berbew | 982de8aa2b44b4f0d04b74657af79e59ba669c3d34682e857294bea38a6822ae

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

982de8aa2b44b4f0d04b74657af79e59ba669c3d34682e857294bea38a6822aeN.exe
Size

94KB
MD5

7b067971f03b4a177f13adcc61969720
SHA1

5b1cb491dc3e4a8b96ae9f7fe29716b7f0354717
SHA256

982de8aa2b44b4f0d04b74657af79e59ba669c3d34682e857294bea38a6822ae
SHA512

78f7af09a9b29e3240fd55fefbf3b6b4707bda2e788ae8b6d76fb71657be948dc089e20579b91181d3efc859706e5ece9d3950588baeddbf691840128cd6c159
SSDEEP

1536:q3SHOLtpIywACDePRg+w/fRZKVCQCkcny1ZqGUY7BR9L4DT2EnINs:oXLDhRxAaVC1BG36+ob

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
5052	Kboljk32.exe
4492	Kemhff32.exe
3460	Kmdqgd32.exe
1956	Kdnidn32.exe
2868	Kepelfam.exe
2476	Kmfmmcbo.exe
1428	Kpeiioac.exe
2040	Kbceejpf.exe
1672	Kimnbd32.exe
560	Klljnp32.exe
4168	Kbfbkj32.exe
5020	Kipkhdeq.exe
2300	Klngdpdd.exe
4776	Kbhoqj32.exe
1340	Kibgmdcn.exe
3220	Kplpjn32.exe
3956	Lffhfh32.exe
3444	Ldjhpl32.exe
4384	Lmbmibhb.exe
2356	Ldleel32.exe
928	Lenamdem.exe
4388	Lmdina32.exe
2904	Ldoaklml.exe
4516	Lepncd32.exe
3712	Lmgfda32.exe
4500	Ldanqkki.exe
4056	Lebkhc32.exe
2804	Lllcen32.exe
4432	Mbfkbhpa.exe
3504	Medgncoe.exe
2068	Mlopkm32.exe
2552	Mdehlk32.exe
4876	Mibpda32.exe
2404	Mlampmdo.exe
1936	Mdhdajea.exe
924	Mgfqmfde.exe
4452	Miemjaci.exe
4520	Mlcifmbl.exe
3716	Mcmabg32.exe
3420	Melnob32.exe
4020	Mmbfpp32.exe
4632	Mpablkhc.exe
3228	Mcpnhfhf.exe
3332	Menjdbgj.exe
4360	Mlhbal32.exe
2520	Npcoakfp.exe
4192	Ngmgne32.exe
2752	Nepgjaeg.exe
1796	Npfkgjdn.exe
5096	Ndaggimg.exe
1232	Ngpccdlj.exe
2576	Nebdoa32.exe
4044	Nnjlpo32.exe
3172	Nphhmj32.exe
1120	Ncfdie32.exe
4028	Njqmepik.exe
1976	Npjebj32.exe
2716	Ncianepl.exe
2480	Nfgmjqop.exe
980	Nnneknob.exe
932	Npmagine.exe
2240	Njefqo32.exe
2172	Odkjng32.exe
5092	Oflgep32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Hledan32.dll	Kemhff32.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Klljnp32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Kemhff32.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Klljnp32.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6632	6552	WerFault.exe	252

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikdngcl.dll"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 5052	3028	982de8aa2b44b4f0d04b74657af79e59ba669c3d34682e857294bea38a6822aeN.exe	82
PID 3028 wrote to memory of 5052	3028	982de8aa2b44b4f0d04b74657af79e59ba669c3d34682e857294bea38a6822aeN.exe	82
PID 3028 wrote to memory of 5052	3028	982de8aa2b44b4f0d04b74657af79e59ba669c3d34682e857294bea38a6822aeN.exe	82
PID 5052 wrote to memory of 4492	5052	Kboljk32.exe	83
PID 5052 wrote to memory of 4492	5052	Kboljk32.exe	83
PID 5052 wrote to memory of 4492	5052	Kboljk32.exe	83
PID 4492 wrote to memory of 3460	4492	Kemhff32.exe	84
PID 4492 wrote to memory of 3460	4492	Kemhff32.exe	84
PID 4492 wrote to memory of 3460	4492	Kemhff32.exe	84
PID 3460 wrote to memory of 1956	3460	Kmdqgd32.exe	85
PID 3460 wrote to memory of 1956	3460	Kmdqgd32.exe	85
PID 3460 wrote to memory of 1956	3460	Kmdqgd32.exe	85
PID 1956 wrote to memory of 2868	1956	Kdnidn32.exe	86
PID 1956 wrote to memory of 2868	1956	Kdnidn32.exe	86
PID 1956 wrote to memory of 2868	1956	Kdnidn32.exe	86
PID 2868 wrote to memory of 2476	2868	Kepelfam.exe	87
PID 2868 wrote to memory of 2476	2868	Kepelfam.exe	87
PID 2868 wrote to memory of 2476	2868	Kepelfam.exe	87
PID 2476 wrote to memory of 1428	2476	Kmfmmcbo.exe	88
PID 2476 wrote to memory of 1428	2476	Kmfmmcbo.exe	88
PID 2476 wrote to memory of 1428	2476	Kmfmmcbo.exe	88
PID 1428 wrote to memory of 2040	1428	Kpeiioac.exe	89
PID 1428 wrote to memory of 2040	1428	Kpeiioac.exe	89
PID 1428 wrote to memory of 2040	1428	Kpeiioac.exe	89
PID 2040 wrote to memory of 1672	2040	Kbceejpf.exe	90
PID 2040 wrote to memory of 1672	2040	Kbceejpf.exe	90
PID 2040 wrote to memory of 1672	2040	Kbceejpf.exe	90
PID 1672 wrote to memory of 560	1672	Kimnbd32.exe	91
PID 1672 wrote to memory of 560	1672	Kimnbd32.exe	91
PID 1672 wrote to memory of 560	1672	Kimnbd32.exe	91
PID 560 wrote to memory of 4168	560	Klljnp32.exe	92
PID 560 wrote to memory of 4168	560	Klljnp32.exe	92
PID 560 wrote to memory of 4168	560	Klljnp32.exe	92
PID 4168 wrote to memory of 5020	4168	Kbfbkj32.exe	93
PID 4168 wrote to memory of 5020	4168	Kbfbkj32.exe	93
PID 4168 wrote to memory of 5020	4168	Kbfbkj32.exe	93
PID 5020 wrote to memory of 2300	5020	Kipkhdeq.exe	94
PID 5020 wrote to memory of 2300	5020	Kipkhdeq.exe	94
PID 5020 wrote to memory of 2300	5020	Kipkhdeq.exe	94
PID 2300 wrote to memory of 4776	2300	Klngdpdd.exe	95
PID 2300 wrote to memory of 4776	2300	Klngdpdd.exe	95
PID 2300 wrote to memory of 4776	2300	Klngdpdd.exe	95
PID 4776 wrote to memory of 1340	4776	Kbhoqj32.exe	96
PID 4776 wrote to memory of 1340	4776	Kbhoqj32.exe	96
PID 4776 wrote to memory of 1340	4776	Kbhoqj32.exe	96
PID 1340 wrote to memory of 3220	1340	Kibgmdcn.exe	97
PID 1340 wrote to memory of 3220	1340	Kibgmdcn.exe	97
PID 1340 wrote to memory of 3220	1340	Kibgmdcn.exe	97
PID 3220 wrote to memory of 3956	3220	Kplpjn32.exe	98
PID 3220 wrote to memory of 3956	3220	Kplpjn32.exe	98
PID 3220 wrote to memory of 3956	3220	Kplpjn32.exe	98
PID 3956 wrote to memory of 3444	3956	Lffhfh32.exe	99
PID 3956 wrote to memory of 3444	3956	Lffhfh32.exe	99
PID 3956 wrote to memory of 3444	3956	Lffhfh32.exe	99
PID 3444 wrote to memory of 4384	3444	Ldjhpl32.exe	100
PID 3444 wrote to memory of 4384	3444	Ldjhpl32.exe	100
PID 3444 wrote to memory of 4384	3444	Ldjhpl32.exe	100
PID 4384 wrote to memory of 2356	4384	Lmbmibhb.exe	101
PID 4384 wrote to memory of 2356	4384	Lmbmibhb.exe	101
PID 4384 wrote to memory of 2356	4384	Lmbmibhb.exe	101
PID 2356 wrote to memory of 928	2356	Ldleel32.exe	102
PID 2356 wrote to memory of 928	2356	Ldleel32.exe	102
PID 2356 wrote to memory of 928	2356	Ldleel32.exe	102
PID 928 wrote to memory of 4388	928	Lenamdem.exe	103

C:\Users\Admin\AppData\Local\Temp\982de8aa2b44b4f0d04b74657af79e59ba669c3d34682e857294bea38a6822aeN.exe
"C:\Users\Admin\AppData\Local\Temp\982de8aa2b44b4f0d04b74657af79e59ba669c3d34682e857294bea38a6822aeN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\Kboljk32.exe
  C:\Windows\system32\Kboljk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\Kemhff32.exe
    C:\Windows\system32\Kemhff32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\Kmdqgd32.exe
      C:\Windows\system32\Kmdqgd32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        23⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        28⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        33⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        41⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        45⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        47⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        57⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        60⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:980
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        64⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        68⤵
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        71⤵
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4652
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        75⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        76⤵
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        78⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        80⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        81⤵
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        85⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        87⤵
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        90⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        91⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        92⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        93⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        100⤵
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        101⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        102⤵
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        103⤵
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        106⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        107⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        111⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        112⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        116⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        126⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        127⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        133⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        135⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        136⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        144⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        146⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        147⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        149⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        151⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        153⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        157⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        158⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6248
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        165⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        168⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 408
        169⤵
        Program crash
        
        PID:6632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6552 -ip 6552
1⤵
PID:6608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
64KB

MD5
852813ca709ab78786b930a99dccd924

SHA1
406bc198a146725559523aa2f0029f10cbd3f01c

SHA256
84d7d702b10db5e11e74186291e20a3f5ef5ec475ce9b44a43c0a4a9572aa00b

SHA512
edef10eae2e35fff3d7e7a99ca699ec2b8be337d65b0bab8e89b30cdd3b7b6648aa057ad908cf283b2571856c0e669fe3db6ef9ee4e7a364ac8b6908a9f4a567

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
94KB

MD5
1b81ccfda412ad2beac649de1fb74a4a

SHA1
db40f00878a1652dc85ec4f32618f62957fb66b6

SHA256
88070a3c568c6456bc96d0915124e961f9b11119bdf988e81bc5f01dc23ca94d

SHA512
a5b59f9496c681661286c2da420a7def1df2a59f5ac66f91b7b7819b35019f522ba468f5f9963975f60cc3f1930c30084db25148f65a1bbd092b9b321e85f539

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
94KB

MD5
969a003f597856e5e85cc82dd716e296

SHA1
df74ba685ce30d204161c360ad3549f57609cb4f

SHA256
ceaab1f44af098b604ef8a081f1fa2e9accb0636b13eed6ce115465df3194be0

SHA512
0495bfa6decbb72ab78ccda5f7cd792b4210af68dddadd1a0164ad127bcb6873a64887c62d8440572e5f63e41348ba8a6d8f2c2aa08c73dfc052dd843e69dfea

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
94KB

MD5
f5b84bb7151fe488f308df32ac0ca677

SHA1
dd9b84c55f83dab9f07980bb4ae4d6d9a6acb78f

SHA256
e8d544e30c3ed28c3ea82f2781137783a7d5de337ed1f3eac4a965497617a75b

SHA512
8af27df21c3a2aea755b313bd9a605e632f55076faed450d6694b749ea890a340d0cfa26057c292aad1c0f0f247e5a0b3a7336b45b1d1236248f6ee54d1d3df6

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
94KB

MD5
132233c052562a97a4f8d9da811ed135

SHA1
c0878cf117ec26c6caa72c213dd86e0e718a9cfd

SHA256
bf85c2c04a3fab04cdfeb6da0b7fe552effa5babfddf8162b388e053d3ebb6cd

SHA512
6e80db9a64f1b0d9ff814b0c6b688f35060628b65e99e55efbbb76a729e99b44450614a9cdc94415200109a0e17dee26577a0f4d84bfb381ca7af05cdc2c777c

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
94KB

MD5
f9b73982ac4022259ba3ce7e06f5f899

SHA1
5f18261b68360fac6f6873b022ec251a1bbc62bf

SHA256
fd21011d8d58ed82bfd57c07e192ffc5fb7b3d63e5c0ba545ebd1f92e020a019

SHA512
40c53f90f766ea0cc1985c02aa99a346482854c17f984159cacd6f5f4e1108b4838c3b6b9dc1797d0722fc6b0471eefc951d935e2fd8aac23b5194fe7f8b1a93

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
94KB

MD5
5f22679c472efc0a10eb52595b1c5318

SHA1
888f3a9382fd9c0e1e995b4cffdab008e9d45765

SHA256
cea48bc383d97dbeb058a231b998ebabd1209bb4c264d76a41737c2cf9a4144d

SHA512
93ed0faec075ec1d0cdc99e0a066e04a2d1e685f1cb0a9b337e4f2e3d8169e972ea7b674add9451eff9173121b4b5b256ac0748d915085574c892e76a14143aa

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
64KB

MD5
58acce8ab7734b6e51d6f452baaa2a5d

SHA1
cd0ff0cba789ae3727ea3e184b97dc92a5d8a555

SHA256
5ef47d94d52dc5f5ad21a57687432489ee22f4f8652ce901ab8c0a2107cceeee

SHA512
9f3f61e11f80f9b46c62be17e4f3a32934f804e923cd3e4f00fd3670f05b7e7cb10615c4c756011430744fa4f64b0a6f324fd7e94c34aa79920d21ce97991e1c

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
94KB

MD5
010269e31a95dafb655707012890a94d

SHA1
6d412de29009500da7c7ecdf30988eb9346dfb29

SHA256
e64dea56b0ce0dd5303bf4e6cb2fa2a0beedbe96c9f356b63fa23b4ae35b52de

SHA512
22b3c104727921774acc028e2af7d23f9eedc9ff62439ab291bdf795bd0828cde102d8051bff3a11cb0655589f51b5e8862c4c568b389aaaae02eddf9968fb67

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
94KB

MD5
ac7faa1931bc4d5e1afd561f39583597

SHA1
9566d5f0dfeaf4d099a6d5dfb66b3df27e10870f

SHA256
6f3b771e65b6e2164f493d6f062742ce54a3ff94b2701199576e68cd2ba5a9d2

SHA512
9c84d9391c386048190e8eb272f9ae31d00c51cd95dad1b67a1eba7fa3ec7fb152fe82640c323e398334477466d17c88f55a676a546939aa904e2a4674e7e047

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
94KB

MD5
42d4df256e38d0518b7df754b6fa929b

SHA1
cd89f97189331f45c4d7ad0a41d78d04a53027f9

SHA256
8c1eefe35a95d9dde82267988ab95def1af00f77801786ecab3bf59881317490

SHA512
2ad02343c2a8d05fd553d2c749b97cd9f17c5cb9470aa5c8f81dc5a72f22fd78a3faf27fd42a161696abef6c2ac411018528db3cad2c1ea885a13fc3931d2140

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
94KB

MD5
c58d68382075b83689aea6fc6dfbf988

SHA1
011fee283f80ebb2de257d72c288e7470857ea87

SHA256
6a217ee6c259a878412ec32b38055514028702ab5806bf769248526b3f019367

SHA512
720339f2d4b4c83f6ea7fd44daa0883c4c1fc986a0cb6bd76af882e0ae4a695bfcf5c160be2294b9b77067016f1fc531175f6efbeecd39622be87ddabee38513

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
94KB

MD5
9eac034e8dfb75da43b9850226b805e3

SHA1
e978ced5139af30ea2c8a03246b6d56a5c004625

SHA256
11df8b8cbda9d534a41d8374f9769186211f689311bbf08f375b971b8bc07512

SHA512
fd4206e5ca4e71e0c8c077e16eeb968f619d1ea8c173c955fed55d9dafe2638447df81ba56dba64b4e3d302262a9f9eeb711e443c7f5d078af6cbe71a92ea4ed

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
94KB

MD5
06ad6ee3b6dd8d2e5141ca81f6edf081

SHA1
c017e2d72b528da56555f17a1d4398c1f5644f20

SHA256
2bcd777607297fc32c670c570c3a9d308fa69dcb26885d0456e25cb53846b21a

SHA512
7956fd4b42175bbd6fb8c1ac53e28611a444f78e6103b80a5dfe958de7c11c742188fd7e96d52745b75dc5f237d6b51d440a325c6cb6f0596e4a136529592828

Download Submit
C:\Windows\SysWOW64\Flpafo32.dll

Filesize
7KB

MD5
07188ffb52e1c28dabce0cf6cd0088c2

SHA1
1593c402b87dc02bfecbf47341a487733f87e707

SHA256
03cd536cda067b526717a6a7bea83326a51e3e2c3743ca812b92acc545ba80a6

SHA512
a92a27de5a4f2918975b23ba610b96d4f9c0d6fcfef61562f925e72cd524cba8d678f7a929f529568dab9a2e15175d0c0e88685cee7fb7b11a716b4549d68ce4

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
94KB

MD5
6bdf0496e7efbf8e09d2eecc6ed8d151

SHA1
be589b7c991e853c26934b0bd4975043aeb563f9

SHA256
365475e9c4f4db47e447ba854ad7cec05824f308d86940ce94cc69aa10e529df

SHA512
7a350e7ed4850567287f8c39689521236066d51e80d0564f656b74772d50b37e95ddab8ab9fd7761b93f6231deba10fc5c04d6fb67bc7a61bbc1624e785ae089

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
94KB

MD5
34c594202ef99e9354eae7c314522c5e

SHA1
5ce29fdea73dae8c43102b5f4341dcb6e18b2ad6

SHA256
cc515832275597ea1d99f9a368be8b3d221cf6d9cdbe47c86e493dc8f69fd456

SHA512
ef9aa739c8924a392123b042244f2471f3ce92958363937a302ee4a633f6b386da041e24e18e8b3284eff2d9a75a9d14ed2080c711ad5b6ac4ada60842760e14

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
94KB

MD5
236c4dd8a3f8f3887133a893aaf64a7c

SHA1
8cd38fbdebaf9b26056b89a784ed6d91403a2284

SHA256
3bf40febe4191b7a5f4d641872419498abb9b235173d230fae65461bdc518ab6

SHA512
996c1ca2a164f7d1da28ef2504e8925223be6a4c2212a35c1dd818297351a2cbf1eafd22e932f639c7b4891d374bdf8b940fbda8af8a835e5f6b2d1679e61aff

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
94KB

MD5
c5e7e188275c8ad0aca9d99cd8263cee

SHA1
9cc3ece81efee9688dba9770cfd18c1c50e01ba1

SHA256
3d0b4a321c7906e51896e129a3840091a29d800b50cc07039b136063427a891d

SHA512
50541b5ebbde977e405363c4ac3edc04160adbbdeee49aa3006a3ddc5d503f23b9b08f4fb619419073224f7c989dccd43dd5cd63ee7f61350eccb96121525f17

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
94KB

MD5
7b76ce0baea511a986efc19f619fb7b1

SHA1
bd5ea948f743385168770fb3a13c3efc7d4da629

SHA256
8295ce3d6481fc0897db0a104d322752513d95eaced22e28257facdb84188217

SHA512
df92fd09005ac9cf2d2dfbbe087bc200557e2c16fd25f5bc3a26c071777df3dcfba10f67f93b1878538fd2f4ad0e504dd60bde7b631eccba73c97f9ff9937d74

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
94KB

MD5
3291a78d1c9c2ff15cde4fb21bc1a1ee

SHA1
82b80827662829d376c485f75a5b6855a0ceb12d

SHA256
76df2e7956c336d34a368876dc88eeda005ab908387e1dd2c7017bf7c4377c28

SHA512
aaefae3e457861a1120cae451d53587a5240750f5f86ee3e077129389ba3f0c34700e93a0bbe6fae685089d8c80d7697b9537ae1f84f5a8aa83118e3ce288c3f

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
94KB

MD5
9a41c27bb0b4fe92263cc02541b0b43f

SHA1
5a975ba3ffb35138ad96949df2b004f4fcbf3991

SHA256
1030d93ace5478b51a722982043f0c9d361f1ef708750591b5c6a410a653ea70

SHA512
b62dc4ee2d2311cf0e4c569718bd5ebbcf980d11c2832ef0fd606aebea9990629914e9f249aeda8dfeebc6d923ad543348cd20b7b9990912c78d5c49f37a66c8

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
94KB

MD5
33e4db94d85d205c78ab4bd1bce1ecc4

SHA1
b050f3ee4883a4bd521f184a296f902ceda1e7e3

SHA256
394a919bc1cfee61732d28fa55e0d1e2903b165cb64ded0eb16c8422c7616aa8

SHA512
54c65e260faa7489d25e4ee0cab1b63313424d32f9f92fa3f96c6b66aa669e49d27f2cd1b6fbb99403b002d12ac6ecb3785138f1bdb0ee629d81be77bcdf18b7

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
94KB

MD5
4285b157891dc3b17dc36c41d9bcf319

SHA1
8ccbfe3ad63fe5f9fd402e90ca2fa155fc5e9ef3

SHA256
30843bbf73aebe1ad1333cb7c461443ab910084c50ebba4c612e0fe7fbf53734

SHA512
c3bff94a562c162468149dc53397be253e8692d291146d78c0a24f915a31b45df4c760f52921a570915cad93eda76003e3e79e28fea5e7ebde753e003efef745

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
94KB

MD5
98761f3d924809e8b62fd088a8a60389

SHA1
6885e88d4eca9edc3681707f60c49d7cd0372e8f

SHA256
850c08b50b2f1cc4d3068e61874271fbf00e70cd2a24318caf1fdbc4870429c9

SHA512
4b8ee070aacb0bd859d890356f38a75930bcdfadc2aed57ca34642618be95cb5b5b7117e6451926885ccce2ab0a1604f600af4dc18f6e9d8c34fb03c1862f35f

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
94KB

MD5
35f0496f60b9b1223185591d724681e3

SHA1
c84bf149f56a8578ea0b31f42dd3074597446e32

SHA256
dce0e0a4609aa15ae4711f49aa272931d2c6b96f108073868b7f6481e9e57eec

SHA512
91bcd2301350f4081eaa495fe19c52c7172062b05196e66fa5a244bb8143a5e06988eddda2baf44d145dbd61a44429d73b2f5311dacc5cc8ff59ba18b53098ab

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
94KB

MD5
ba427e222825e919b0e38e056072e122

SHA1
e7cf57a57dc34137799258fc703aa77a83db8ba8

SHA256
c0e70e9dd9ccad3843aea3f2758c4db7557be0aaa76d33fec3e3d0af7ff8f3d7

SHA512
3c32d22772831a64bdb1ce9bc1db71f1efe73f218b2015e6d35496643fb9c01ba6add8224185a1b7b15cfb21ed28cedb55f1d92b3132acfe5742328f36cd5de2

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
94KB

MD5
9ae3045a2b9e2f1efff6b4dcea4b0cac

SHA1
6dcf2c00f77da53fde9cb3d3b40e29287b5f80b5

SHA256
d6bb2f8177f5ea066e00381d685fdfc10b49395f88fa938a11079dc143bbd529

SHA512
9b8f6782b4b4a14c4296c96a01537adcf9b1d7bd1342fa0db0d728aa4765dac285bf9108a828dc6148919f61a120f90b193343cf16fc333b15b527d0a37fe987

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
94KB

MD5
2f9f1785882454a5ce00e5af32285c88

SHA1
8993576eb1d7f75dcc27884143077a3d9cf57cd8

SHA256
e9f37f9ab501e4e7186e7abe19f39b6eeabf3257f345c1b8585b79a68ab23d20

SHA512
7f147dd6d43f97609babaea730d4eb49d623b2417270b9429e76b8f2c610f8eaa16fb775b0f610cac9fbabbdfa2a13cec598d673da11a9743040c0f190016a19

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
94KB

MD5
2ad7d050beaafb0c6fd9348798b8298e

SHA1
844fd340843acc585f4fb6c0667f7609f9cb1cd1

SHA256
323845fe40d9730e29ed2978ff81e6f7bbe0349b3d773634bb597e9196899593

SHA512
35696334276bee0c836b1c69dba33eeb896ef490412a5950a394d0f76376315cd1164257838899946e53f7ebc8ee6e791386cdb47651c29c0944d01b1fe0caaa

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
94KB

MD5
8acd464ab9a3dfe82d63db92f4ef5c47

SHA1
98afa259b72588f9818ab66aa9645f524c096557

SHA256
9c96412453c8f79fbdd6cd156b2da09f5a3409ec4ab09cb2cf13109c83f7c0d5

SHA512
9181fb19e31c510c2e11b3d8c37f49fe3d24b673021fd706dbca3bcf0399ef06e7df1b36c9034781ec0ab13d84b238017fadbfb4f2177801622be37a098b03f7

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
94KB

MD5
7c237df33aab8d3dcc5fcdc3922c720c

SHA1
fd001e1845232caf540e5d96c7ffb05cecec37f7

SHA256
46f015369f416dd1509d2bd3567a2ea32b93e4b6b5719e6c4040fdc3912228d8

SHA512
ad8fb89ef2f50bae86bdd00c7ea73195c8841cdb6e11c6eb68cb39aed8a5048b91fdd69fadd472e33ce7462aef15d807986c6bba99567c364e5a847c0b7184f4

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
94KB

MD5
5d7dfb8639685a9c493ea366b448ea20

SHA1
b2f39b6ef02a6c764877a37e123e022cedfeb72c

SHA256
1084eca06305469ce7d66aef78d15b6ca16c9917833d186ffd1feed15d4e0df4

SHA512
9e57e181f1c3b7874b67ba647b1638272083d20cc094fa739808d80580749c334a250ad7d96249c3dbda83ef33244e3a744daa520c287b5879bf85257784c206

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
94KB

MD5
edd706cbc4e893c0ae6df99ed0f0c332

SHA1
de202158c987e46f77a5072c14ca9b036ca08a57

SHA256
70b36daacba26502af649b1142d2226c6eaaca00bcb43aac5e431e51e61a0c29

SHA512
4c307d76c6cebab9130675191ea8e9bf2deb53c3015a7744ff7b96cc506a38ddadceb9fc08aa7334b13a3448b28b4af7e4fa907a63e94499a244cba3d8c7e622

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
94KB

MD5
e751d94d8c88fd31c3109795bbf0073c

SHA1
01a2abd62efb915a5712fbb5600cbb2ed436ed42

SHA256
0789ad2ee7230085527487f8c3ae79809ba7e50b3d301e245b0e31d8ad6b532c

SHA512
f305a49b3d1d0021d7ff96d3268fe8f529984c39947b619085bf686c2423f2913c797b2762ef21e0a3b9d5949df860f6074741d7d68d7f88be042f107e12e4d9

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
94KB

MD5
565a231d9191a8f2a4ff6763388d2f76

SHA1
e885c91631eaa9c9c12655330495085718e6d53a

SHA256
935c003844fd6a3fe62c681b8870f287507e70558556cc7ce8b6867905ed61d8

SHA512
fa3b2be42c41862cfb1dce2c7ef4f26f98ab0516400cc634f1ccdd16f3228ed643e39191efae7985aee740c6996b0f8c72da11c019fd20c0f98f6fcd603a48bd

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
94KB

MD5
a1dbf47fd0bbb180dc3bacdde5b13c86

SHA1
c7e6c024337a26e839588ad3ea6be833aa320e07

SHA256
f138ae9925ea4bb6be82ea6fd8d9b72c1cd921cc2a80978776e747559d58ab19

SHA512
798660b4ac73d129c2cd4aec7d7f9dea8f8fbbc7507af4e9ca5e2a938354b3a363770310ef9addfe63c1a8a1be91231258eca85dcb2a5fc3c015d11306e10268

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
94KB

MD5
7b09273c18c9077fdff6095a2a14d893

SHA1
cde6c388597fc9787c9312ecadd5c793c7bd7521

SHA256
f6d81cce35112abc653f031069c8946183e4490474b03b626f85b5134a849a53

SHA512
73e02138efe53fa3ef37ad3bd965cf7ecad8a27c1635f15e77283a8dcab75fe1f6654d3fe935619cfb612ee4debd5bd1fe1d23178b4768b526708a44e2123be9

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
94KB

MD5
74b239e4cd399a124b0dd82a624a568a

SHA1
680c541f836a1ffca27dfef832897369b950a631

SHA256
e32a8f9a2d8a77aff48289224d1c828445512101808d6f2b1e43c9b081c64b15

SHA512
0351a7a6b8d1c3fdabc9a4996fc055c6451fcee82c09081491b8c759c4b073796a4bb333c6ed4b9bd2b4c2a08c4e8bd8dd792f18c7847a0b9c90ba69e6560652

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
94KB

MD5
7a7a10d0ef5518e7ca5c888ddd72eb78

SHA1
5ab76301b3024cd682fcde522637858dae0797ac

SHA256
fde1adcca87de7a97781cd4a4f2094580a19fcd75cd5aca24bed2d7f02d1bd2a

SHA512
7280d691a1dd422fcda0f867595476625e74cc44ed0eb6d8bf49f1c5380dcd19ad77e1b0eb2526bff4f4ae229246564fff438f9d0b16ab6df3d6ad4d0d1f9a5d

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
94KB

MD5
2ffab602273ca662e44c34b2a2492dbd

SHA1
045ccb0fbfd98191cca1e60c7ccd11e2e7800975

SHA256
a96b8f8d18f15fe20b3e68da1195c6372414328e0786b32712c19df6abdadfce

SHA512
99f292626fe2236cc7e0613aa63ae36e8b0b909f6485756bf46bb33cb50714f5ae1c5958369884a89a5efe69e81b8a7fbffc1e81db5e3283655b49cc48cf37c8

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
64KB

MD5
e932edaac3a0266be9e08893d5eed2a7

SHA1
7c5c3c42b9df14100d1ce82946f848c50e049944

SHA256
7c0db5bcef423b79387d6a804334d639c2eb6593b09d61f26b89329bc09c5a01

SHA512
2ffe2b0f1043e145d3aaa494a1073db99d414b09f6a02a831a66fe0cccff7eb655aea318f541b00acca28ef1c8bffc0e26f9deb699a6cd47eb74aabb114dff80

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
94KB

MD5
3df47240f2cef0c03c4918f1cc75bab0

SHA1
74b402b7bf9119b09bb73df61df0edea57bcbc60

SHA256
3592898c744efbc97fc9a7a37847b6bcd7ac14b125549922fe9fd05a5caf6626

SHA512
4473a1fe8ea8e4bc22107eb6494f4cd041a258bee854964dbb5a5e4f3f509c74a54902418e205b73ba81d089a5901b86635f16ae35817bfe5c119e5094a8f4b3

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
94KB

MD5
0cdf48ec0290a3a2d6263060e3493c3d

SHA1
d885a61cba50be5a4ea9efa52738a06838aa3bd3

SHA256
76b0aeb9ca434915b2c424184903d0907ba7a8d491123606ddaf87a09e5a52f9

SHA512
cf7c8df0d741a9078764e12b1c74d77fe3aef24e70b825c7a05c688763f443bd3d1ba7dca27f8a23f0e83825ee80ab38d3b0e992038ca442e55bbcb40b4463c8

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
94KB

MD5
bc699bd846efe6c6ef3470339161fa7c

SHA1
8ebaa2073b24ea4a4cc15ee5545e003789a995be

SHA256
af3828e3e01678f4346f3069eb62cfd9b5dced3872559aba9d8dd19619d80aba

SHA512
143c517487560e2ae067e666fa8d942ad9d3e7b5de26c6c207fd46a10d6b6870d7c7c2e42907ce6e0e7aa479e4c20d27bf2cfb1c712b3b6202bb8e26601dcc9d

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
94KB

MD5
7e5787aeb4baa5322dedc57700402bbd

SHA1
2d613cf8b2f95d117f22dcb83823d88f331f4f01

SHA256
98ee5748a08c1b2abde6fede89cbba8e179c9864bfef6a86e6bf71bd2900a106

SHA512
8330b2b8e077385d28975f8fd8532ff7329fd88f59a8505fa73bcb8cad264880822313d2595b446e8233874651d208583182c71103a2be8ea27905f1a02b0323

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
94KB

MD5
dc3ae214d6676a9c5964ed9e90866b33

SHA1
58496294adbf0d6249b2ac450472187fbc33c28f

SHA256
cb1e429e677d3997bf6af0268c525dfdb102b1651cd8aa2a34635be396976d22

SHA512
9f6b545ff4065ad0e81019143e5f3cb0cc511e9713772420b468a03c9a54b9de5ce78e319cbe50a0b98cedaaa30c7496ffb10e66ba4395d0efa163a482707585

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
94KB

MD5
b094dd0f3c3233d79273a22535f502bd

SHA1
6f8fb9c8d8095d67388027a6c2bf9ad9a57671bf

SHA256
64a74184eaadeefc5615f5ee9bad4103b5a9519c0689421a5eae8c6f3ad4acf9

SHA512
6306c4620d76a43e49d972933faaaf8970676ed864aa4a452a640c216937867591edb745d136d91b1cb279ac6d2440c53ff3ad1c1b016e84dc4d838852173ff0

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
94KB

MD5
832f189bd4c5c6fac9bf513c5b2a4d2d

SHA1
55c136e91a514808e61caa4bc0db6a9c5bed6550

SHA256
81347074b1c4f90d4c76e7b292ee2b28565cac79d769ebcd2750cfad236b5e4d

SHA512
0e5b02915af93be28270112f66e55940db362416ccaf888a6ec3b6f4da5f4d370959278c187593abedaaa4f1bd4bd8042146488f68c6214632d17f063fad6cff

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
94KB

MD5
ed2c9fc5e02083cdebc8793691020eb4

SHA1
7ad926ae618d3077ef7b5f8a1d0855746bd5a3d1

SHA256
495c7cf27014806e8c19866e9bcbf06f679c440cdfa2baa7c7052f64971f4910

SHA512
6cdc13173c7c1f041ed0ba9ffcd87c11c334db1a0af50c291e3410d74dcb0dcc57f9707ed20f8d472e8ddd150f4160204b95f5e8cd13d8368abadca49fccc38f

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
94KB

MD5
3604dfe191e2a8188ab12bfafe05d5df

SHA1
ee0e247a89b879a3e428f9c305b138612b37e910

SHA256
bb9efcf99da32287787f814f370b178111d8d1bd515dd930b0619f42b2603b9b

SHA512
37fbd838e14dd7644af9f13a375a87517f75dfa4b0cd8d0e290655fd2e6b207548ad759b70e4598629e415bf51e764d4b2b998879711a7eda0571cf8043a0274

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
94KB

MD5
ff5a8b979ca6ed4e9e00d8ec3f1d6d94

SHA1
68f47f06f188ec86bf7c31f7b962fb566642c727

SHA256
5aeb9f69c8a4ed9901699fb69447d96c4be97bc52b376915d77f6d71a536886b

SHA512
972f2e8fbbd0201fbae832945e5036ae03d7065e97cc5254abbdf0647c9e585a46fd168cba91f60dd942f1511d8a329e0f9f6895429340de9293ca61d834a674

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
94KB

MD5
5486a4c5a35ebfa546d50cc1d56a5df5

SHA1
237bc83f2af977649068baf3ef94ffd6efd915de

SHA256
20999eae2675cbf373fefc9948265f513acac8534a330f06a0ce193cdec1ef38

SHA512
6e8a0399b517ef988f43479b95476a4dbcd5916a56381a8c38d91b1d0dbf1a1c7fd500941181ca615b9144283a5fbfecc2077046905c9222a9e3519dbcce1c2d

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
94KB

MD5
609ad7cce76edd00e7c7cc502a7f3769

SHA1
ea88aa0b65ce267d6e9b24ddd6c766c782614d59

SHA256
a2faa001d96f8403e891c0bc7a822a11bdd657142c9dc614ed6abcf0efc54b8b

SHA512
3267b0c5a58b51e8b9a660f697192c213a2e6162edf8e8b84a0d8e0726204971f22a6cfd8f3f1f00b1b9cde8d41669993ddc33f06532cdaf13f5a7134c45fc5a

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
94KB

MD5
42c2e9a83ed75e095f574123287bbec9

SHA1
b7edf780281e9104351593b48a9eb48d52451d52

SHA256
20c5a57de4592d6f4db6dba073ba943f525a3e589550187e3f4f3f0fed437a02

SHA512
5d48e8e88102ea7cb031b1fa1230d1d56810bb73ab64f4378d72efc7b2a29049abd6d048c03f6d655f1692b65674dd3b7eb21e1d748e3881c0e83cf73c40d0a0

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
94KB

MD5
947f0795407302523f0e7d66dcba5976

SHA1
44992d2af1239b5cf44521ef358651577305a510

SHA256
541de4b0e8b63d66722f3c266407845d0586d4923db7f84d9460a49e0cc81b3b

SHA512
dad92cbf654847b0f936e8c739d1050f40d36af44379974a746a6b6c2d9eb5d79b770418b7baeeccae835fde5d6e525a7e3af950c15116d73fa9935542081bc2

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
94KB

MD5
9d45c7a4309addf7f4dcdad311a8fb54

SHA1
d0cb3d5859be33aa3aae28ac1030317039071db7

SHA256
d10734e097f3c151c4d08cfb4e27f6239d740ace3c1c59b331a6e72666e8aa8f

SHA512
cbb85ec07861f776ddc83802ddd7ee8710992c7b2ceb7ded9bc4d1e8dea7d26034f85f1052c833bb23c6d790cc54ee9facef2b4ff52824aa2e5eb578b41cb153

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
94KB

MD5
69c76018da7052c7aee61ea53f6dc3c6

SHA1
e1d889148054bbd9994cc8b4a41730d9da61c2f6

SHA256
4b0c312b6514bc6cd203a7c23165967acff407cb4f263c920003e10cb37c382a

SHA512
8efe2c5d32b958188a105791407a2f3c1a367bdd049274b0da14509142d00ef0b9a1efc648458f94cd4c13c769d6fc23cd0f7c659e15f238350131358139a6eb

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
94KB

MD5
9bae6f1de3bac712e4809fdef1cee331

SHA1
34be527c37dc09f610d8024fd2b5c8488a47508c

SHA256
e9b40e74ecede1d039874f812358d308126d1b2cee6c07aaa533e7ae97acc06e

SHA512
d7dfc59e78cb0345e85b14f938f17d49cb3ef72e6294edb0ce76a8b70384f2de5fc66f4747263b7e04dd74505df96715feca2c77011b6766fc34116f996184e5

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
94KB

MD5
76ff7e3cf4d4296f93c3c1267d180186

SHA1
3e54bac93e0c46a43e6fdca4ad6e3c496034e5cf

SHA256
050292944bed9baee4ded326f60942a2aab78320994ff0fbe105d12859bdcf07

SHA512
c201809931c11f43ecd88310e26b455d9cac2a27006a4098edc6bf16c7b65ba32c2c431874dbee2d01172337b222708d080fec189ca3722694e78f76f8290491

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
94KB

MD5
aa5f9450338ba7f375a2c44bca2fa555

SHA1
3d680d173b816cd18e037da7c05b651e59008ca3

SHA256
18678ee56cdf9510b1e720d71fc762d7dcb03a4835e4b27f2ab582e0882f1af0

SHA512
e11ac981e18546f2ec4825e647b4bd1b33e1382b8860952ded89b5fe9f9a150e0ab108ce0dac73a0ca44bf88b4d944e605cb750af3a2528deac20fc16d2241f9

Download Submit
memory/60-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/116-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/444-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/560-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/928-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/932-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/980-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1120-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1152-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1356-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2300-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-584-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3108-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3220-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3228-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3504-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3716-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4020-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4084-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4192-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4500-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4516-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4628-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4776-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5096-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads