berbew | 1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe
Size

74KB
MD5

984f5f755debbcf67548ac8698d8b0e0
SHA1

2d570704e0af5553b3189de8b9ed75e5a3fb1bbf
SHA256

1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575
SHA512

e93640f856918199e81831f512104299de04d741548701d6d02115967d867b495332fded796b364bb9bdab83a260ed546a214bdfecc8b1775d87bb528a432fef
SSDEEP

768:WNTBq+8wewfJstJsmDSzk0ulB3guH0EedqeioRw5lWSCmvl6l2opnV6yDf/pdQqN:W+F/G8ryOBCHPUOFxd9tBJNgZL

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4856	Kdeoemeg.exe
1968	Kfckahdj.exe
1456	Kmncnb32.exe
2928	Kplpjn32.exe
4140	Lbjlfi32.exe
2684	Liddbc32.exe
1172	Llcpoo32.exe
4632	Lbmhlihl.exe
1540	Ligqhc32.exe
2832	Llemdo32.exe
1880	Lboeaifi.exe
620	Lenamdem.exe
3644	Lpcfkm32.exe
2024	Lgmngglp.exe
3724	Lmgfda32.exe
3648	Lgokmgjm.exe
1044	Lllcen32.exe
2268	Mgagbf32.exe
1412	Mmlpoqpg.exe
2808	Mpjlklok.exe
388	Mchhggno.exe
2116	Megdccmb.exe
2192	Mlampmdo.exe
1032	Mplhql32.exe
540	Mgfqmfde.exe
4452	Miemjaci.exe
2796	Mmpijp32.exe
1844	Mdjagjco.exe
4880	Melnob32.exe
3076	Migjoaaf.exe
1876	Mpablkhc.exe
1404	Mgkjhe32.exe
1452	Miifeq32.exe
3120	Npcoakfp.exe
4308	Ncbknfed.exe
3204	Nilcjp32.exe
5112	Npfkgjdn.exe
3580	Njnpppkn.exe
1892	Nlmllkja.exe
3772	Ndcdmikd.exe
3156	Ngbpidjh.exe
2860	Njqmepik.exe
3444	Nloiakho.exe
2556	Ndfqbhia.exe
3756	Nfgmjqop.exe
4644	Njciko32.exe
1316	Npmagine.exe
1216	Ndhmhh32.exe
1444	Nckndeni.exe
3200	Nfjjppmm.exe
2896	Olcbmj32.exe
1752	Odkjng32.exe
2956	Ogifjcdp.exe
1628	Ojgbfocc.exe
1504	Opakbi32.exe
1972	Ocpgod32.exe
4564	Ogkcpbam.exe
2320	Oneklm32.exe
3484	Opdghh32.exe
2636	Ognpebpj.exe
3720	Onhhamgg.exe
4492	Odapnf32.exe
2400	Ojoign32.exe
512	Onjegled.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7020	6928	WerFault.exe	249

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4856	4968	1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe	82
PID 4968 wrote to memory of 4856	4968	1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe	82
PID 4968 wrote to memory of 4856	4968	1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe	82
PID 4856 wrote to memory of 1968	4856	Kdeoemeg.exe	83
PID 4856 wrote to memory of 1968	4856	Kdeoemeg.exe	83
PID 4856 wrote to memory of 1968	4856	Kdeoemeg.exe	83
PID 1968 wrote to memory of 1456	1968	Kfckahdj.exe	84
PID 1968 wrote to memory of 1456	1968	Kfckahdj.exe	84
PID 1968 wrote to memory of 1456	1968	Kfckahdj.exe	84
PID 1456 wrote to memory of 2928	1456	Kmncnb32.exe	85
PID 1456 wrote to memory of 2928	1456	Kmncnb32.exe	85
PID 1456 wrote to memory of 2928	1456	Kmncnb32.exe	85
PID 2928 wrote to memory of 4140	2928	Kplpjn32.exe	86
PID 2928 wrote to memory of 4140	2928	Kplpjn32.exe	86
PID 2928 wrote to memory of 4140	2928	Kplpjn32.exe	86
PID 4140 wrote to memory of 2684	4140	Lbjlfi32.exe	87
PID 4140 wrote to memory of 2684	4140	Lbjlfi32.exe	87
PID 4140 wrote to memory of 2684	4140	Lbjlfi32.exe	87
PID 2684 wrote to memory of 1172	2684	Liddbc32.exe	88
PID 2684 wrote to memory of 1172	2684	Liddbc32.exe	88
PID 2684 wrote to memory of 1172	2684	Liddbc32.exe	88
PID 1172 wrote to memory of 4632	1172	Llcpoo32.exe	89
PID 1172 wrote to memory of 4632	1172	Llcpoo32.exe	89
PID 1172 wrote to memory of 4632	1172	Llcpoo32.exe	89
PID 4632 wrote to memory of 1540	4632	Lbmhlihl.exe	90
PID 4632 wrote to memory of 1540	4632	Lbmhlihl.exe	90
PID 4632 wrote to memory of 1540	4632	Lbmhlihl.exe	90
PID 1540 wrote to memory of 2832	1540	Ligqhc32.exe	91
PID 1540 wrote to memory of 2832	1540	Ligqhc32.exe	91
PID 1540 wrote to memory of 2832	1540	Ligqhc32.exe	91
PID 2832 wrote to memory of 1880	2832	Llemdo32.exe	92
PID 2832 wrote to memory of 1880	2832	Llemdo32.exe	92
PID 2832 wrote to memory of 1880	2832	Llemdo32.exe	92
PID 1880 wrote to memory of 620	1880	Lboeaifi.exe	93
PID 1880 wrote to memory of 620	1880	Lboeaifi.exe	93
PID 1880 wrote to memory of 620	1880	Lboeaifi.exe	93
PID 620 wrote to memory of 3644	620	Lenamdem.exe	94
PID 620 wrote to memory of 3644	620	Lenamdem.exe	94
PID 620 wrote to memory of 3644	620	Lenamdem.exe	94
PID 3644 wrote to memory of 2024	3644	Lpcfkm32.exe	95
PID 3644 wrote to memory of 2024	3644	Lpcfkm32.exe	95
PID 3644 wrote to memory of 2024	3644	Lpcfkm32.exe	95
PID 2024 wrote to memory of 3724	2024	Lgmngglp.exe	96
PID 2024 wrote to memory of 3724	2024	Lgmngglp.exe	96
PID 2024 wrote to memory of 3724	2024	Lgmngglp.exe	96
PID 3724 wrote to memory of 3648	3724	Lmgfda32.exe	97
PID 3724 wrote to memory of 3648	3724	Lmgfda32.exe	97
PID 3724 wrote to memory of 3648	3724	Lmgfda32.exe	97
PID 3648 wrote to memory of 1044	3648	Lgokmgjm.exe	98
PID 3648 wrote to memory of 1044	3648	Lgokmgjm.exe	98
PID 3648 wrote to memory of 1044	3648	Lgokmgjm.exe	98
PID 1044 wrote to memory of 2268	1044	Lllcen32.exe	99
PID 1044 wrote to memory of 2268	1044	Lllcen32.exe	99
PID 1044 wrote to memory of 2268	1044	Lllcen32.exe	99
PID 2268 wrote to memory of 1412	2268	Mgagbf32.exe	100
PID 2268 wrote to memory of 1412	2268	Mgagbf32.exe	100
PID 2268 wrote to memory of 1412	2268	Mgagbf32.exe	100
PID 1412 wrote to memory of 2808	1412	Mmlpoqpg.exe	101
PID 1412 wrote to memory of 2808	1412	Mmlpoqpg.exe	101
PID 1412 wrote to memory of 2808	1412	Mmlpoqpg.exe	101
PID 2808 wrote to memory of 388	2808	Mpjlklok.exe	102
PID 2808 wrote to memory of 388	2808	Mpjlklok.exe	102
PID 2808 wrote to memory of 388	2808	Mpjlklok.exe	102
PID 388 wrote to memory of 2116	388	Mchhggno.exe	103

C:\Users\Admin\AppData\Local\Temp\1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe
"C:\Users\Admin\AppData\Local\Temp\1457d354b0ccb8ef9f4d0180ebb33ce0f018b5016c6bffd840d811e10a88c575N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SysWOW64\Kdeoemeg.exe
  C:\Windows\system32\Kdeoemeg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\Kfckahdj.exe
    C:\Windows\system32\Kfckahdj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\Kmncnb32.exe
      C:\Windows\system32\Kmncnb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        31⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        35⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        40⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        48⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        50⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        59⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        66⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        71⤵
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        72⤵
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        78⤵
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        79⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        80⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        81⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        85⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        88⤵
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        89⤵
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        91⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        95⤵
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        96⤵
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        97⤵
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        100⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        101⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        104⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        111⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        114⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        117⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        123⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        124⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        126⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        128⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        130⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        131⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        132⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        143⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        146⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        147⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        149⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6256
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        151⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6436
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6572
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6704
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        161⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        164⤵
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        165⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 408
        166⤵
        Program crash
        
        PID:7020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6928 -ip 6928
1⤵
PID:6996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
74KB

MD5
72f17be28805d1b84f3f8b09470ff4ad

SHA1
71002eda5d7f4bc73ab9e19de96447b722ca8e19

SHA256
b4934f3b13cb15aa35bc474325d127639f2d671ab23aefcfd63cf293aef0ded3

SHA512
72aa094bfd59b9915c707754dd59626e842dd0b3aa0eb73f1de74d22160ad2d0ed3b4e7c3cf5c29d3c39828fc959dbc0b24e58119db9a4c29e868cc03125828d

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
74KB

MD5
cc5a7779022fa6d03c3bac7069f3cc93

SHA1
5a0e4b58fbd67d9daf2f74c8c6f0ea726f1d12fd

SHA256
a48633a3cee4d70089531827f023eec9f1e752c20984500d60582f44a1863cf8

SHA512
f758c8dff180e8b95271eb03856b99b1c946006a8298c5d1b9ebecc5a6cf33b0469c2394d466bcb1edb9c2b4f31920984830989b5c507c60c59105aa32559164

Download Submit
C:\Windows\SysWOW64\Bdkfmkdc.dll

Filesize
7KB

MD5
42ae156afc1708e1cd89d61d57329f33

SHA1
7e22d555325105f3d3fee8bd3531ee95b7a41247

SHA256
8eddc48ac086416999c381b098d6099c316442d021417bb764513b637009d115

SHA512
8f636bd35124da8aa8a8c4e789762b49022612371f959d7f4dee33e726b48ab3744eeea00d5097f721ad21c107e55827c07900b07e7b8971c3ab9f61655e9451

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
74KB

MD5
ea3e320ac992a1d8f452e34af217f2ee

SHA1
8ed7f89387ead414842ccb4eae08e57e343ec2e4

SHA256
0752cfea10acef4d4065c7f243e86a86b443c1a1436ec7b698bb581de35389bb

SHA512
310754d8bbf15b91de63ce919905c57db29349f7588bedb25a48bf805acd8325edcfef1a47d03d67eb88e32ec375b3a9bd6d6149446abcecb8f738c5fb84d29d

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
74KB

MD5
2033b8a7bd91670ebf630bccde698aab

SHA1
e0a81b1bf39ba61ede4ba6a3e629c440cb276243

SHA256
e8ca705c46ee1f3ec84973647fcdbeeb6ae64f804e0f54dd88f1d173a10de45f

SHA512
6c214db10b8a6da18610b0d3a9ce63aa03557b35ed5d423591ce3cf5f612e77bfd04298892499eaa92ff0176104eb3658cf1316b47296cbcf9260f28b622c864

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
74KB

MD5
18b7c4444259d7d3f3b10ccd92c6c4f3

SHA1
15d785a8bf5c39db317607ac11fb2dad122a2659

SHA256
c96a7fc06ac1d778af04bdfbbdc66015cfb6df4a9438b3e6165dc77817c674cf

SHA512
e95c40ebe4e67703fca4ca4714e416fdb4271b226c6efd6731fe9024c023c70eb3e87f1c9cac12d96acc2458c1e309141528a888958eb1961b19993b063b98d0

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
74KB

MD5
6c3731bb1dfc950470804f616ba2ce86

SHA1
4fc080f95b19a1ec60f08531be6b4aacdac14071

SHA256
556cd4487b0b1e00c950aa00dbdda7ad37eacf1f893ee4033cca597888732397

SHA512
2ff332e26fd935e1bb896ef0d8cda1498c1c129192950d8976e43fe11fbd2829075261b1995db6397cc51c48d8cb73f46ec8dacf541a4464d4371d505cb9bfba

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
74KB

MD5
ad7d03b1ac4730295a84de3e9b394b91

SHA1
b962b32fc4217e4ec96f5384aac63ab3c5c0d5c1

SHA256
8bf9c15d958a56f539ea78c1741f1f68738fe19a63f0f47ecf47012ad9757aff

SHA512
e1de96a49a3d9dcdceda5cbf45bc9fe205d7c38837245b0e44d79cd4695d02557774517d8491e1c1e1fadf35a58177b61c7661313bdaa1f55c0a28ad2fba3043

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
74KB

MD5
05b0c89942ba518eef1ea780732df2cd

SHA1
3b533aded466aa899c69cda74d5c3aca7c87e4ac

SHA256
0066c3b9de1ea0ee836a67a1566873ae1a87cf2cd22a6c3abd62be3592ef5d03

SHA512
cad694c9026ec9dc899453b464b14fa058c89744e9e6b8fe37a28cbdb2203b56c20b420a8c302530a240ce0fee1592f4384d5293c56e209da4620b08a2c3e79f

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
74KB

MD5
ede10f91aeefe1120566583735ecfeae

SHA1
abda80c50ccad61fa390010cf5a208b3b4ccb802

SHA256
0be2ba26065a7093ff817cb5e6b56fe7a5eee44183e835317f9a4e64ba725eec

SHA512
b649f38f5f44083d3b976ae00ed6158580e0efbecff8f303b3ac22dcff61073c6ef1cbb76cb82918532bfdd199edfaf354a9ab117eef0677a49016905aec31de

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
74KB

MD5
7238fcee1131fb81ca9ffafb38d0c4e0

SHA1
51fc44c76e260729c5c82bc2cbd515e8849b1bd5

SHA256
62a1a404299b3bca0d55ccdab6d67bffd43c4d781151b5ecc3523931593f40dc

SHA512
af1ad1f9a75cc868c7636402c3465b2b8ce3843c0ad46b6d3478666f19238b667e0ef29198b6f3cd5f0683dcd62bbff2cbd0b1c3ccd35fdfd0d999af6d25fc6e

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
74KB

MD5
e4133e054bc65f72a131ee99653dec86

SHA1
1fbe13c28bc5bcce357e64b1ea7f6fbb53df6b56

SHA256
7dffd05ac4350830dc35be1c8a4d10a38e392f7cf24e46a9b38043c06b105290

SHA512
c9b093e0b020a1e9841824563c3537a27e17a1877c8b3b74085ce7fbec69c51d54170081809171d8b1446fda51c5f19147f695e14066221ad6ee8fffc1ab0449

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
74KB

MD5
45c263423929a2a8e02ee69a726dca2f

SHA1
8a46d51b56b3b99b51a804581d12c1e0f08c632c

SHA256
04422181e4097f0a24345fbbc71c1f830a2317b660d068f61fd8dc461f3d556f

SHA512
0b28c478ed712e31f38565e7dce44ae6d2fc8561bd3fa734aacc19e7709caf8f4e5ff65554c91cb9bb4e118c14cecded69ee8c018acc92b9a250ae6ef5c77698

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
74KB

MD5
94250954cd56db9e808c1a3f7e72ba2a

SHA1
76462e5c7c679810e81a351c0096f4411d3d0e30

SHA256
fa30f2a1e3fe92d7d58ed5a02c4958620355a8056c409af15057f1307e7c89e4

SHA512
88874553f3821857aeb57b6dd91eba38c1fcdc62ab247d4192ae1b773c151449016dcf5e6274405b30022678e0f6b69420c91e02dd34d239786fb4955708aa57

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
74KB

MD5
86d2d776ea4f7691e36500d2a6ce37ab

SHA1
b2e90da6a0e487cf270f5c6387f0b1d249ec95f4

SHA256
60cfafe3aca10fc5a6bb861b779f6b2da989a40143de7afa8372b7cf76910761

SHA512
3c090f37fb9f443e0e42d12cba807bfeeb41cb5ed1f6e1369d1f8b85919a7608b24ffff955b80ecd32b198880cb7b7c1069c17e575f701e6d671013fa3ec93ea

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
74KB

MD5
dcbc6a0c76566c4ebc08540e7ff16b82

SHA1
79cf14aec9222d1d9602997f42644bf9171741bd

SHA256
61016134492234677a2b56847b51e6db0928f05eba5027769064ae16187166b1

SHA512
1a3ece5031d587eece311428d15e3a1666d3f44613c146c12497021b5f38be04be9a2f5b13ea723f749bd8915f1aa3154368c4b5704255f1ec88dd9ee8fb78be

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
74KB

MD5
4936a19ff8bd364e2f7c55ff9f4c3db0

SHA1
744a60e94f783ade8a50321cef94026382e56817

SHA256
3d168785da48fb52019f46c3e3b3e7538380180fc9fabcb20f38450d352a45f5

SHA512
5ea350ca1f2649028097987d062de5dac71c8e225a39e865878358bc7507a8f8d6f839210466e7b53f5ed869e9b0de392effa8759c6543729bd289e8b2f8b2d9

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
74KB

MD5
ea0d04f7980190eff22a6fda0dc41880

SHA1
d10df03557508956fc8570a8204ecf7292d0bba5

SHA256
c1acbd22cabcb13c8ef1e37b7be1f45868b1e6ca1f619314db57323305249d9a

SHA512
9749641340266bb4e4e04d860afac209fd8087a92e2df766e62af4ef8bffb00e0f25bae43ab56f5fee52a9e362ea3c90484a076d8bc2268d7e0c31133ae520c4

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
74KB

MD5
3031622a51c61c840103f99f9f7b14ee

SHA1
f4edf233c0748fd51512bd7364831f91109947fd

SHA256
462b90846d413138531082c99ea370aeb8d61598e199e498b9bd7da8d6eeb7cc

SHA512
30c719e9630d543ec27de3b0532738c2b2872190b42072a5394246278516c63c6f2f1ea54492d9f0224cf4e418f265dca8c66b60d34715640a63c4d7bd8ac070

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
74KB

MD5
a6581f1c89111696a588ad43854554f5

SHA1
12a0848d42f5bf53d988e8364065b313ca571563

SHA256
0689c5d17602cd32c54503c9ea1adecaea6f3bb6b1c72fccd5d79a7f7ad68b18

SHA512
87bd06f86a6d04f444128de621665754f49ab839a30fd4fecb7970d6f2367a504b0c742eafe73c4ebe85a6aa3412109319591f85c11f44a8c0802835e7095524

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
74KB

MD5
8f5f44470641952692f094fb709a9e0d

SHA1
b5f811f5cd5e7e5ec7d2b638aee75f43d2d524fa

SHA256
b9ff21ac5b38376dc29db5b737de1e203247cf19c570874814e8fcb3944bc34f

SHA512
26398faede5938dfa1e781e5dd45818bb37c1a7a6e0b60b595cc4adbfefb970e3d69a8bcdd2e55f0070a55ce57fbbc59d0c32405b9b41add80afd1aa8779e57e

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
74KB

MD5
264e9af59445db2018d499f09ebd527c

SHA1
4eb02bc0e53a9c27b1a458140f19fcef31bbbd48

SHA256
e428e5628b88761f4466c1a2e7d4d8d199e96f614b69e85ad21bceeca7bfbe20

SHA512
b303430815e755900722b062f2fb0dd739eba209c50575bed18950a5dad65d7fd688d6ef9b317b2a2c0ab5933a89aa5ff7f9de8e28d8aa4d756f6ef71fffe511

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
74KB

MD5
1fee9d22b7939b8d739320d24595bf6d

SHA1
7fd2fa85f5921c47071f2214948b8dd967dc1fca

SHA256
06afd99590a06f66a71e7b35c08b253145c6320e0d34b1232e5a186b1dfa005a

SHA512
d5c592205d27d1e188eb374caad556b3c5d0866a6a65f9af898ef11a6e12d535d804b1affb65f248ebf35d76ee68979406ee78297ed8fd6f6bf54d4efb661556

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
74KB

MD5
69a9c9d4f3a61bcd8d816f04a085cc4f

SHA1
9e6802832a5efc21512941ac61dd6d1a057e49eb

SHA256
db61420df87511725cd788d2e78e65f05c305a272220e6ba1b7ae152d37d81d9

SHA512
19121a0a12158f3d7db36033cdfe48c67ac76e82288825f407a532da6e336eb1231193041393f3c3ed912bbd30d646c944371a1dcfacbd4d649d2c4875c9bb82

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
74KB

MD5
10a65bed4b5fc7224b711796f1b49c3e

SHA1
08f907e57cdbce78fcc791de2fc41dc81c1eeca7

SHA256
46d9e9c789a0a2deae1bb5c0bbdea34a039ffecf05e46b914ba88a43ead8d14c

SHA512
1a0b67aec0c8760cc1eb85980fb5b96c038b06659ca4fd77937f51516ded9720700a7ea25a69e93c452cb6c70006685c5498a82882855ae1725069508fe5bb8f

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
74KB

MD5
492e9fa76e43698ffe610a978f1674a8

SHA1
7bf055c4ecf624a3523931e40b24591d1dffcdaa

SHA256
886c0069885d908c25fd73d932b0781b7978c740319ee62a3725bdbca626a846

SHA512
08009f7d6b3a0d14540f38e26baf2fddb66853a3fa94f0dddb7c5fbf6fa8e5cbc5c96d6540c18e67826f175f66416f9fe384a1985a6060bad54328385f3a9d65

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
74KB

MD5
d53ee801f1d6b78a0d5001a15dd9be13

SHA1
b76d59655ab2db5cfabea671883abe0bec278d99

SHA256
668da451e79def357ee398129e04a117e86911a7dbef30864a43f45f50c77cb3

SHA512
3df68c869cfeb88ebf4186a2a3a6ac438691bbff65213aef37f874ba300e96520a4fde95d4d18cabd6507d80298657f72cd08f83207bbf52d78d0e81839936ec

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
74KB

MD5
3b4de705c84a945036b3b7fdf2cfb360

SHA1
5f975b9d11dacc6310d344dd4cbe830160847cb8

SHA256
6a2f6a0d120ee41a9f0536f652f98afc2418fd915f211fa832bda5987eeb5dfd

SHA512
bd8a13f7df4bd429598486f63458a1ed79a5b570b5e73759e90075d021710a5115ed8a471964ef3ed9cada84a5b70ba02d346d18e6922acc84b3f0ce6954b6a9

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
74KB

MD5
7cd506b67212281f11841c543a5690a3

SHA1
e83d857628c882c8a779b10063a49d2dbb38c7b4

SHA256
6437ab28dac1a1b16806c15dca2ac61b70317e8f3c05310e324bb1a401edd887

SHA512
8a8484a6385b6f374f654610e192e1266ffbf6a69c70e694e4c4d3e23a79c1a82324a654038952e9f53a1e6e43ee8664407285d91cd671f7dd6405303be82639

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
74KB

MD5
40ce7e579a1f93134d84eacec7e6da36

SHA1
b285aa6e6c287e4ed038c16688bf5f9c3ecfa6e3

SHA256
33c9086277309b117f62147ecb0d4009f80554efba6b6756e0681b36896c413f

SHA512
27384b440f41a834aaa5b57413720ad1e3877f786e8310617ddab0289975c2a4f919a164fa9a699306b2b7bca666c982ba80d5d612e0eb48ce280282d089690e

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
74KB

MD5
5526ea0e0531e12323216b35c131bcf6

SHA1
7a6ade299c8cb21a99c1061e9de6a1dded6de04c

SHA256
e67069dfa47098f6c56ae89c03a7c0ef72cc330ea1bc959f041e623822fa8013

SHA512
9aca7b1d9be5b00a499419e36c1821346c7ab57affbf6090304ea2cba296a850d45fb35b44cacd0f83c2749ee341fdd71a1554fdf57eee9810480b0b799c4193

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
74KB

MD5
1b119d779834087e3295b46074731244

SHA1
766212610498db2ce4c55815ccb80d63ffc0d7e6

SHA256
0ab702d886187ce8aa05782a4dcfe13589420ff99c50fa1bb4d48d8fb627c4bb

SHA512
0b932760a0367e72cab987cc121af2e7d9aed4136a01ef3eeced8c7f3889bb4ba2945ab3dfc3bb140b88900e2a10ce4d57622df6a2e986f042c767a7a8b49f53

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
74KB

MD5
954088c577c288dee01f27824b643ff9

SHA1
ec4153501dd3d9759943208b6ad1260128fc4fd3

SHA256
7ceb16ac70a2ddda4f79830ce775b127a3fd67386c8c4ebc4442f9006fd80484

SHA512
a4f86e4df70d9e0dd73bf5c71b7e0eab3b6b0745a31465ab740571027b0570c9bc186ed659cdb8bc3478a50602e53c842c3974dad0814acc9ecdd7d6b78718d5

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
74KB

MD5
9692061a0686268634db43b2c6a1a76f

SHA1
a427052a1a8d0cc0a1d7e02b00ed6220142e11f8

SHA256
777d9a34dead66de6338dedccc7b3d9710b3a0a14ffe8c07448fb26017047ea6

SHA512
05a9faf6723817d24e6d635ac73c571ae77a963451e6a7f77a190d07e3a95d11f2e81624e2717167f2107f23c750aa8d1ac482071de46eb078ce698b45c5ebbc

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
74KB

MD5
6c534024873e097288949545ae7c0560

SHA1
d573dedb06803493766e0797aadeb9f3a1a780aa

SHA256
7fb94e7051b2ebc1609b7f00945ef1394fa1e537b1a43ea9cd575e10052d6c91

SHA512
fe44c6152d6bcf7de5ade4db2ff8e5a97a502024753561dfc81675bf6e13d0562d27ce409bf65ed7ca9fedf6389ad50d5a8993282f4a47df1a4177b0e78461c6

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
74KB

MD5
525c8ee0363a3235b2438b29eae0b006

SHA1
cf8d5546a43d30fc847269087e02e9e96f13c47b

SHA256
e25ea9c5787433e8e5b5cbb84ea47cf17530ca31135d945b3acc922a252a7092

SHA512
452307bbee3de3bb76b98a3925881d009fcd47fecef62be515c135cfaaf63104fed6273067de99bf2e8e953af2c30035c531ce311b0a12ecb2145ca14f292157

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
74KB

MD5
b159f30ecc930ea27c081e858540b8ce

SHA1
6df4072ff45210dbf066dc1049c8c69d1e96b9e8

SHA256
f21dbb6e27fd196e2fb5072f79d11f009d738b14a35f8dec0a23c415f1aef964

SHA512
a5aa34b59762aef87a7ad5fbbafc112c325f9494086ad82e09040f7833a177ccb108ae9b59ca1b01a2cc18b355eecb8a94afd83829b7c67fbec79ebd564cde02

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
74KB

MD5
68eb7e6e26a4d59abbc8ea5575b583df

SHA1
79441c4d1a9ad967cef2e9e2eb5bbcda2441efdf

SHA256
4588c54735433abca2d5ce662af6a346120be4c09b91544d1b05e4451096849b

SHA512
e0d5ff1649cb6897320f3ad64b25a1ebef269904040f45e413e121becb864286d93affce0726051c7f798366f2184159625789ec34cb43d4ad189441b2063bff

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
74KB

MD5
90190c12c45ce54c1152def5f5935df2

SHA1
0e1075fbbc2eeb33dee0722c5b873c537a603cd5

SHA256
1abeaa0d3f1cadef822d59fa0ef27085b2e5d9a6626f426ef04f280b59b6cbb4

SHA512
3f64e8864ab8a4ff01a42b46f0bc9780de1b6411c543fcb9fed98fbfa96585ebe55d93af20c8373073d201021312ea2dca7ad444397e263fdf12122f757b22d4

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
74KB

MD5
76f7146e8565ba8fe342b07af11587f9

SHA1
b6284188a9e88f088e7ff5dee9aa713e0fdf1c2f

SHA256
2209e68c298535033dc013a88ab9ab2a70444c3fcc801a1a20d448de29af2efd

SHA512
a6fe30a72e16bec9ef9469404216f644e858412f238cec00fe7ce17b66f01c185fcf37482ff17980c209700923d78ce038f73806258f709a6861fbaee412aa3a

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
74KB

MD5
2b3fab292988786ff4826d8de67d43f3

SHA1
c5df7215031cb3bbe799ad21767b207b9a7fa589

SHA256
796eb3f3605f7128e0b9b84523fde817f0a68f7761866864f3782891821390f0

SHA512
bd754385c8590b85fde1e3d36d7d1d9b0c4e44ea3ddc6f502a26ffdf61e18eb4e29577a0136854fc13b8ad3b57fc713eca34bdd431c405513bf7c1fabe5b838d

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
74KB

MD5
9449c4b94d4e22b5dd698901c30437bf

SHA1
b186293d0984656e43847382320cedeff0d563ff

SHA256
533ef8e4130853aa90e474d68c5d90224c4b488a5577b1aed46cfd59193caeec

SHA512
4f854722942e1687971086386cac77587cadcc77ec1c7be2a4e311d827ae6dd837b56230b0b86cb78cf9a70172bdee2e8d93379443d92ef501cbbbeed7beeca7

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
74KB

MD5
74a832668fce81058fd2b6b852e946ce

SHA1
16bb035005dd10e8187ed609bd39d76bb6424a8c

SHA256
b7cc19e0c5a7bb1708b0da6368fbb09920f2e9f227a5fb5b405514231217d2a8

SHA512
983bf0ce84685166915cf62acd95d8159c9ce80ebfbb38795504317c09c3ebc9a2c4ca8a96852025f21bca4bbcc6f8af96502305c77acc03888afdd460444aa9

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
74KB

MD5
ab0b65e057d99fb26d6000c28ce89072

SHA1
ae58af80ad981c27355341822ce8984c872e5dc8

SHA256
2938fa0a537daa51157d5f57a073f3eac5f3dfe15a48f7cd717ad1496d55f8c1

SHA512
5eca7da98b3f3b6598c6191638e291db550a512a14384d1d82d0ece1db0d76053738e04730b7a39432367a89c9bdacca3c569e6193e295428c9c87f8435c3d0b

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
74KB

MD5
6713b8d7a98e521731946b438b942d88

SHA1
c1324853e8c34b16081a56a00406feef82a3c344

SHA256
a865c0288148263fcacdadb19af432ecbdeea05955e6ba683fc0531ca68e7754

SHA512
a8b5c7d3be6b8ae05ecb1ddad71bf76f64beb5bc458872339cb862cfbd0b7e1d6ef3d5f04330ec3a35caa47bfafc3be852f58241d75419072633d116c0a8f045

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
74KB

MD5
618843b4e1eb5cb5e2d1f5aa57236510

SHA1
756a3b0524d2d79c18e043bb0a739419de01324d

SHA256
8f828352cd65f9010fa03f729cb4064f8783e3120995c01445ad6d10c090264a

SHA512
c1d709cef61f3810c961e357e55798129800e85ff0a0937691d5191e39573d6e47c6b002d83e558b04fca76fbbbd752e0bed42f6cb5cc2bbfa35ec579963d5da

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
74KB

MD5
359bcb30d8b01e9050e9589f0e1a5cd0

SHA1
213c09931d92c19f0a3a4882e8121da16189fcb3

SHA256
f2e2a586cba54d798624027a4e5332f26a82f19005db21005580524da4d2960f

SHA512
62b40f50e0ac5ef593267dc0d63c5650dbdf1bb6edb5084f8a2b6d3e88cd672ceffc6f9cc7154629eba3cea1cf92a0861d3975ac0b5ba60facecc5f3cd5ccf7c

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
74KB

MD5
06dbe85ea830dafb04eb05537ac93087

SHA1
77e6e5a2a22e7af0e3ac83f2b8c8755b7dc15ee6

SHA256
7520291e17568fe9af94aceb3f7176268687077cb626f876854e12498a8718e4

SHA512
779a944fab126b44b4367c4d4d0f82e063546d1d5752f6cbac054dd90077918bf21f47b854b8f78f457e3e16d1be129b4732e9b45ae2c3b5da1c98c4cb88f28a

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
74KB

MD5
9718f4d53ef3158402b66beb6c9740c9

SHA1
428bdd2e65191be3769d4eff829381d4cffb10bf

SHA256
2a60b41e74345a0371e983e8cb2cb316ead06df1a48a7ef93ae1a5e13c5b8df4

SHA512
dfa808aa6ca8aad4e1fcea066b434c051c7544be28d017589d9a5458b229e390779846824e6da7ba9e4a49ab035160b27f59f792a84ed67312d9168e1b69f870

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
74KB

MD5
5801bd69d7d63d4e564068dfe35e720c

SHA1
60ac74f70bf8aa66b5667b0f8e32435257884db5

SHA256
e3107d11ec1bacc46acf4c994b3e8a1f06b97f653f72aa60527a9594cf537b20

SHA512
a94596f2f3af9e45ec058f81c9adbb1f5be5a60ad3e64b7ec80ccad30ca88e07e5a078ef1b6bad6456da1b9cb76f1eb1dbed1733f113a56dba1c9d8018b4f4a0

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
74KB

MD5
94c8b2e55bae64e2802ce49ba8e59357

SHA1
13a151ad3d7f238df659ba022b895bcfe5149473

SHA256
3608a8d08d86f5ebe56c5eb65b62167efec2239134d21128929b9932ab67bf39

SHA512
7dd0c4fe5af51d6befd108f5ad231e15a31e000adff76d96e53e417e9c063aed1656d20a9f7566e274c62b1c130f635a6618ae3587b63d042f0432e22c0f0e2b

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
74KB

MD5
319347ec8babc562b6b3ac4a94f40383

SHA1
cc53742445984928779d0094f7de2ce0b41b928b

SHA256
c6a46d54184f0abae4013c953f5e992c510bca64c7cc26232ad39362e6d82999

SHA512
ec20d5ed6fa16e2d4029b81240190042ea083811e0f44624d661b1c62ba4427a4c28e93833dd453fb1d18315255c6fb2de86a70e865955cfbfe7fd34a9ba05a6

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
74KB

MD5
eb804cdaf1689218967785b1f0e18f8c

SHA1
622bd43370221a7b3f5a792c68ca8be9b8757fec

SHA256
b6a8f77267acf2b795002c97f38eb9bbdaa188079dc0aca3c75095df3ba1d67e

SHA512
5275050cb188111223f4d267a855cb047360c60e38623b42b2a8504dfa3cf2f619369fa28bfbd4e5b1df519f6037a7cb0e8421d6c383248c436e32acf6d9e5f9

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
74KB

MD5
020f945a1086aa84dd121a6f676daf4a

SHA1
d11a3b575f53f6d620eed218f9e09a49e9510302

SHA256
87bf3547a5eb886f8741c1666dab37c48c3e49b9c1d159f0d6237cc4876fe74a

SHA512
2f2514a859ec7175769e964e031adc2965b739db6110988a9e9337804937cf8a02c8a0d8e95d04b8a87c305d81403c616f62957023fd5ae8e3ea79c71ec7da6c

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
74KB

MD5
302241a04e4c8fb00409dbbdbf3e4795

SHA1
2a4512ec69c9fec1791c4720b91e2e4b3e8e138e

SHA256
dc91fab4a404b68b311849d25379ffd625b38f866fd68d7427b15cdb0e0e7204

SHA512
76f37d1fd6f696f8ea93ed40789e1ecc9392eb32194eb1beb213b45c0d4f660beaa3cb35bb7d212311496d89336d2d93c4271b95492bffb11cebb401d4e0e152

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
74KB

MD5
d964e4d97b376111427484877248140d

SHA1
ec14aa1004d752954e915dbdc0a2fea1fbeb41ca

SHA256
b3c3bc47501c9313e10035e1fef90305c605d4a78fa20914eb1dd74fd6c0d1e9

SHA512
b95fea748a4efd60c1b3c15a488b42984f39702d62238dff0c951794bb4d1dd7250c36207cce6cc80c5659f16f2f3165fd5782fd6958b49a7cc14988ee99c210

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
74KB

MD5
8182705fdd1192ea94d7400aad0a176e

SHA1
2b3b5b37f1e4de24453060dea30a4602fd6ec2f0

SHA256
f2bb2dd9ebe489ca71559f07da86bf68dc9707cbcacc801a1a65af1d0a3283a3

SHA512
f139d1bbf497ffc579b8cd5f46020f46f92e2e46092d99d9fecc97323763f4bc351af16fe6259c94df455d858e0e21756e8166aff046159ae77ced6c5d071185

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
74KB

MD5
1ae239e9b7bd90dabf6cfa8d102648c1

SHA1
26afa6ede9eb8167b0d3e9c825f54a1636cbb6a3

SHA256
62e203db1e3096adab00bf6803c124c4c1b60d193be029f07d1ea5eb09feec84

SHA512
d013754990d70593ebeb0e3239f61398284ef0890c699ba026c04f72c0c75d18ec41bde1ac7b84abc5887fcb89d262ae87ad823387078862d36d51bf8e4fc380

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
74KB

MD5
89b20883f392252b77c4433a6ea634eb

SHA1
13d2d8f39aa79dd5c41c5ec8e25a2dc108cf6756

SHA256
907b884f676b2ced932151bb767b52380962c8ee58e7c767266cb148f8a50a4b

SHA512
5f1fd23f9d8b3fa06a9ff4f1072ab347af4eaaf8b07a7599421b117416533ef98ed81ee3afa28560c79a8f55890d0aacfec839f8bdf07b7751f2ef6e5c2c6bda

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
74KB

MD5
2b3583137a6e338df5c80fe125f3f762

SHA1
bd21d8483d6343e71c3a4b3d7d5cc9474e8407ab

SHA256
caff7375130628dfc3266c6746664b2c180dedf3c12d532db8bf2e5998fa0acd

SHA512
5c9eded03db94a2cabc65563130c4f50cb9499814643fca33f90b8d05261cc03e117c69c6ead61152903909fea93b494768cba33c3d3c6a9facb21524bfcd84f

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
74KB

MD5
6c9f5f0440530e0d00a4665fa369aa71

SHA1
d67a0fc0c10540bdec20ab80072c4a1f21d0aff6

SHA256
a35c954a825294e0e1ac48afaa3385b0918eca89903b019616264e63f84ce6b9

SHA512
aa7301a9c8f778cc42aa8b65293ade41a3d1ea22b05dcb25462a585b63e6a9e1f8b10afbc16e636fee96206d9ee59f84374e84641dbb6317d0cde5c86488eb7d

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
74KB

MD5
a97c76bf698d9c6de5632987a9f29ab4

SHA1
b58577890474bcd6a5cb15595a99676a95196a1c

SHA256
7f709f5242e0110cfbb4d08d6a0629ed3db84c2a48597ce90d0679b87c8e7685

SHA512
3e037a8fd6ff5f8154f29b231aefd108987798aaf73c468cb0c9e4e0c46f78e84f68bc2794327a6d0861e3b7c530db56edd591faf6cb8354ec27c0154299c5f4

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
74KB

MD5
aac073db2d7e10f02b4e0a63ccfbb4ec

SHA1
5c5075677f01145838a899ac9c649077a781f493

SHA256
7fda9d6f22f57c61790d52ab963747ca57beb9a4304090696f28c59719c16052

SHA512
9b599ae4d592b4621f295ff1ef259c190273de0192c06fed7033e1c33d74d9fdca782694f3b14043e16f94db8493ea1a6a23ad7f9ce0496c40dbe2d4854abe51

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
74KB

MD5
812b4ea206f4d1cef5d752de3cd0219e

SHA1
15724628fc84fd39489f54f2f13274ae7e8a0706

SHA256
e3b13e3b23f36dd40fb96deef5fa8b4e2ae23942b1864e9605a55716a6cead36

SHA512
40d42999535ac11d9e4abc59b7125856f9b9e97e938a964595780781616ca125b139d35ccf7559b01241ff680e733a252dad92c4678bd003fac6830962e10841

Download Submit
memory/224-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/388-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/512-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/540-205-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/620-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/848-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1032-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1044-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1172-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1172-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1192-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1216-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1244-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1316-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1404-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1412-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1444-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1452-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1456-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1456-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1460-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1504-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1520-538-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1540-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1608-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1628-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1752-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1876-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1880-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1892-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1968-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1968-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1972-404-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2024-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2116-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2192-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2240-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2268-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2320-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2376-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2384-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2400-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2424-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2556-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2636-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2684-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2684-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2796-216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2808-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2832-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2860-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2896-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2928-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2928-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2956-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3076-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3120-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3156-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3200-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3204-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3444-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3484-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3580-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3604-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3644-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3648-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3720-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3724-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3756-338-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3772-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3824-594-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3992-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4032-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4120-584-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4140-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4140-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4256-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4308-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4396-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4400-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4452-213-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4492-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4496-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4564-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4632-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4644-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4656-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4856-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4856-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4880-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4968-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4968-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5096-566-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5112-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads