2e1efb3d28bd67cdf779d2d138e5f9e0bc52c24a7bdd61ba645d58253bb

SHA512
d7d9642ac35bdee167392072b9ae84c935baa6620e64842bfc00b35c6b8aeeeb3b3e67fb5fbd0f53a6beea987ad9259fb21b495bc68e33a5c5305b4384d1d0b9

Download Submit
C:\Windows\SysWOW64\Igdgglfl.exe

Filesize
128KB

MD5
50bd70e2166595f3483f5d3649f1bfee

SHA1
27fbc3609a17dd9a0214476a6b32b3300031eff7

SHA256
b83e736b695015bad24c1a82fb7bf60cf52f279e1e8088ee8286c1af175c6dc5

SHA512
8a3b23cb20338dad0d158a055080e4b0e543b5b55b0c3e1b6eab972a47fe06d3f21601985d54210adb1129ab54ff43da700b47e4aa10a05a478abfd2879129ae

Download Submit
C:\Windows\SysWOW64\Igfclkdj.exe

Filesize
128KB

MD5
aa46da19f1eac35f939adb6e442a3da0

SHA1
c556d39323571c37e0a4ffb7bbd674027ea013b2

SHA256
d37908880931e8346d56be65328e817913b4bf6c2a0c4bbcf8a7e95002685fb5

SHA512
64e0928b9c4e7ab066021f3f97b833bbf099aa353857367d93aa1d7537a2abad38a9677517847bdbbc4e6bcec686e12a0dbc2ba36fea4064aa17e4e32bcbc861

Download Submit
C:\Windows\SysWOW64\Iipfmggc.exe

Filesize
128KB

MD5
bda0e3fb3080352a471915ad96ff7430

SHA1
d7d9d3d3354b5b87842e5138ff6083f8f2dd45b3

SHA256
3c517133524baa501d462b67b01499e2b015a6743b706ba9f47aecc71909caf2

SHA512
493d96315c91f22ab3b3d2b1babc5507180f7fdd78eb49069c923e0f2fa0fefe13023a248a80ea62763b2e6db44b560754d26472b16f6ebc73bf951ca31bf0a6

Download Submit
C:\Windows\SysWOW64\Iohejo32.exe

Filesize
128KB

MD5
4446e599f099510a4e9e1bcda46d5a93

SHA1
524862763ee95db853a333101d25eb499727f8bd

SHA256
990f5f421d137d292cf27b0236a95438b933830dec2aa866c96852dc80ab5650

SHA512
a988646aea504b7711010eff7e158fb798ebd7228212e98597ea067ef2e532c419ccbbfc53c778a2e0a89df710e0869193ebd89a02d41f3454c110a2f234b306

Download Submit
C:\Windows\SysWOW64\Jnlkedai.exe

Filesize
128KB

MD5
4f69d023857c642060f09190afa02a5b

SHA1
34f53dfee5a85750e92aa1ba7a8386731385ad43

SHA256
4c468a6b96408c7e52ffc79d46fb798521799690756dc1de67d3177a2f1bff02

SHA512
af41e94c35c69ce40a8ff06bf5d39e3ec78b3037029879f2b9549536fae3791fe44bacfa172059036662fdcc5cd37ae33291a1d0f92e181dc6f27fd351117494

Download Submit
C:\Windows\SysWOW64\Joahqn32.exe

Filesize
128KB

MD5
b4556e4da6437c1964c420654ddd7c1c

SHA1
219aa5b2a5692081e103797e18c85427a47880ac

SHA256
1e6ef57b432d61dc86525df4b150fd031c57d3cfee4d906efa5192d7e081ee5e

SHA512
d25ed85129d343ce1012c1886fe309e914a81690a2f9e93c07c1a1c00515cf675a4c9e4ac5ee1b01b5e005b2c5a31c4cb288b15f1c04e03c6b3604bcb3553e73

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
128KB

MD5
e592b7940bb2b1660639ebfaedaf2f03

SHA1
72640a0af0e10598b252d1878b08c338d3261173

SHA256
b1cb4927a490715a50779181061182de44a9bce0eca11f8fc1ebb9c294410605

SHA512
64c4ab4770819ae1228b32e158cea1336616f7b8586b73cd9350d00eba07486aa16caba8cd8f1683c9c4504146156193d6dfe4f556ae6252ba29bbff2a597bcc

Download Submit
C:\Windows\SysWOW64\Knenkbio.exe

Filesize
128KB

MD5
935b1e1fb7884ce01ee1eda5d07306ca

SHA1
a55c3ad40def7d93cb145a68b37c9f7718d36d91

SHA256
d1eb10bcfd82c7602aecd339af2443d8e34b2e008c54654285ca798e5f7c161b

SHA512
18c372fc3ea9e44a60896104cda561001d85467efb5cef507015fccbe3b34fb70c9b0263b3c0cda3932d09c3bfd8f671a227009bdeb77f0ae07fcfc77ef9ca5b

Download Submit
C:\Windows\SysWOW64\Kofkbk32.exe

Filesize
128KB

MD5
ca9906c45f3e7c4df4adf6c3d2cd4c9c

SHA1
d7d0260c319323d802433831df08ab090999055b

SHA256
f05aed40e497af5bf577db46536b09a8f9a526063d939d53283dbee958098906

SHA512
78527ef570daf3cfa6bb5b114904d01fbf8e53d048f32b6bf48c64ee5a83088a97ffdd428d4a54d3033fdc2a1356b01cb8bd063bb7ede44e9e381b77cc8b8480

Download Submit
C:\Windows\SysWOW64\Koodbl32.exe

Filesize
128KB

MD5
03862c60e0d1826ec5edaceb53e40dcf

SHA1
c5acc7084dc97dc1a104519a648bbc239ecb18d0

SHA256
6cdba13cfd61333d0909c9a6e5866133f881d223de5339dc06420e8a9295d3fa

SHA512
fa4fc3b41f92108a807f617b0fc9936827767b96633ea863cad046fbfe2138d61d2df4590c6c12db8377818a74e5f29694194a5dd9d8f811c26fbe750b78ddf9

Download Submit
C:\Windows\SysWOW64\Lckiihok.exe

Filesize
128KB

MD5
99923aca307a6143485dd67c9bb83900

SHA1
6b683950c8e995be9a371e9fd34b9dcd5d700fe1

SHA256
1b1597dfcf4993d7352e15c4ee2e28277078c812bda548c6c55436bf8915f0ba

SHA512
bb1161cdee63755cbced83eff389b62a5f27372d5c7aee5c6bc5a3e4eb768d83f380060fffa60a70eb1b2b506b5b4bca93a61927b53076300879dd16d8dd0611

Download Submit
C:\Windows\SysWOW64\Lcnfohmi.exe

Filesize
128KB

MD5
428da2ecf258d077c2a10095aa394536

SHA1
f7c48ed5016687095824fe1d509542037e5cfabc

SHA256
8564cdd0702b848be408b616f07d56d2e011190d7209a395a7f8faddee757a09

SHA512
61f6c3f096694107593491e4d04093f232f73038e0757c1c9a20bea1aff9aabf3e0f69ba13a1d8e5d5107be0038ef4e9cdb31de46e679fcbb2e2e34e6bb69c66

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
128KB

MD5
f432507596a31519f1d3b1da3cb6c79f

SHA1
779a6454d615279b498dda496e827d731642912a

SHA256
3b0cd629c848f91043a548007fcdd39ee4075a99a55f0858bb121b9dce0a492d

SHA512
345dff6bd3d14c1d5ed07bde2c24d631bee76df2f4b9da5e084974fc04b21670f2a7947bb0ea89714820794e7a7a3eeac1a19559f291c4c025e5f229b9c233de

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
128KB

MD5
c58d4bf88fe55809e998379059306328

SHA1
f034a406966ec60eaf86594c96134f9fff4624c0

SHA256
308d1a30465ca0d276978e13a794268c90bcfdce524804a079ac2d145fdbed86

SHA512
42f8c5f9c8d8ba3e05c73e750d498ccf0f5bfa2339af695738fb1bd1ef09c50c739c1ec4b1578514c9c893e9887462e5cad7dc45c1ae23288b76197c57dbe84c

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe

Filesize
128KB

MD5
b0b20e234be6c1f0902a96ad42c9fa16

SHA1
6f16149b4cac464a9f9d6ff80f427edbb1fb4296

SHA256
a29056f2c4aba5bf7060a4df38bb8fb9bce7498b6dbb941e6d34c210d21f5692

SHA512
0258e6a323ff98c56412fd077aa503571a9a74355f78ed852f53c1a69992e3280793a1111034305d5dae64777f09a9eb482b895df65fc89344905361133fcb8e

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
128KB

MD5
c6034db798a45095b484fa378e8d18f9

SHA1
2567f655edf9f142e8f242e3cb3a061502848915

SHA256
b108a5a1899858cbf16cc53bd103592af0dc8560e6202d013621d07aa255759b

SHA512
7b357b8ed44a7e16ee14e0def4e371c51837b3b5bd48ea32e122e87d70e16561de308719f81c726b2d335d9dbb5806d15f0971e6989313a1e4870651f8faf3eb

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
128KB

MD5
45827856c4b1fcbee36f384efb98d8da

SHA1
a7fe3a4ba946fa7901580b815de45be31b11031d

SHA256
6778d63cef32c250d3fb646a2a83c0cfd4dcd05798fdb668cf590bf3234152b4

SHA512
75b33eb5488fc8342709215e8c1d8cb72ef0410a110b23570fc1dc487c0e9c6c9e4e509addae3a161805623d7bc21440aacb326c8cb760a021c3b85110a6b975

Download Submit
C:\Windows\SysWOW64\Mqfpckhm.exe

Filesize
128KB

MD5
3dfa062e62f66924c905f4d6af2faffd

SHA1
50b077b17edcbfcf1a3d89d55f54791e288befc6

SHA256
a2cc40eb6c5c32464ed16b8b8eecbc010d64dec951b759ac4744a5f10fb42925

SHA512
a739becf1d51299258c4f02ef5c977f665659083ed04a330228ad763404a7d0d6024e9c24318cc9f862b2d142748735ebbc043fef468bba1c56130bfdf664cf4

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
128KB

MD5
28e62e4fb2fb948b58e7f40f2b7fdf1e

SHA1
856d57a55bb9a08a936f95c7b6179c3ede542d61

SHA256
d2f1dd93954e481e0172f3b906066f774e9a5ea34b727e6711e67335b77d6f7f

SHA512
423121bbf7d6cc3d69d02374f3ad8e8c3064e2df79218fe18cab7ad82e71b4e6bda1007b0dbe87d163234aeac3734a3f20c71b65c9120c07874ef774712d7ea2

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
128KB

MD5
5eea7e5f03a18f6540f5878a1b439ce9

SHA1
85eaa7fabfc484ad37eac9c7d41be21dbcdd2bd4

SHA256
2acb5e724399b8500f20d9b00ec8e349e25d871d2e8042305132f1bc49686f0e

SHA512
1a76c5346cf04f9ed88c891ea49ae1918fa3293950d064de11dbe624af1db4fe61a7f84f1feab0f1df4fdae52ebe62c2bb1598d3b444e74683700930347b1132

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
128KB

MD5
a9dd2fef1a7e81d64f7823a281dfae18

SHA1
076499d6b44d528d72bc08be0d7da6a76c1ac86d

SHA256
bfd5a898d0ce1fe2131656dcb0d14aa320fa686ece25b15b6ab44d5c13471fec

SHA512
758bd027a1674ee669d181b2bf3e29f8580afbe91e9b2903960f2223ae0e21c273a9d944580909406773ca0c6d826277ade2f04efa66c780eddd96d4af7d3e7d

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
128KB

MD5
f82f17ce678badd6d1f27822ae28bea7

SHA1
9c48ce03de3040dcfd019694a1eb843da1faaa44

SHA256
c08db704adc1e76e627c1e683ac13f0cf175b652ac7530444e4ea7f6372f4a1b

SHA512
e662e7f122abd720fc2d10f2cc88be7bb5220643a44c1dc09c2844310c77c86dab6227604cc3b904be50c6920763c48168dc80b966751f9016af0f21a097a948

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
128KB

MD5
7cf41095c8af1e3fa45d91a228e935ca

SHA1
652f4e07d902128e94c056a15c80d38985b6d2a0

SHA256
ff18d9820f028245fbf5bed53cf83d53d6aebf58cbb4aa81ebc56301b566db97

SHA512
08a070685121b493ac17b277ad21f4fd9d7f7fd2c3b59bd0ed061787a8d90dfa18fc28cf1ed4118220f9733f97618822d2cf494575b42c5773e0291e75ac0617

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
128KB

MD5
49c6b41cd4c967e6b255a8540a5e1a53

SHA1
2e615de08532b66b48e43771de20633c356edadd

SHA256
42b8ceafa45bd99495371e4912526bfa30405744d8debab838c49653525e6b31

SHA512
b033f6825dc0d64befb81502f707ab6081ef803de402aa40d07c0952c19ed966053179a3bf8b38b8b172266f7fa3382089df1c011ceab207f5d75463b6899ff2

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
128KB

MD5
e9fe6a920b13ce79f284dd7cefe1e9e8

SHA1
1159b530d632b67679a33e7ae309e138e86e699f

SHA256
34b7fc1054939789abd8229cbf1f2756ab8ae09794f2731606d7f8227307f8f9

SHA512
c32e0800aeb23797f79088a4202cb3ad1a4aa90bcbac9595efc248c4be3fcb17e32350b238b7351671b473cbf795a36820b9b507876c1d9dbded4e3688ba988c

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
128KB

MD5
1c0b8c54f40337cc0c9e646eec162501

SHA1
30e22d1d0f848f00b93894c36fb0a34e67e6fb0e

SHA256
622a11a7bb9b88975f2ec16c51dbcf79de4216d937243cac76f3007c5eae0685

SHA512
6c15fb651cdc6f64b8c8233a3131818f4e79d38fbe4dc658daa246049bcc0cfcf59962269628d05cce6b0aa1b519b554b636883c93457a5a3b5f084b243c2867

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
128KB

MD5
a5a9b01052ef65bc6822c81e0d3c860c

SHA1
75a81a21823ac22fa254200980cf1a228a55d964

SHA256
6fa537fb2dc064a6d8598892e023fa7a3935a22edf7128697ebc3fc3be040a68

SHA512
3854f4ed1e7cd036e298201019562ed9f0b58b8da44caad4dbba88ac845cbcd87f56af46a5babbf59d9e50b43eae13391a800e454eb8ebfa589e232a6062d79a

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
128KB

MD5
e7291f7b1ef214fad659f633733d7ee3

SHA1
a65656b0d190051256f32ecb69985fa6d455f0b8

SHA256
98746f3426dec4b24a1dc03f32babe11bf453f2a9addda77bf7eb8bcea3eabf1

SHA512
e87e23a4e4c6c9883121e9b8e8d89b5666d133fe5b1517ab3e05c56d62d2e382554c0f928ba92e10074302113ec72eaa5a22e17dbffe09fd448e32969ff2df00

Download Submit
C:\Windows\SysWOW64\Pjmjdm32.exe

Filesize
128KB

MD5
7897eb7764345970e72fa79c95c5cc97

SHA1
9094f91a35e8df357ab9abbc7dc0314af5db90d9

SHA256
3a0276fed9c7517d309dfee38ca8309da12d8b151baa8eba079236931f28dc86

SHA512
c206216222e096da9f25a3204047f5222dae13aa93104f1a4b70c93435ebbc32267c7857533325bf93ef926321806bf83b01b3c8845b337b3134e644db16118a

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
128KB

MD5
b7f835549e0d6507ff6298569d2b142a

SHA1
d85146384524e8d8dd357540c7b02cb2d73311eb

SHA256
9b7b7a42c60215e5b16b606b8ff33d68b777ee5274870100c88851a40bb81fa3

SHA512
098ab6cb94ac200020ba28a7d608c9404794149e26feca9f307b1ede5b0c0b236a8967166b8da9e23b1dbd06789eae8cf41bb22cea92c2724c26be7f9d16368b

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
64KB

MD5
b2fecf28bdcd38479ba49a704a9a51d0

SHA1
01cc15ced2de01260514b84d2438b193bb2f142e

SHA256
afc42748c09d9ef48434d661485a948c6b1c125c2d209b950d764b35dee9efa6

SHA512
145a0ad885255cee935a1a1aad33c350c3d877aad301c23a9f88d764155e2497fce9266eff20f94fa8c40c9694e11ffe32c4779cd4cfbf57d6cd5092d8dc6f4c

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
128KB

MD5
f44a82fffdbed8cb64a4668c5c7d13f2

SHA1
70e25103c4cbbe29cbcc5d2b3d476d1c1370978e

SHA256
73c13cc15526f14fd3b7ac9a98658801bb71519b7ec25ad95a8fe242dacb3850

SHA512
4b463f036dd8d86f189422f79b1417cb88a718ab9a214a56ca1af6a153ddd730df86a7c2134e08c74992b7c41124b54d2b2a5935765732defd91cfa2b3d79923

Download Submit
C:\Windows\SysWOW64\Qmgelf32.exe

Filesize
128KB

MD5
66b47ee36adc7505afa0e14a1871e89f

SHA1
7b42f9c3127de3b1147520938308f15d614b008f

SHA256
163549c0d7e9ca6951dff14d858b6636ca7fb59cdaf9fd040a398c91a7b7afa5

SHA512
24f1f20545d23e0497667c83130547484bc319d5242b292dd2ce2470a6c4f04d1c64ad47a9d0352d4131bd02a3936723b4ca9ab69de416e086485d09912b7f89

Download Submit
memory/64-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/232-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/512-207-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/624-231-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/720-191-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/740-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/844-412-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/928-280-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/956-591-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/968-406-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1008-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1180-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-430-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1372-448-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1424-472-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1440-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1496-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1616-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1640-580-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1648-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1656-484-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1744-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1776-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-552-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1868-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1904-404-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1908-364-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1920-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1952-95-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2000-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2184-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2216-545-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2300-478-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2640-446-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2660-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2660-579-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2676-103-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2780-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2792-262-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2808-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2824-21-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2824-558-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2856-532-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3036-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3056-112-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3168-559-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3188-494-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3208-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3332-526-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3360-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3360-572-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3372-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3428-199-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3436-460-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3616-570-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3652-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3652-593-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3700-436-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3756-565-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3756-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3920-382-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3928-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3928-551-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3932-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3932-544-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3988-520-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4012-316-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4040-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4044-586-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4044-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4184-127-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4200-508-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4280-424-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4328-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4408-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4424-514-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4432-247-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4436-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4556-468-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4564-183-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4608-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4616-594-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4632-167-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4688-502-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4752-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4792-496-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4808-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4848-255-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4860-322-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4920-454-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4940-573-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4972-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5000-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5056-542-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5076-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads