berbew | fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696e

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe
Size

72KB
MD5

fc6f93cf35b8223e247fa125bf14b300
SHA1

bb7ac7c45e08268ea392fe21879ea6f0236ff0d4
SHA256

fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696e
SHA512

b3328b19f662565d00410c793f063c31a99e82a2cbb9c04ba3b601e6af626c3b96435c21a8a2479c6497ff3a33527261d865749f857bf2e4c4dea135ec221447
SSDEEP

1536:cv+CTwjqYIMtzZx0A9jiQ1NqNxLe0/n80aWBhgW2wB2L3U6+lWCWQ+:lltkYik0E0aWBJ2wak6+bWQ+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcioiood.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2292	Jianff32.exe
4572	Jcgbco32.exe
3488	Jfeopj32.exe
996	Jmpgldhg.exe
1628	Jcioiood.exe
980	Jblpek32.exe
1604	Jifhaenk.exe
2988	Jpppnp32.exe
2380	Kfjhkjle.exe
4452	Kiidgeki.exe
3932	Klgqcqkl.exe
1644	Kdnidn32.exe
1264	Kikame32.exe
3820	Kfoafi32.exe
4904	Kmijbcpl.exe
1768	Kdcbom32.exe
4768	Kedoge32.exe
2024	Kpjcdn32.exe
1772	Kbhoqj32.exe
3672	Kibgmdcn.exe
4612	Kplpjn32.exe
4504	Lffhfh32.exe
2484	Liddbc32.exe
4524	Lpnlpnih.exe
4696	Lfhdlh32.exe
1432	Ligqhc32.exe
864	Lpqiemge.exe
1540	Lboeaifi.exe
1496	Lmdina32.exe
832	Lpcfkm32.exe
3432	Lbabgh32.exe
2268	Likjcbkc.exe
4764	Lpebpm32.exe
4584	Lbdolh32.exe
5048	Lebkhc32.exe
4428	Lllcen32.exe
4060	Mdckfk32.exe
1480	Mgagbf32.exe
2116	Mipcob32.exe
2796	Mpjlklok.exe
4468	Mchhggno.exe
3824	Megdccmb.exe
4092	Mlampmdo.exe
4856	Mdhdajea.exe
3668	Meiaib32.exe
4636	Mmpijp32.exe
3576	Mlcifmbl.exe
2460	Mdjagjco.exe
3752	Melnob32.exe
436	Mlefklpj.exe
3388	Mdmnlj32.exe
4364	Mgkjhe32.exe
2244	Miifeq32.exe
1796	Npcoakfp.exe
2784	Ndokbi32.exe
1464	Ngmgne32.exe
4300	Nilcjp32.exe
2260	Nljofl32.exe
3064	Npfkgjdn.exe
4872	Ncdgcf32.exe
3636	Njnpppkn.exe
2068	Ncfdie32.exe
116	Neeqea32.exe
1600	Nloiakho.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Empblm32.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Jifhaenk.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jpppnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kibgmdcn.exe	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Kikame32.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Jfeopj32.exe	Jcgbco32.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ndqgbjkm.dll	Jblpek32.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kfjhkjle.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6704	6548	WerFault.exe	260

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkmacoj.dll"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2292	1648	fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe	82
PID 1648 wrote to memory of 2292	1648	fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe	82
PID 1648 wrote to memory of 2292	1648	fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe	82
PID 2292 wrote to memory of 4572	2292	Jianff32.exe	83
PID 2292 wrote to memory of 4572	2292	Jianff32.exe	83
PID 2292 wrote to memory of 4572	2292	Jianff32.exe	83
PID 4572 wrote to memory of 3488	4572	Jcgbco32.exe	84
PID 4572 wrote to memory of 3488	4572	Jcgbco32.exe	84
PID 4572 wrote to memory of 3488	4572	Jcgbco32.exe	84
PID 3488 wrote to memory of 996	3488	Jfeopj32.exe	85
PID 3488 wrote to memory of 996	3488	Jfeopj32.exe	85
PID 3488 wrote to memory of 996	3488	Jfeopj32.exe	85
PID 996 wrote to memory of 1628	996	Jmpgldhg.exe	86
PID 996 wrote to memory of 1628	996	Jmpgldhg.exe	86
PID 996 wrote to memory of 1628	996	Jmpgldhg.exe	86
PID 1628 wrote to memory of 980	1628	Jcioiood.exe	87
PID 1628 wrote to memory of 980	1628	Jcioiood.exe	87
PID 1628 wrote to memory of 980	1628	Jcioiood.exe	87
PID 980 wrote to memory of 1604	980	Jblpek32.exe	88
PID 980 wrote to memory of 1604	980	Jblpek32.exe	88
PID 980 wrote to memory of 1604	980	Jblpek32.exe	88
PID 1604 wrote to memory of 2988	1604	Jifhaenk.exe	89
PID 1604 wrote to memory of 2988	1604	Jifhaenk.exe	89
PID 1604 wrote to memory of 2988	1604	Jifhaenk.exe	89
PID 2988 wrote to memory of 2380	2988	Jpppnp32.exe	90
PID 2988 wrote to memory of 2380	2988	Jpppnp32.exe	90
PID 2988 wrote to memory of 2380	2988	Jpppnp32.exe	90
PID 2380 wrote to memory of 4452	2380	Kfjhkjle.exe	91
PID 2380 wrote to memory of 4452	2380	Kfjhkjle.exe	91
PID 2380 wrote to memory of 4452	2380	Kfjhkjle.exe	91
PID 4452 wrote to memory of 3932	4452	Kiidgeki.exe	92
PID 4452 wrote to memory of 3932	4452	Kiidgeki.exe	92
PID 4452 wrote to memory of 3932	4452	Kiidgeki.exe	92
PID 3932 wrote to memory of 1644	3932	Klgqcqkl.exe	93
PID 3932 wrote to memory of 1644	3932	Klgqcqkl.exe	93
PID 3932 wrote to memory of 1644	3932	Klgqcqkl.exe	93
PID 1644 wrote to memory of 1264	1644	Kdnidn32.exe	94
PID 1644 wrote to memory of 1264	1644	Kdnidn32.exe	94
PID 1644 wrote to memory of 1264	1644	Kdnidn32.exe	94
PID 1264 wrote to memory of 3820	1264	Kikame32.exe	95
PID 1264 wrote to memory of 3820	1264	Kikame32.exe	95
PID 1264 wrote to memory of 3820	1264	Kikame32.exe	95
PID 3820 wrote to memory of 4904	3820	Kfoafi32.exe	96
PID 3820 wrote to memory of 4904	3820	Kfoafi32.exe	96
PID 3820 wrote to memory of 4904	3820	Kfoafi32.exe	96
PID 4904 wrote to memory of 1768	4904	Kmijbcpl.exe	97
PID 4904 wrote to memory of 1768	4904	Kmijbcpl.exe	97
PID 4904 wrote to memory of 1768	4904	Kmijbcpl.exe	97
PID 1768 wrote to memory of 4768	1768	Kdcbom32.exe	98
PID 1768 wrote to memory of 4768	1768	Kdcbom32.exe	98
PID 1768 wrote to memory of 4768	1768	Kdcbom32.exe	98
PID 4768 wrote to memory of 2024	4768	Kedoge32.exe	99
PID 4768 wrote to memory of 2024	4768	Kedoge32.exe	99
PID 4768 wrote to memory of 2024	4768	Kedoge32.exe	99
PID 2024 wrote to memory of 1772	2024	Kpjcdn32.exe	100
PID 2024 wrote to memory of 1772	2024	Kpjcdn32.exe	100
PID 2024 wrote to memory of 1772	2024	Kpjcdn32.exe	100
PID 1772 wrote to memory of 3672	1772	Kbhoqj32.exe	101
PID 1772 wrote to memory of 3672	1772	Kbhoqj32.exe	101
PID 1772 wrote to memory of 3672	1772	Kbhoqj32.exe	101
PID 3672 wrote to memory of 4612	3672	Kibgmdcn.exe	102
PID 3672 wrote to memory of 4612	3672	Kibgmdcn.exe	102
PID 3672 wrote to memory of 4612	3672	Kibgmdcn.exe	102
PID 4612 wrote to memory of 4504	4612	Kplpjn32.exe	103

C:\Users\Admin\AppData\Local\Temp\fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe
"C:\Users\Admin\AppData\Local\Temp\fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\Jianff32.exe
  C:\Windows\system32\Jianff32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\Jcgbco32.exe
    C:\Windows\system32\Jcgbco32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\SysWOW64\Jfeopj32.exe
      C:\Windows\system32\Jfeopj32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:996
      - C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        26⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        30⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        48⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        49⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        50⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        59⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4100
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        71⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4048
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        78⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        80⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3204
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2768
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        87⤵
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        90⤵
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        91⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4336
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2888
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        101⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1960
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        103⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        107⤵
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        110⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        116⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        117⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        120⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        123⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        126⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        127⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        128⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        129⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        131⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        132⤵
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        134⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        135⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        138⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        141⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        146⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        149⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        151⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        152⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        153⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        156⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        159⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        162⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        163⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        164⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        167⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        170⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        171⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        173⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6444
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6484
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6548 -s 396
        178⤵
        Program crash
        
        PID:6704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6548 -ip 6548
1⤵
PID:6660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
72KB

MD5
33dbfd2520e52bc794c69a5fce7d4244

SHA1
caef8c3d1bc44fa875554d8591b6a981c20e02dd

SHA256
0ea12e0e4f3eee9ecc5decc239b7b3a2ddd27a8f6ba22041179c5c4f4bca5f22

SHA512
6c94ea2f60489f8f781fed982dfed89d0a745f4c595da05eaa6a7670c15481726808ede94139a0c48a5daf955f1991731bf284dfe27c668b8451ffc1a24ca53e

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
72KB

MD5
9bf8c2c51c4ff0ae092746993bf4d226

SHA1
9a1cb44b8a99d717abd051cca93710ba9f2e80c5

SHA256
dba790c054b4a5fce0019f2dc3da2b11ece6013e89ae3b08f934ca32619765d8

SHA512
7b2ea698b8dbf872ea8ad8e3b969b7932c8f53679252cc235a8bf613a1c7f1018ae317874d79a2d72a41fb3d0f54a3531c0013cec743277c476a540a9ef56741

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
72KB

MD5
c71286eae7be448a14bac76be634d828

SHA1
8ea7cca44153d0673174d72773d8db33c216c4fa

SHA256
268ea03fced170f3b450c7cc2b8dacba56539a6179ad4475541f62df3682ecdc

SHA512
105345ccf59d34fdc084f9e6e5b36004fa9b806f6ee87d887f8758e9e24e85009211a5a44458bed91d8ad8ab7250904071145686f8930305f69130ba5ed84fac

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
72KB

MD5
6906317cc2da7142bc5f736c5ccfd7c1

SHA1
7e06d47061093199293df6c8154e75720b7430e1

SHA256
e70a76c93c8674c6531b99684be8befeb7ab0b1a58af8b85a067034610b40738

SHA512
33634bb333acb97da745a91133762ddf9f530ea9e4e0e786c449a1ba56445b090e4acf425bf6cfa1aaf51d35b8613f16f984e04557ecc0d4f94ad8a9ac450da3

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
72KB

MD5
fc1315639b8f746e95c343b6465a0210

SHA1
1bc59801115d474de4e20245d2cb45788d1917ae

SHA256
ad0e3119704a8a3b22ddc7fd9442b0295e0c815db769e4f63c47d357e35efe89

SHA512
effba1e1dd2ad73e060393b1518406d08fb90885c0aa718cff9625bf95efe1a298a1535c483351b82d25e845c0aa671f03489a9203d2818e9d4986271a4da78b

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
72KB

MD5
0f0edcc9bdc0675d3e46511bc8b11697

SHA1
d29a2a439a9e48e00a0ae986721a5d3489d2fe04

SHA256
82e29190fc4a3f4995b517f11caa8e8577cb298bf74e0ff05ff36972334e278d

SHA512
afee15e187f67fa63eee834b35d685e37b201ccf9d184436aebfdbc9f1bb22ae537aabd5ac11cddf068ec5b0eb3381909ac9fd1410d9476c67be62b74f5c5727

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
72KB

MD5
7b457221bc3fa78715ce2d6707658ebf

SHA1
ff2404bececd38df87fff2d81d9adace2c1f0ab3

SHA256
54c0521417662ca9758bc6c0ac336ea79cec0447ea771bea6f5fc582bb36231c

SHA512
c7911c44b2ab936f965fdb0e280c8518e9c2ad309f98f74e2dc87a52716649dd45c17ae63830afe75b90e6db1564604e3dfefbd9f99963834022439a7e4f5ef4

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
72KB

MD5
d849a1107b2b926c1dc408153f3744ea

SHA1
3adf9b25fd21cf9596965941c7b221427635abfe

SHA256
4f0300453f7072da5ed619b987fc24636df0b9f8527a524286c1b46b619e764c

SHA512
6a2ad5b00733eec2e220a09fdeee34730565c7422b4514ad4acae5aa5b73e2eeb01c207bacf3f5af890b91747246810904e21f01d12460fec1a90fa7d8f5da25

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
72KB

MD5
f8dd6821864098ac1407d7ceb2f81a52

SHA1
3f6453d5ba60f2a299e388d6c2fc21b6bcb8e39d

SHA256
8b3f6dc85f77ab7144767106d82fc9e5bbd1d5f7aa6c44d88a0154d560efe9f3

SHA512
aa7fd9490d5fe20bca37758b5a13ffdc509e86ce623f1b72b8c5ac565c0acbbd7dda7f0dba80e4fdd85db1b36c0ccb6a6c8a32064740903db9974027cd0e9e53

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
72KB

MD5
9bb7aeb6ce62c5eb638c2ea31b3bb12d

SHA1
86b4625d4a0c14578aadecc3d8d9df87e6620133

SHA256
633d747e538a2bb7fc41359624e9f6cdde808cf89dfd1b23a288e3d829274f27

SHA512
1320eca387ec53a1a4bab2b135915386cb645fde89d0084388252ea6bb600979ea2d75f2c97e852e4fef2d923a635a84bc87ac02acbbc7d64e8979edae1ac70e

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
72KB

MD5
8becbdceda443c1cc6095099ab11ff83

SHA1
081dd9028a99a84cefbc89ebfaac8a11d90007f4

SHA256
1a05a3303881ff5d492f3e20e471e734386f89db17c5eca4524e8029c5317f5c

SHA512
1f4c5c3f74d33ede0676bb90e473e4c5691b494c216b25e8cc70204b2a8be80caaa83ae57c1fd012475187da4d5a666fa92d3ef2e66cd2d3e92b31d82cd76df8

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
72KB

MD5
cd3fe32f3942226389b178da2bc6879d

SHA1
9bd705ebdcb39d61be0e74847be03128f8d5fb0f

SHA256
7f3e9890211f5e718c87ec66017cc54c5ce66c3f10bc41c4eb59bf70c2a600a9

SHA512
8a83a4cf0a074661f873b278baa7b62aa76f3761b9931b4e2c0fcb671ddb57355c1759e5fa089d014d890b7a7ff2a379acf268def4a20ca1744b032a56c3e6f5

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
72KB

MD5
72291fb5e67b059a9a6acf7211940b35

SHA1
57305aa146fe0c1284f0ab9f3f1442963cac9288

SHA256
268093233de6025a5a9a4f264b708976c2afdcfc18396bb5a78f4c5d7d8bc64a

SHA512
e5786581b8ec544ed963465f98694a7640c7dc4f882d40bd1b831831dfef5b4ab0acfb93a142caeaaa0416ebe1bb3fb17580b20a10489c69633e0e9e0c46a493

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
72KB

MD5
4463aadc5f6a8602ca923064cc6821c7

SHA1
2adfa38c392647aa99bb5417b1e11e65973179b9

SHA256
2c8a1b1b05b20fdc4ffe18fb27a7f73413edad4dc2ac1e6f9535446bbe83cdbf

SHA512
7fbcb1e8fbd04b51b809b7190d1e647f01db61432196982a68bce02ae99f2e274349a32c7911a1da8feca01f1f6193cb5dbe2d4381239b57d937a586c0d5e0f8

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
72KB

MD5
5be99327a3f03b774eea1d703fe23312

SHA1
2f3c5eb2fc4ca40f369e2773df1a713fc3286b0b

SHA256
21c74b9e2ad1c2ba94f279390f80c898a0a995ca7be1cf3791b41740b784ac25

SHA512
6835e6ab3970eed71bb65490bbba06f972632086bd3b0bdd267ad051d8c580c1f536aed7c435e3c66a0de162e816bf58e2038bf7d23e275c2e2a179115c191cd

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
72KB

MD5
c7f0d344e26d94dc1a664ca3c0d502cf

SHA1
676ae1b4c6efb57b95ea997b3785f0a2c19b062c

SHA256
025beb012c322d4f4abb64367371408cc4adaf58e6b8351f7b1bdcce9bae844d

SHA512
7d0cea715bb9dc49dfc45713f1c67183a8246bbe2cfeef5d0459b275618d788978eef6a68b8f06c3b9d643e54ce28b62f1ccadd2891f28b5a92609d5d4f087b1

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
72KB

MD5
bcb088276a8cad14ff63507cda2fdbbf

SHA1
9487c1598253fb5077f5e64b24fa998846ebe2ad

SHA256
079f3872203f87ca1f457b1616c6e53f2976c94569e5857ca2ccd68ef5334556

SHA512
58d39848d886f2c1c060848341b2bc28a4d906df83c54759d6c549fcf35f746bbd51178951ae32500ada36bf4fe39c0649dfb77766e2bad2b941d16fedaa8c9a

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
72KB

MD5
e30aa9f210c343a407eb86c8191cbda9

SHA1
8fe81ee11f37537e6b3fa4b773677c67ba7fce03

SHA256
939f19d0412cd7a18759cc47ec7540cb85627b0cb69e87074996605fa48ad4ea

SHA512
15a4dceff0a0ef79b1c0db173d6d5cd04f9b137ecd7fca5b62e001bcc4d08d18ca1a94f471486ff4204c7e95688befd3b4b82c6f8d2e05dbd5f669f20f4eac78

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
72KB

MD5
84ad322bf8b1071588dcc2d437dcf146

SHA1
d100e237c3b6c02b1553408fec6474d822a98a16

SHA256
aca6e90e63a7a8a8ef70a5340d7f354ddb79f2dd3802981668ca7eb70cd74d00

SHA512
11f57592653070ab190b955f5b20994f0a611fd5ee740711dd4aa34b21b429e8f44d3130b36e9cea301d26f01fcaf590ec183eb67a6a3d4a05ab921d3bd8f5ea

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
72KB

MD5
234c6b9484addb8273d055dbddedc0b2

SHA1
2f30d88dd1dc7c4208a3b37fa1c15258e381b532

SHA256
a5e19ed08be0c7d04754606f8ff67d0ab5f57ec9f575be47cacd3acef5b24dd4

SHA512
248a1322f58d95d90728607a4684745208ebd0a1260f8342207440d696253d8554e3ffddf6c75dd40abe94582935cb3913aad02e97e89625701912a47fa8c665

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
72KB

MD5
41c96206c8dd7844eb59b1dd820826ef

SHA1
11834419f571bbe49e763b5b1a9b9d17fd99ea81

SHA256
f82f9c4cb543b560c81c5cb1700cf337eb6d3f3eaf8697f342859620e121b67e

SHA512
e86043236542b62424a9dc6583cf30ae821bba6fd7eaf54f272d5de0674e1e1717b1262b56f123cb09749309ae8a9f5995dd43ee394b21fdd6c2998b85f32d1f

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
72KB

MD5
0ee942ee00a8e2af1354ee19f2510ba4

SHA1
56df359f26d1faa08c42dcb7cf75a5fc8153dd7d

SHA256
d3debdad93121a615fd20f3bfae440831420be4bec0741ffbb9b1f4019bb803d

SHA512
06b591c6e6ebb7a4c3087abf451ee81b278d7f5f6140452306d687b944ce465071451e08f9e9377d0211313952d311e24d54e513bd22aeb842dd4b64ee9733a5

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
72KB

MD5
b45a1364d5c9bbeda7279b1e8f36beb6

SHA1
304b267a3f5ad9480fa64021ff254976dace69ae

SHA256
78300466817d65dda20689d72e346050a92fe33d612d123a02f4150187bfcc99

SHA512
d7287b9851825b91464ca57d319f2c162e248253a172b5e67e8def06f35ba5efd29ee038876e5af4fa4cf84e19986750c5c226e7d022dee1efb09fbf51db3e09

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
72KB

MD5
39ccdce5ab24c2db4e5e069ee8093fb9

SHA1
839dbfdcf372497e9bb774e67fb11befaf3038dc

SHA256
7a7d001cf473209837ab30bc79a6575be3625d85ac4c6b3b49252a426e7cba40

SHA512
1b040c064f7d0a0cd1bd75d76bf972cc5227fbd7acb449cb9a165c5a059b76c952f43bad840e4751ec01c163b6f54a42ac1fb41b3c72367129e64f56c127e5fb

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
72KB

MD5
6fbb32905e2f7e5ab2a68c083b23900b

SHA1
12394fcc9c84390ae48a60070136d05682983e07

SHA256
c8a427bc01fe3d5e94b2c5626582958ce5e18e29eabf2340129a0d71ed3dba05

SHA512
df4f702dcaaafd8f8b4af5b3191ca259dd27fc6beaed591fcc66c8aabe7b7ed352fafc753e4df779eb26a6ef284da9c93bd511a106fa2ae5c067df3b7fd05741

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
72KB

MD5
8a88a67bc3f1b7052654155c9ba60093

SHA1
fce48803a88eb62ad463027a2358aac71c62d9de

SHA256
19624ec505d1bb2dbd2f52bbf10a4cfd29a5415d7b3d85db6eb095120b96dbe7

SHA512
5570ece2ff205f289a3c8b4eadd39d9e79da561cec723ec072d5d646a16d8536fbe5da289c05a0103b975ddc4830e43b36356ba046fbb6b4950f015d3665f0ae

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
72KB

MD5
8a3d26400a12ea738550a4f28ee346b1

SHA1
cd49061041aab6b61da1a69c87420a887e438109

SHA256
24ee8246513720fce30300366c50832ce3312a1b4910d194157bf0e9a4507e7b

SHA512
807498d9dbc3ebcdc3d4f2df66085d03d4c5263a0ce99871d4e29f41515e6e98a5a444e4a9c84d8e4b459ab9ce36995edebb542a1d827452ca11c6457d439279

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
72KB

MD5
257496303947fa977145fecdf728c9b4

SHA1
386a468cca32e8cedca49a72b76ffa147986a045

SHA256
2eb5cdba932e14179d216e2297101265391b617ae1c7a2b17ee5c709f25ed929

SHA512
bda2e14b65df1957f3fc017702cba08fb1ba2c245514939e16f8315d4364741d5f405412d8da5413b08147a36095f5d64380abd74b9b5d9117f717a76c96797e

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
72KB

MD5
d10f7d91066f9db26262d61d697885cb

SHA1
c2da2822cd3180c91c2b1b3f9f238dc1f13802c8

SHA256
f8e41a460646d5fcbe6aac304bfb375548c2cc9b6fb01b63bb5b4ba2c7ca92bb

SHA512
c425c0d89995d7065124e5417797cd02e0361ce84ce0cc507f32c25890ad23252695d152a5f6e6c58e03531ce5abf1d3829d2a963a205b8e602b101ce287810b

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
72KB

MD5
ba486f7c35a365d561656f9115a023ca

SHA1
722811114a95a0a791ec239cae620115c1019490

SHA256
8646927183a012303738c9db86e94527128d021d8048113614a8e899d059475e

SHA512
13c5fae50c90e7fe52a75308f3bb023e21670fe498404b93267107e02ca11fe2e50a1adad5fd87cb3d84de6f5266c4c0e02990dc717ad6214b3e171fa0084b8d

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
72KB

MD5
876c61065ecdc27e454ed4fd0433439a

SHA1
0579ad592c665444205d2720ad6e7c953d6f3112

SHA256
9a0f0eba0e29f7f5c5fa7e851712b066205c28bf4bf2d605c720147a88916bfe

SHA512
ea37fe881280639cf0ed9ef7d0de5fe2eadd9fe366529024c05cca43c02cd8413f4325708c5ab53f7a9bfe0db04bae96c1957c9de22eb84574ebbc1f9cebd036

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
72KB

MD5
8376ed29316da181c00271352c20c0db

SHA1
c406f97ebc260d8e4703f67518868b074c67293e

SHA256
fb1078e4d03129db633eebac753217561636ce7703ff9eabfa0362d706b78844

SHA512
78e61f7656d2fd8832d2d5b866b7b3461a0310da3c9dd69fb5a59a536a0347810d94eb4c608b0bbe1aae10479351e73259d1ef5aa83be7796ce0ea93577b8db8

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
72KB

MD5
92ff9c67eeae7a7af909a65cd22d8df5

SHA1
178faca106e19357d9f9096b3e0829e64b09ad7a

SHA256
0e33fe6c4990a05e8743b5d0a3043766d09b932ca22628376af19173cb5f7a2a

SHA512
43180b216897d4346728ef8b6d908ebef22d0cedc016761c7a0414f98a7ba995e07cac416503fbeaa4dc73a4735048864d3a9c32ffc7ffdbe9b7e4c85afbf79e

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
72KB

MD5
a221bc5e46c381be8ba15bab9fe9297f

SHA1
0738f6d728dc0d04f780eebfcac765d1f0221296

SHA256
499703a87a2cdbbf4ca3a6a1397780d9dab8eddde8d4dc897856a00d18d8aaa6

SHA512
05f7b874e7eee9c39e7c617db79d39d98d1f6ee9c8fcbfa7fc93449bcec072459e756ca25745d7fc2273f717d467a07e91ab5e67e90af79bace17b3cf95b4b8d

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
72KB

MD5
5fac05174165e77ae377c3c697994093

SHA1
19f27bf78752c10f86eb66b80200cda28b99cf17

SHA256
0eb7bf551f2c75baebf2d116e9bbf15d3275b24f70d19404b6afc50e5389d47c

SHA512
11c50796a4c4bdcf06eb2830f5bc3efcb8ebedb27d7ab65553a863db0e23317d2496884f645e01181cf923e4db80436c90210107c7962142ea37c12af1631d56

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
72KB

MD5
a588e82da814b32be9fba3b78f0c6590

SHA1
3e083c9abe9bbd990294d7b5c0457a6ddb1296a3

SHA256
10eb50b2f7dc7402ed15938c787bd77cfb7ea71baf8eb16e44b3c9e6a713e5c5

SHA512
a71785ab090cb300a78add6f6dd05df2e255d23c7436fc972bf3f55cd0c16dce1414cdadb81e9fbe7965ade49e8a7b44d45178eadde33833f5459096c58c46c3

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
72KB

MD5
1f578ae96b82e90f46417b1c938f3973

SHA1
de069bcbd70c82408e2cd4151bb5295455b8ba86

SHA256
7337f8283402d724ef7b051710a56b829b1e7ab9e12194d1c1f656a08ec14ff5

SHA512
d22d6b6ee08bd75467639bbd50b3d2798e0a548694ecc40580d4325ed1616a446c3961292e2e41a9cd4fce2915ff58094d34d3ed70b086dfa9434ec21752cf97

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
72KB

MD5
311c15e476fac7e3930c672637ca3193

SHA1
d36849a074cf37a70af59132aeb4663ee82b08d2

SHA256
0c67baeeb6332fb779c95d076359f8edda2e53791ade68d878a92f6ab42b5605

SHA512
dbc922c719935e4574557936a677de1277f2b595b9cb480cea229cea6c743416bc1743cf958f05189aa7afebc8c5fd20df43d238c1872dc02d16717f6eca6590

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
72KB

MD5
14d191293fa8470f6377af95666d4be2

SHA1
61ef0027dd117bc5e1d6e418cf74ff7501cd6855

SHA256
da2d4ecc729d77469ca575cca99b47ac0ac60d871cb2a4648b47487b7d14ea04

SHA512
9539a39642ecf7895a631d35efdd3e900a075c74142b73603b6b30835f0eeee4e2052d5681492dec78e9d84c0937e5eb322a16df5eee39513d48231f122b5701

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
72KB

MD5
4237020012e7a47597140c96d031a63e

SHA1
9d6de77f76e9298e814ee90a46d675c523b21d84

SHA256
6f9b7058ba633944e2cd5129330a59c32dccbb2c85ba05da2ceb2085c26383dd

SHA512
92ca7228d62e44c029acc347de820640768897a1e323a8409c4332da0a7274f1a4efa8bdfbebb805f2600da268162b233bcbeb1be5464c82d0e95aafa67316e8

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
72KB

MD5
16bb779a8fd0c57cc92efd61ac0762a4

SHA1
5593a5659d071c59cdcf432eae2b379ad02c86c8

SHA256
af4e509ee0fe953d222a1d1257542f9418dc41db18f80405aeb576917b22ed19

SHA512
826912477c4f7d77d2960faa24e104ef2870431ffa9970142074d7f6040fdadc989ef857da3b4c83dfa10e6dfca869f62c7c4433fed6d78d429ded42e3ade1a8

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
72KB

MD5
9e0fffee20b13316de6a04c0fd135b39

SHA1
80d6fbb3ed14dcaaf1dffbf9e4846ea6176e6a44

SHA256
abe3e51fb2d4ed7f1eb5a1afe29355c34a9fd2ca34f9c87d4da7a09012acb17c

SHA512
bb39ea64141e55d59245e35ea6d00a85b9e9909f1dca86bc9e12cf509384f66a4f4c6e601282cf2b84cac0e04e3fbcc9a839a5ea2145d665a1bd0da3390cc09a

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
72KB

MD5
c57df3792a372ebb50ebb229c30bb2ba

SHA1
4768cf49dbf22412ce5401b2676a594b1ef256da

SHA256
3c8210cc4aa5e94dee97ac6b206c9df38585a29b0bb46f8d3d65f61ae3c45933

SHA512
06120906db8bd42db972356bb9e35f622bda965a595516f7a1892391e7dafd8ede85621d943998f3d35bd5541ce120ddc9d5301a603db022c9988301fbd7afa1

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
72KB

MD5
247cf86169e82fb2c8eb4242ae4f4310

SHA1
64760594479605fa5e801d509e1130107e966d7b

SHA256
66d6ecfa7286835c534e7a00c8f0f0416c5f70e0957d8d85f751bdb6cfe3ce0c

SHA512
3b1660d5ef6ccf396aa9b203611211bfc38cc5c905306fa40a052733f20e975814f4eeae5e4652cfda6285dffa9b71ecbc6c778d4466b8c39c4bc949f0480c2f

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
72KB

MD5
563a23415fd310ac44346f7e8ac40b21

SHA1
c9b02f6e7e4493e3ae30df24333e045cae0b3609

SHA256
3fe3b0816d1ebdebeeea62066c42db796eed2178d37fba7cff8ac844c9f0e41f

SHA512
a9d0f14aa02e3b5630b397f3572c397f78fb71f2b4dfa8922ed89ae2f30951da392a25a5d1a60d8624962f82e02b093251aa7d332e56394de6ed6de8b449db55

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
72KB

MD5
57e4cba4d734a7e1afae6c9e3c5ec44c

SHA1
5da1af2762bdb7cb623492518d6ea969e35c3e59

SHA256
5ef88232c48b40e02bc0a39c2d34d9b8a847a5cee8c3da055fb7d6c15023356a

SHA512
6371d6ad6ea29bd0e4407ccc0ab9be6fdc3183a411de4d5e736e13c105058a8a81499033bd943eb6c4f08ecbcc0e5293f594230a70369dcd736caeaa393c5cb3

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
72KB

MD5
13a2aacadb3bae7d5118492299667c32

SHA1
5f33129cde0d1b8f2d3b3fd349a8ef9f368b4274

SHA256
97846c86b85e65d232558614eca566d1c49ca98be961f8adf9ade8d1a5c7501d

SHA512
d27bb7fcdbb502a1d5de6f11a658dc158adcb571d1ef3221e0876a3a0816570664ad982f97c18498067bd04a0eec78b848884e73d494b510c6757709110eb472

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
72KB

MD5
d6000c4915ebe1369f53700a427fd0b6

SHA1
09508c86e9a2b170d453b2182e43722dd3dbc6a9

SHA256
a14833b056cf7eda2c622272220b7b4cc639a9629914001f0cde57d936b5cf3d

SHA512
b153ddd141e8471fae2d31de65c3b999f24d40bfa30159ac1d6a447fb7b1ee5be272cf8c9f712087c44eb607814f0698e0d4019511a402b99e3c09e492cb4524

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
72KB

MD5
fcf523aebe7848f17f27bd3c698c8400

SHA1
798814a727b716a17ba77a226ca03ec8286358c5

SHA256
42f9ba517d7ca5b561ac1daf366a9ed94ccf04d0018dd0a28debc3b3623c0b59

SHA512
efe532b1ba87fc39a6bd9f8aa4b4596207f94c62e2b3fc1309d6f2bc309e1ec14fc1fd828fefb23e6ee0364c3689c7cf61b84ea273e643ac898a55504075b09e

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
72KB

MD5
a9d39a44f3da5353477326af740d5b42

SHA1
87eb518b4ce42c73cb8c6a8f7943c7b34b971ac2

SHA256
b031a44aefffd97643524f11bb8052069e35958dce3ec77775745c3298a5eb7b

SHA512
cc72749ae81ed514c6ba6747b401ff48b44d6ee9a926ee4835cb95a6bf7179cfebc4b44614b99ebc96a0329eea4c8e0510c5371464acc531686448992b300b66

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
64KB

MD5
20e42cd76b2acdbb04cf4e9b78aa1bb3

SHA1
d54a32fd7c0e23941dc87f039c98e8aa5d1b9ef3

SHA256
6404be8a7f89e45cd3718685cebde66475c8d69451e58accfb463f110e874044

SHA512
99afe975d992bc24cbf4d2453d5e8d80e901ea2b21a4a76aa08de639f21d3d2cb64e33fd39b18d22ddfa89db04848a225c997a872fcd984a75451202461e6ee5

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
72KB

MD5
9d4e464c4d1cf305b69d381f617f7f9c

SHA1
a7b190f04d197ebe936ff6f88fc14d7dc8588a61

SHA256
834188b2e7a8259e820f3e5b811b6fe3a87e9d587bb4271d3fa798c369ab0f01

SHA512
4fe1ad90d8d36de5e23b18ed0c2aea38ae1517bbfaf64f106ddfa2f486ad49642bc8cd23d36f8e878220910c358264a682894cdffeda0253ffaa2abb53f7c885

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
72KB

MD5
4abc8aeb8f310da1b0191d9055441109

SHA1
5d2aeb72fb8646119088e4bd4b24cc6a1ea617c3

SHA256
c86e4181226039f3c7c75626f16b0d2b208d5eda5f576b54eae6c5291d5f2636

SHA512
b8064b26bd746e38e5fa514e8c80da83dee164dd30865a5c30979d94c8e0b0e7ac1f570c27e4fc088f6032fc63bde0e77e98b145121cc1bce552fe31103e2564

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
72KB

MD5
3b817376d9542b6663efe9adbf60ee81

SHA1
23ec4e6f54b24685eeb102a93cba1b51723742c5

SHA256
8b864be9b2f4da9fc76a3e18b0b1bd2635fcd71dcad292fe5abbbf7f1f6ecd38

SHA512
9d3a36fdf9650d84fbe113870a8d677e7b2fc357e608f1c54d204972c02fb59a51a46d9cd70c6bdfda2247cd417c98569fd8b5cc57569fca99d553cf18311d46

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
72KB

MD5
42fda8a53b8b5da3995ee580ea3d8e01

SHA1
b4c9dd5ad7f38be307dae0d7a717cedbe664088d

SHA256
37aba882fbebecb479a2c428e056e30e89e1589e101dc69c1844ad0c8deb4532

SHA512
6e2a4079bfab57c055e7b7bb7a77a26fce2b01f28895a1e10dabcd6e320fbb55c2d001a78033b8e896e49811b719f148173d42a325fac979b748e157e9808e55

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
72KB

MD5
6e520cf6d651ed5ac56c843f3caaab2f

SHA1
77dc8dbe430613532ce2409dbc9713885a046868

SHA256
c1d63f75870e6c04be2a4266bc0b81775e6303476521bd572311035b2fa8bc9c

SHA512
cd0a6f9b8557778893bb7549aad5b089aaaae5cb5f046e0688cf0ad2cecc695acb01f3cc9f1a0e6caa6891d028f203f34fb97662cc55dd4ebb66f7eb663c3a03

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
72KB

MD5
28585d3ff463b0fb0154239451c0e7f7

SHA1
08725141116db43a3aa51ea009e0803230ebb373

SHA256
bd81b7b013b18c3d2b3b425fba7d9692eefb3c1141d744020056daafa4eb713f

SHA512
fc320a9dc61a52ee54d10cafaec7486fde7532373396228781fa28e68c3de6d0c4dc108a210cd04c301ed97768f7ee6da9e776c85ca7b9118d922016415dbca8

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
72KB

MD5
3ce27de5b965695ad363d2bcbfb739b1

SHA1
06857fe67e5c11aa54e5edaf8c06807e2707e301

SHA256
6bc036327b1d588cae88bbd9f81a7a4ccc62e0dd34fed0e75264ede183fbd47c

SHA512
311f6faf2a7ddd42cf13d17f12149b04bf1c976a80de3c2296fe729dfeeb79af59def495629b97622c7190dcc407d074a40bf070f09e1de10ae743ad77df7fd8

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
72KB

MD5
2618fdb15b2a2ecb3a4c257eeca9467a

SHA1
bd76a9037abb9422094892786729e5c26d5320ed

SHA256
f8f0c3a1ec4eee3fa3147b40fcef1ad076dd74400006f5a173117be3271ac9a8

SHA512
fc6490b23689baf8d5733773160a5eef4dd36ed919d632646c4a8cc07aaee6644eda32c7164eca16315665b72c8fadfa2d2d5af65290f96c94b7ab951a337336

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
72KB

MD5
a92cb8af0958b9d14a1e4bda1d7adc2d

SHA1
7ff5b6d7661457ef6a975d2788f03e07012b9c6c

SHA256
da263841ad56fd98165ff4d8b8e820fe24919865ed99dfcec488dc8ab75d060f

SHA512
ce13ca5bf08a02a5cf1c64d78ce3509340c7f98a8e29f4168f9622980fdd24b1ab35ef491c332c6f7c39cd0ae8e921c4a1128d08dc6f166e87e11225ba8432b6

Download Submit
memory/116-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1648-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5740-1263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6100-1301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads