berbew | a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0a

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0aN.exe
Size

236KB
MD5

a989bb6cdc9f93511010a59d7e33bfb0
SHA1

2d60f8f49893d46aaf134a5e887bc6c466f24d33
SHA256

a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0a
SHA512

b89ea3acec282759ec38c041c1fe8818f05bcf87d71e388da7681f9a831c8083e8337562862d3043e9137a95ef989018dde72833321d4a18f37ec750ea308e57
SSDEEP

3072:UWCrnVVsmDcIDuj3ZYKJ9IDlRxyhTbhgu+tAcrbFAJc+RsUi1aVDkOvhJjvJUp:IrnoHIDkYKsDshsrtMsQB4

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2288	Kemhff32.exe
4172	Kpbmco32.exe
3736	Kfmepi32.exe
2172	Klimip32.exe
216	Kfoafi32.exe
4652	Kmijbcpl.exe
5060	Kbfbkj32.exe
3648	Kfankifm.exe
4256	Kmkfhc32.exe
4584	Kdeoemeg.exe
2144	Kefkme32.exe
3092	Kdgljmcd.exe
2344	Lpnlpnih.exe
4348	Lfhdlh32.exe
1276	Lmbmibhb.exe
2636	Lpqiemge.exe
5104	Lfkaag32.exe
4424	Lpcfkm32.exe
1028	Lbabgh32.exe
1136	Lmgfda32.exe
4644	Lljfpnjg.exe
244	Lingibiq.exe
860	Lllcen32.exe
5068	Mipcob32.exe
3544	Mchhggno.exe
1164	Mdhdajea.exe
2100	Mlcifmbl.exe
2924	Mpablkhc.exe
3240	Menjdbgj.exe
4200	Mlhbal32.exe
4824	Ngmgne32.exe
3904	Nngokoej.exe
1656	Ngpccdlj.exe
5112	Nebdoa32.exe
5064	Nphhmj32.exe
3312	Ncfdie32.exe
2412	Njqmepik.exe
616	Nloiakho.exe
3088	Ndfqbhia.exe
832	Ngdmod32.exe
4624	Njciko32.exe
1888	Nlaegk32.exe
4372	Nckndeni.exe
4464	Nfjjppmm.exe
1516	Olcbmj32.exe
2024	Oflgep32.exe
1580	Opakbi32.exe
4792	Ofnckp32.exe
3440	Olhlhjpd.exe
2400	Ocbddc32.exe
2764	Ofqpqo32.exe
4272	Olkhmi32.exe
1752	Oqfdnhfk.exe
4008	Ocdqjceo.exe
3892	Ogpmjb32.exe
2964	Olmeci32.exe
2120	Oqhacgdh.exe
408	Ocgmpccl.exe
3612	Pnlaml32.exe
2056	Pqknig32.exe
532	Pdfjifjo.exe
4312	Pjcbbmif.exe
5020	Pqmjog32.exe
3500	Pdifoehl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Qoecnk32.dll	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Kpbmco32.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Gnbinq32.dll	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Lpnlpnih.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5772	5388	WerFault.exe	227

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Olcbmj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 2288	4048	a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0aN.exe	82
PID 4048 wrote to memory of 2288	4048	a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0aN.exe	82
PID 4048 wrote to memory of 2288	4048	a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0aN.exe	82
PID 2288 wrote to memory of 4172	2288	Kemhff32.exe	83
PID 2288 wrote to memory of 4172	2288	Kemhff32.exe	83
PID 2288 wrote to memory of 4172	2288	Kemhff32.exe	83
PID 4172 wrote to memory of 3736	4172	Kpbmco32.exe	84
PID 4172 wrote to memory of 3736	4172	Kpbmco32.exe	84
PID 4172 wrote to memory of 3736	4172	Kpbmco32.exe	84
PID 3736 wrote to memory of 2172	3736	Kfmepi32.exe	85
PID 3736 wrote to memory of 2172	3736	Kfmepi32.exe	85
PID 3736 wrote to memory of 2172	3736	Kfmepi32.exe	85
PID 2172 wrote to memory of 216	2172	Klimip32.exe	86
PID 2172 wrote to memory of 216	2172	Klimip32.exe	86
PID 2172 wrote to memory of 216	2172	Klimip32.exe	86
PID 216 wrote to memory of 4652	216	Kfoafi32.exe	87
PID 216 wrote to memory of 4652	216	Kfoafi32.exe	87
PID 216 wrote to memory of 4652	216	Kfoafi32.exe	87
PID 4652 wrote to memory of 5060	4652	Kmijbcpl.exe	88
PID 4652 wrote to memory of 5060	4652	Kmijbcpl.exe	88
PID 4652 wrote to memory of 5060	4652	Kmijbcpl.exe	88
PID 5060 wrote to memory of 3648	5060	Kbfbkj32.exe	89
PID 5060 wrote to memory of 3648	5060	Kbfbkj32.exe	89
PID 5060 wrote to memory of 3648	5060	Kbfbkj32.exe	89
PID 3648 wrote to memory of 4256	3648	Kfankifm.exe	90
PID 3648 wrote to memory of 4256	3648	Kfankifm.exe	90
PID 3648 wrote to memory of 4256	3648	Kfankifm.exe	90
PID 4256 wrote to memory of 4584	4256	Kmkfhc32.exe	91
PID 4256 wrote to memory of 4584	4256	Kmkfhc32.exe	91
PID 4256 wrote to memory of 4584	4256	Kmkfhc32.exe	91
PID 4584 wrote to memory of 2144	4584	Kdeoemeg.exe	92
PID 4584 wrote to memory of 2144	4584	Kdeoemeg.exe	92
PID 4584 wrote to memory of 2144	4584	Kdeoemeg.exe	92
PID 2144 wrote to memory of 3092	2144	Kefkme32.exe	93
PID 2144 wrote to memory of 3092	2144	Kefkme32.exe	93
PID 2144 wrote to memory of 3092	2144	Kefkme32.exe	93
PID 3092 wrote to memory of 2344	3092	Kdgljmcd.exe	94
PID 3092 wrote to memory of 2344	3092	Kdgljmcd.exe	94
PID 3092 wrote to memory of 2344	3092	Kdgljmcd.exe	94
PID 2344 wrote to memory of 4348	2344	Lpnlpnih.exe	95
PID 2344 wrote to memory of 4348	2344	Lpnlpnih.exe	95
PID 2344 wrote to memory of 4348	2344	Lpnlpnih.exe	95
PID 4348 wrote to memory of 1276	4348	Lfhdlh32.exe	96
PID 4348 wrote to memory of 1276	4348	Lfhdlh32.exe	96
PID 4348 wrote to memory of 1276	4348	Lfhdlh32.exe	96
PID 1276 wrote to memory of 2636	1276	Lmbmibhb.exe	97
PID 1276 wrote to memory of 2636	1276	Lmbmibhb.exe	97
PID 1276 wrote to memory of 2636	1276	Lmbmibhb.exe	97
PID 2636 wrote to memory of 5104	2636	Lpqiemge.exe	98
PID 2636 wrote to memory of 5104	2636	Lpqiemge.exe	98
PID 2636 wrote to memory of 5104	2636	Lpqiemge.exe	98
PID 5104 wrote to memory of 4424	5104	Lfkaag32.exe	99
PID 5104 wrote to memory of 4424	5104	Lfkaag32.exe	99
PID 5104 wrote to memory of 4424	5104	Lfkaag32.exe	99
PID 4424 wrote to memory of 1028	4424	Lpcfkm32.exe	100
PID 4424 wrote to memory of 1028	4424	Lpcfkm32.exe	100
PID 4424 wrote to memory of 1028	4424	Lpcfkm32.exe	100
PID 1028 wrote to memory of 1136	1028	Lbabgh32.exe	101
PID 1028 wrote to memory of 1136	1028	Lbabgh32.exe	101
PID 1028 wrote to memory of 1136	1028	Lbabgh32.exe	101
PID 1136 wrote to memory of 4644	1136	Lmgfda32.exe	102
PID 1136 wrote to memory of 4644	1136	Lmgfda32.exe	102
PID 1136 wrote to memory of 4644	1136	Lmgfda32.exe	102
PID 4644 wrote to memory of 244	4644	Lljfpnjg.exe	103

C:\Users\Admin\AppData\Local\Temp\a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0aN.exe
"C:\Users\Admin\AppData\Local\Temp\a77ecc66da194a017ec0c59e83e311c7ea6afa3bd885f385b93e633d47b85f0aN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\Kemhff32.exe
  C:\Windows\system32\Kemhff32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\Kpbmco32.exe
    C:\Windows\system32\Kpbmco32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\SysWOW64\Kfmepi32.exe
      C:\Windows\system32\Kfmepi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:244
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        29⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        40⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        49⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        57⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        62⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        66⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        68⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        70⤵
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        71⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        75⤵
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        76⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4344
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3340
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        81⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        82⤵
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        84⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:424
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        89⤵
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        105⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        108⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        113⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        117⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        123⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        130⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        137⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 212
        144⤵
        Program crash
        
        PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5388 -ip 5388
1⤵
PID:5664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
236KB

MD5
14c11d24dc0e36a9b311165ba113979a

SHA1
9e7d75ce6b621b4fb131c950ed58540810e44e66

SHA256
c9e59bfe1bb12b95bd03640a98d12382abac6165fa9bac053195c6f54e06e598

SHA512
001c46b3276e850403b51819804aa9de4c2f422e70271dd32b2d96203f0bd48551c5617eea3a2e8f043f8d5efe999f1678f111e6789fb98784777ef7455bbd6c

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
236KB

MD5
3704ed8cb23d4d80bbb3c25398068954

SHA1
2e0ff9227b19762df7d729ae5fe9a2410a467307

SHA256
e273f622c6115be485a84f809b37f4911ceabd37dda49b17896672829548bdc8

SHA512
8fa29f1ace0359dc307b35ac7687f6492ad6c67ec1bdfbe5078a7e85c2329338e198fb8127b2207c1f084822d33a76a532241cadf0ea12f7ddf8cf63fe7f084b

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
236KB

MD5
b6fee1bbe42852f9c16f271a319aed5d

SHA1
a1e9cc307f606e1709e6dfc2d873eacc361ae602

SHA256
303dd632a50584e8020e73aab6ff545bd7523409ddd97725725607d442779046

SHA512
50a7e0bc1afcc728a8fe171e4e8b99e7f8ad63104339e0f38f4eace6f7d07a5a1f91b19bfea736d95cc29974711db6d1e6aad47c2f1e90cf9ca99927c86892a2

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
236KB

MD5
2db46c4f84c88c990941e7deae11d2ab

SHA1
93e2e530ba36be2ffb9ce01adeec54fde9537ee6

SHA256
9e51431fa1153b9330466d932d5988ec0fd6d6d122a168ff237016fb5fc5efa9

SHA512
b6ba3927f345e7c02b6561712040df589cebe1a40f7bdd2e2bfd99983bcfb13971293f4e01a0a1a7a2630e38a22fab6a84880c108b18dcd2449c2b05d7cf1749

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
236KB

MD5
b232c3b77757e88899f53cf6a082210a

SHA1
4316340c0b9818af5dbf2ced172f036baf5f1534

SHA256
ee4833ad411281b319b043aaaf7d5f6b9f06536be68d055acf4481de7e60a603

SHA512
8da6e9e85d33c69bed8fd8455363fc7c89458f9d24330aa8009227e6d664a9d23c1bd6c8e6e965074fe2430a8dbdf5988deac7e467081c7e40c81d54db44fa58

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
236KB

MD5
244bf9788f3ca0c62157b1c5f0236cbf

SHA1
efc07b2e5c5786ac7271c79715e304aa9ef2cb2c

SHA256
1987ccc61a9243943e4d9a14b7c2fd6167bcb81525f9bbf0559279fe2ab359d2

SHA512
4f120411e3c6a2dd2aa887280eb7dd943d6047a7942e900bf2c18dac3d413c0f4ab840cacda1f818582620aff6347ca1429ee3f10d3ef0dd372bc99e9b004a5b

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
236KB

MD5
09143ccd409d4c87a10be2a284a7c348

SHA1
a4cfa4098cf7ca4f3f35a48db2c3de8bff31633b

SHA256
f8194f52794be608172b05357b85016a3f0c2f8f71b1e47edddfc27f440134d9

SHA512
4e905365e8a5464bf1782fed9d0ed621047ccaef25d3ae97d485f12a34dc3ae54a6f6c3b3c668050fb332c041bf7bf9381e671d5faca2bdd82332c57186ca495

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
236KB

MD5
193f4e23380f6f35c9730430d0f0dd3e

SHA1
01d100b00f431091ecc93b448c4c54b9080b67cc

SHA256
c1845d29ad1052ca325c2b169760220f7791799b9887376f4ad0434c787b87cd

SHA512
9d4b4341c09e234cc02091a5b76682fb3da2eb68e044402ae712a90483d7b8a279360152bafddf2eb58cf49dceaa0da4cb59da9543c5af3ed896bf61bca8de06

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
236KB

MD5
b0edb50ae83508b3bbbfd95ed3117a82

SHA1
2e2079962223148ebaa49aa518072b9effa13b58

SHA256
5541f265e6705142ea5549ac7dbb2d220bf3181abe25acb2773af18a3e50bafe

SHA512
479c6ec87071723c0860f925c9f908c597b08a719c9ce9844b1b439facfd0bb80693a2032caab3cff6c540a59bb71f1a7332cac5ca83c1289ace592743fbac2d

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
236KB

MD5
b1067e8cfca2acad437b03d8942e66ec

SHA1
d70e4db4e294832db2341a5b35d84d9c49d66fb5

SHA256
1b917d882d3e17885ce911805f7f4985db98e0b781b402cfe6164e464637e081

SHA512
596689809a21404a47936a59d89eed68ea0a04fea621d99266533f398e2115c39bbbb59935d918709a6e906f3a7d2432f4625b6a1864d613540c954c0853ebd9

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
236KB

MD5
028c3f946b17c10af99fc307dc2b836c

SHA1
6964645668aca84e6e9217a9ee6a03489d7cb01d

SHA256
5c4434d5213a07d19b3b90ed66efb9a65f16c24f7fd0ad2786d27e31d90c4bf9

SHA512
ab0aa46c26b55eef9cd01732757b01513d5e0e4de37bb1e0b7b4dda4d6a324aedc4149af15406c2b6c8b38b1e9c024d1d3b51af7ccc616d0ca9486580efb68d2

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
236KB

MD5
43f53ed63e963cdee25de6f47149c9fd

SHA1
4836880f404bfaf9db47f8b71bc4af8b9ee842e3

SHA256
e7862506373aeb459a8b8de01775969eb4642d6549b595d14a13c931689e8565

SHA512
c2b4fbff276fa7af7bd602b7a92ce55241040a95466bc0d9a980e1fec2ebd8d47458a9df74398737b0c78f24d4b5350c94c17da8206227410ee3bc1989641a59

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
236KB

MD5
a963f4a870e58cbfa37d4cd834816b3d

SHA1
51098e8248096386e257999c33da3a260bbad484

SHA256
31a879d6cbe90b4714c862e8bbedb9a8b942fbb44e8db905d4299480faeb8910

SHA512
80123a31b7b81c56ecbed101189448e915ddb620728a4e71622f317c8fa9f0bc3f2b30337ba37ac13a26e250841e1b10cb5bb9413b3f6d0f745ac9f82dded171

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
236KB

MD5
32dea05f1a5d62a915ebd97eef076381

SHA1
6f6f3f01e09ef1cb3fe434d8f5cebb9e59d24169

SHA256
0002ff4a34cc1a5377ad94e5a52a02f2298628ce043714a9a35c5937d61b67f5

SHA512
a30dc0222b0736d2d8ecc39d2fd4722a819d2ed23b564a5a1760a7d42787b78f39d2682a5bc0cf4918d6060d2061bd9c72b4af8660dd43ba17d135c38e5e5bfa

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
236KB

MD5
7db5b93cc03df9e13c5f1a970de136b3

SHA1
a2b0f86b2970b0566faf4f85e67b2144d025221c

SHA256
e6de6252e5fd2304a8d0b647a23a815a6ec4eaec19cd4278828918db5165a6fc

SHA512
fa302382fc4dd0dc99cb9700e0cd69b2b35a12a75365fa09c36bb0df5a2337a7256a3b06d81fe5778f724a8e25b97d31a91ae0fecd9916cc93ac4d0462322932

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
236KB

MD5
91aef14ff90010603fc03bcbbc2d430d

SHA1
ee122c41ea6eb3b42b0d9a1cb3dfd79e285d0de7

SHA256
2635348cf7ec07f413435ee686fa4f45bb9b1ae300b28dd3b3b72bbe622cff64

SHA512
d80d855c19e8140c2e130e496e901e8d88ba575286a7bfda2e0244c67214cee8876c56ec321bc1da878a14c5b6fbc4f59d42381e45c9ebb002790d74962ccaf9

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
236KB

MD5
f9716af4d59762ec83bd79c2e8f69910

SHA1
f1a086784d7b9cecee63180a9eb6511ca51b6c92

SHA256
8b4bde3691dc0a7818a2f469c3006afd85a903f0ce0b277e8c396f89ef931f7e

SHA512
3ac9add679800c7b75fc11ab5d26a11d4013338e01ff55d503362f309a4c1a6431cc663a79e659a4bbe3d69cff0803ffc1af5a8c031de4187ba2c844eabdce4e

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
236KB

MD5
e88ad605f369ec839d07e12100a9bc47

SHA1
d549918dc320ce89f2ca7387d4ae3f92eb8d228b

SHA256
06702da3b50fd16cdaeadc802b1fd739d02291ed7c98db0891b075cee225aa47

SHA512
1d20dae920e7c832867e7d903c4db3df15487eaaafef3f16c5d0b89a1f8b2e6fecb082f074d1bc6339e28e2c0efe5ea2aa63963420853442df801087435fc6b0

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
236KB

MD5
e2da9376eedb45632678b1186fc2b00a

SHA1
9d0f9164c5a15e573dc62b52ab119dfe11db983f

SHA256
33c958b286027e838eb8e5671756c441dacab8db98c9b9bf81d219a27e758a85

SHA512
605d6920e3f175b14e8c384238488407ad82c5640f61729896157e55adeb182695f935658deb31307d1f86ba325c7e540c0237350e86de9a4ee28401be8ca8d8

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
236KB

MD5
c6ef3592e184f02d46e2c5721377d838

SHA1
071c244f70c1e266319c6ef6db1779b8fa6c8c95

SHA256
e39db16d8afd696fc5c51828226d395c58c573edd3b3e1be1d9157c907096175

SHA512
b764b61d42678bf81afd462c3f4dd9b500b2321e893c0d537a5a39c21ec8ece7c10b9c329ba1ba86ff8d1a4768edafdbb625df91ae3070e698c2575cbd868ee7

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
236KB

MD5
4c0b014549f9b3d20b455a058c70d578

SHA1
3b2893799374e6e3c952f5d0c6e6a06c87fc681a

SHA256
a714e379b42f614fc774e69d459cd3ad167e5f9b1f19752f22dae7b02d668e17

SHA512
a4be9290e9b5c24c94c6d67781440e87f4c510d6278991c342b5b773db7d868c5c836f5bc5c9dd3ecff729df39e2af0eeeea1767ed6ece1d4c3fcf808fcc2bff

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
236KB

MD5
dbd5d979f7b60a58e07572780d10a560

SHA1
f8488ae34ee6f31964ff247428410c7677de55fd

SHA256
9b0f98a9c3eaf62531ff578f63f2ca7c8994f0038063198294ded1967eb9437b

SHA512
f5cd3c43a511a29fd42b6afe0043826e83ff01ed3301155075d410189e367bcdaad6f49f9c6dd131accb292ba0a77a05113d569e0e73bbcf8860dbac38137750

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
236KB

MD5
0549d804cb8403a3cb644992ca2b703e

SHA1
93b9a8b96e7baaa61bd3747c813aa0c62a2dc136

SHA256
a7e798ab398bb92c53ef4575a9741d9e03b5ff3819f44e0b62af1dacb28a4020

SHA512
c5173740e5ba325a4d4ddc188c6f561653e453ee735121358378218c11efc0149c56b2fd861892871699a12d89b63ea8a5fcd288bbaf41a2cbd30da686c8406c

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
236KB

MD5
6a6cdab30709517b7c5494192751e6fb

SHA1
e603aed2f06fea85237d06ab071bb47893b8343e

SHA256
e53277578836b8319b47c34fce702546991ef562ded39c34183a935a55986c7b

SHA512
fa09e9f848cbaced1efbe50b1401a51a3555fb228cb0bb134bb19fc0b96f45ba87909dea9718797d2a51afae48c193b28aad8ee346494457e7eae14c7cda392d

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
236KB

MD5
9832b5a6f73ca976fefe3f403265aa6a

SHA1
e6a6a8f963776c3cc8d150adc2956f9cdab918fb

SHA256
aca07e9ce0eac38708b99c9c2fbda0d51d47051aa0f289c547f8c5597ea9a8b0

SHA512
3e2ee9364388d9f4fe23476aaa9b077851bb86a058cdebbec5382adec1478f329af68790e8e4ccfa59e92df0f1de66b4a7bb3914f60ece07fba116ee014915c2

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
236KB

MD5
dd2921fcfc07d3b2095cbee49f32b851

SHA1
afcec2639b94348b8fc9bbba290d64917fca87b7

SHA256
ce1c155203c138b2037164aef8b0e57d81eed88b3639104a4d32975329e029ef

SHA512
235fcf622be6fc7b5c89e429775d572568afc774f8f4ffc2e734b6847a32b7b0f1a9f1938ee028cdb1a8dc9ed734add98719f6483cc6bfb8631c71907c1958c1

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
236KB

MD5
c5d379b6f1adf7c17bd36669516b06e1

SHA1
f3af16627181d9f97c345b4128df3549374f339c

SHA256
904dc461ac0372f65af9cec822b5e75000fb08038cbb01f04f065bc66d322160

SHA512
dbdf9ac7d999ffa7692a2ec4ab50c27bbdc212478e130ea40110a0c53d578b16d04f99cea78bb74853bf2375295f59a30669abe60fdba24aa9e98147be281de7

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
236KB

MD5
4d5c629649ac42a8b19871dbc13143c7

SHA1
dfe19f464c4a0064b1c0107e5baf3d5882ba5426

SHA256
e319883efb4a0f3029df008ff4c1f377987f44ea137ae044d6e91ae28359c150

SHA512
b8e3070074b9bcaa1af8cfcfd2c27c752bb3938e9c4e4cc8b926664a3e152b24b63828b086a0c629001bd03bab49a629bcb22cdcf130a1f335c36d02ca8e33d4

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
236KB

MD5
afa4dd0d50c71c2c8ffe2a2dfa305963

SHA1
32d48f62e9f3f5e8bb7cb43dec406e00a1957756

SHA256
d39ad1cec21019c572cae0b5ac19608742f2335c74ef2d8d7c3c9bda44b88a43

SHA512
9c1de0e36192c77cc077484ebf84bffad542804c84b48968c30c1ee5ed2fd9ece7ff1742457e5f9868080ae828ab88baf49d1c363f745b09f2ae90bcbc17a086

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
236KB

MD5
9bf6ce5bdac07d27f96ee53046c9002f

SHA1
882ec840c2ab2847f845633f493c67564421b72b

SHA256
65f6e1bcaad387c5e92d05d6e7fff256e0081b65fee786e75c2254fbddd0aa36

SHA512
ab35cd82f3d2fd2dfe6fc0f279086ae538e952efa5742167d7c74c51e7b66d27aab72a6587862250681238263b126af8aa8b874278a6933c60ea06474420aa12

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
236KB

MD5
d112b20b2fe5fed7a804969fccc8595a

SHA1
5e88b460e698ec63eac15986eb03f799152b28be

SHA256
023d566c8074e739c431e5f993ebc8a900e8986af246b5a57b0735dc6bd30c55

SHA512
487db76a3360e9b4ae8efe50d720ae780d48c4839644f5896f00faa4ae122f63d4849c5bbeffb0b070907618b5f8006b220650130a956d5e4086c8e99c47fe1f

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
236KB

MD5
df6068bcd9222478dbd867def5b68da3

SHA1
c22acfecaa813014313dc04a20ebb586dba694c2

SHA256
c40f9d3f099475bcfd8ecff82df16813bf878cdede40f9c93bffe3a5406d482b

SHA512
6e7c89884f8efae1c11d9233c4267229920081dac0f4f659f4ce7fc2819d39dd9fb90ff9a167d5e300ad20ffe636d0a5929fd3da116baf875f54b2b1215f61ab

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
236KB

MD5
c5043304614760446863afd16eeea235

SHA1
484d8ed3a5c12ded4b748746664ec894bb299944

SHA256
643c48ab0c25b56ff4c06328bf7dbb054569a284355634bfe30f9b8144586485

SHA512
4c44ec85704670f500a9979a2870ad35763aa377d8135d9ddeb06bf73fe9d84c5b3f11666bcd2e8e16c3fdb88da5ec8a9d544718481683dce16c62f5ee066af8

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
236KB

MD5
475a9bf2aa146ce5de8a7725bd81bc3a

SHA1
e0a9ef76aae2c9c001b74e4edc7b04ea806677d7

SHA256
7407865d4f670970a1a30f08c26186a90e828dfc04ab98814d439e12d42578d5

SHA512
4da740b4c8c982cfb5ee43e8efb808dd388c63915405816e554624702d8eb15a7fe6b4bbc13e551f406f1b5d2cb55d024708dcd9e6067420febc10a8a0d1ad20

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
236KB

MD5
b233f2c4bfd524d2fde611f6a2c56fc9

SHA1
b05add32982a5ff862384086b84475d009236f36

SHA256
e7627b64798b2c8f0943c295156b82f992a3149ac9f187d3aed2707b2237d335

SHA512
100f99c8f3a2ec4b1dc18130a6915e47196a277f5b44beb9da760745ebd9928870500d33d9fdad11433ee7cfa23cb9e7f86ece9698b1097b43690f8226d1b8d1

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
236KB

MD5
d222921c55d2a18df68fcaac94546a66

SHA1
33cfc3be001ca5bde55942172cd64c405282c3ad

SHA256
9f0f169dcaa379b432ad9aef814d0d95918d2e04c16cd6865783522f873e36dd

SHA512
c8a5a941e42cd8aa3f4667d509a4e8f811a8dd57d176983145663eacd8a88759cc076f72af82fa3d56ebd42ac9ad9381800c1d7e896d954365654d9db80fb12a

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
236KB

MD5
44a8199de2c4e1b7f59b9da7dcff3a5f

SHA1
d9dfd8e11f5b3fb8d3c564ed2096bad33b888a2c

SHA256
7d475a4255a57a6b2e123d0d42687dbc9f563a88a3e1b977639c447d82b02d61

SHA512
dea94f897e6ab7dfe00f7405bde8189de1cc335dd8cbd9970c4c7969bfdb29eece15c79e35d8802b3426258f273f258ffa6871b66304d314b47a5a8c83c86c6f

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
236KB

MD5
f10e79b9ffe65db0f3708f0a47ea323c

SHA1
04bdec58ae9d0b9478632d35b46ce260c29cc39e

SHA256
40f838d4c5a14085c2ba5c32278ac827c45073cf676fad9a69a8b4625b4af3aa

SHA512
ee40b92014fc1031ab12813be848683d858428707cbadc7a2c57b66dfa1855126d8dbd9e3f8e86e6db79a1811d01b22e6aea349087d3c4f0023360daaf338bc8

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
236KB

MD5
d6afec5a51064c6b1897e0239f650d7c

SHA1
b854fd8811fba0a753edfbce6720043545d06a0b

SHA256
02fc07890feee38d8c8a2912b32cc6f51c7f5805aa4e28fa882ab505b5927e15

SHA512
abc03314b5183065be6d43aaee93e90d0b12ade72298b1237ef72c537202c840242c03943a58d6c00005eaef942bcb4b3dd2de865f0a53489f24ad45c3b809bc

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
236KB

MD5
b9ef81bd32a0bc73b1213e716647a33f

SHA1
f5d6d8bf2984f333e0e50f3e3e698cf2393b72a4

SHA256
d1d345fea5c4a770bee80568eb9f6205d5642607afedd16df336e677e37de44b

SHA512
6df5714a00f4c6f6ca53f8d43803a08c7715323c9665890dc9914dd95194cc933cbd52ff07c4e39f987ab62781fd727624619ef09a00efaa3ed51f4bd930da31

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
236KB

MD5
aa5c54fb817b029e7148a0f1bbcfd5d4

SHA1
9b8ad8cec440de2ae9b2aa44c0ff0e98a4ad9de1

SHA256
ae2b28d4983ad26e8e8be54a0ec46b0f7c42190b8a4bab1b10f185200a6ff52a

SHA512
58e57fc6b675042ecd8a5e68237013005a41d24942ede31e03d816d2dff75c001b5e6dff4a4b956674ac04620be17f76bc14bc0cb35a900e691bcb481db2132c

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
236KB

MD5
5567e4464cc1f9710b7cc4d82a72e6a9

SHA1
853b38f74cf6cec4c3dd881f11b25ac8006fb5c7

SHA256
4f171ae6b687b0651f1cd5802999e70b1f3b71ca95610ecf2ea36ba890a4051f

SHA512
c98782a50de94f8667bc1f8dd49d32135a14e04991d46eaf2e97fbb55a6a0c90f6b7365851bc7d4b35677d86caa01c41d3f0482107765a0c59db0eb1f3f43d72

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
236KB

MD5
24795bbe79246aee87c49322e70db2b3

SHA1
03d4d0657464ee248a5acd7c3a69fc073f6c56fa

SHA256
c863da3e62a25e188066d50b8cf0710d446ee992d82fdab10b219aa33ffc2707

SHA512
8b7a4b636c31c0a9385a6e5148b5f41781bc4fd94eb99e160f2d2d554083ba89ae730a0b53b937ccec4cf0b17bc261e734aede283c3f8d39329a45632da9438d

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
236KB

MD5
46aacfb338aa380200deafd3f1298c4b

SHA1
4482e77d44574d02a1bab6faf4227a4b1e58e61c

SHA256
777f23593069686e668cdaa8f5a134eefa9cca1c01a6a70e82e5fa5c7fa9f062

SHA512
5a7f4210a22491b5e1cf7d4bd2d0071207cda9586fc3712a97d512232f81809a1036b11260179b12d89d236b5a9f8e035f30d67ad4695d57529a837ee2c0c84d

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
236KB

MD5
eed04b1a7dc98cf23d602674d2136fb1

SHA1
972fc2814fda9dec30de0bc8f4dd47681c306f2c

SHA256
f112410e1b85c0af3eca7394603dc7aab9995e306a963a68d0d347eea0acb76a

SHA512
890ee42edf6932860422bf995f432a04af8f6a3862b8133d865b5fe72c06253ceecd283d556a0480451be1617de4433496e8a5f1949cbaf424e8dc868af1cecd

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
236KB

MD5
e514f5606062ccb8752cf8083790a5c9

SHA1
6d620a06eaf5db7d448a7a29dcbaa233e79334a1

SHA256
95cf1396c80a0c5af0311c4163e7ec6c7f9af494b3b168fd050fa7af628ed7aa

SHA512
293e18f9fd22df426135dbab28d62a4519c5f9d6427b579c45c4964b2e06355bda2ec296451b99fc2534de908c4ff266f5c54694ec70315b6f767df8d7c13e5e

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
236KB

MD5
8715b0e2b82d2d13d25aedfc476bb70f

SHA1
0b53899039758fcd42daa4bf2450b75dc9522b90

SHA256
32b5c46f74313f9766ea43ad6718af490dcb9a37be8862aa08da3bb12460da24

SHA512
ccb87f76b392995a83a5a1189c4480d812c0c69590b2d504125e643da2a97d728db33cdcc9ce052f78c4d09a96adee85690183bf87d1aa6696afcc0f33ac4a77

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
236KB

MD5
0bec44ea690fbbfa73b7288433b05df5

SHA1
f907f7f75ef70196000f7e2e26f88f4c951a6045

SHA256
40177165033a939635dac493d3bebf2353ddbc699c09be5e2d661957a27f3b5c

SHA512
6ba7cc6b83c57b70d30b84a056e98aacb00a26cdea44deea35b53d5129c6a696f7edd50ca68eb526a739d8629a692098422c34dee2c5319193be9672fb4705a9

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
236KB

MD5
5dfcba637d2f7b88048d4279752a1554

SHA1
2ca67fc75a5809e1f3607710fefacd9487fc619b

SHA256
b16a214e01c7c4ffbc92bb53f08c057ddde711696e17ebfddfb5b648c486c8f9

SHA512
7fb22bf08ba06807e027ee266637d473ef72c66a45023cc9065049dda1e05f0b73e1e8f18f83f4f97a70832851841242e9825c86d5f6debfd1ce8d27b2982c76

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
236KB

MD5
bac0d5b874041ebb3ad1268e5f199b6f

SHA1
8a43acd1f348d75753662783f8a97572e470b145

SHA256
d3b302cd77e7e07cd6c2ff57ca9140808ff977783fd8b0d923887c14a381466c

SHA512
bb4d679735bbfabd97cded19d7ad41ceb423293a8dfaa2fd8e9b5dcb09c1dc7d6b6c99001b9dccbfbad223fda07764b1762a6cc77b0837866abeb2a76fa729f2

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
236KB

MD5
c9bc77ec432c7ed49e2d3c0ff9de1f4d

SHA1
e3b90486105aac4102878835ec2f68fdf49f90ae

SHA256
c12af74bd04083d00eec5a5da5d64edef2b28dac6628142a21857d55c23b0295

SHA512
a88c13b9498cc449fe20b7137e797921c3a1b70ea3ce1d8a91df35bb7ba7c16466f383ef07bf3cdab1c385c6c181524bc76ccdb2d96d0013c02f7e92913e2a1a

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
236KB

MD5
d29ce8555ab9b559e954091c5ebbd1bb

SHA1
de5f875af8ad8143eb284e04ee32205bdde0e30d

SHA256
9af172f7269a8cd48907f8d50df96c7b1efc1edab293b2d0c4e86b3a0700957a

SHA512
ec42531348dd54ad292aea6ec07ec80978339f39327657ca7984c286827b024a9720180a56b95b1a2eee2b3c549fbb4f5d0d8054f7ff28e052f360b6e62477db

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
236KB

MD5
6ce0a1046f39fb316658f0e818886109

SHA1
ecb41c3ace290689387dae3ca32e09621f1fe016

SHA256
c6fc06510989644f314ffa18fbdee98a4c252f607b77554b20c229788192fb87

SHA512
ff03f44dfb1f48711186036d796a410e56e1dcfbc384d07b51b59dbce48f2546efa8ebff5e0b31c81d90a57938b7a69b32490eb59fc76d24df299cb82d0a932a

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
236KB

MD5
2eb3bad07873c6e963f576707b3ca393

SHA1
f06c57d7c6769d7fdbed11edf445c5be69abf613

SHA256
19ab3a412cb381c9c45eebb6372429cac9d5b1d4660b8bca4bb63436048de100

SHA512
db13c4835076880d17f36cf4f584b28c71de8540934d13c4b071057d333ec723cf465759b5a0e618a6904d4aa9701fdc6c9f9dd6a1e5823ed9f828ab502cbe78

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
236KB

MD5
cde7e523e611deae3aaf5ee3b43585dd

SHA1
31ff373d62313a9cfa5e22d29f5e1b2700a72306

SHA256
3eadd91a5e70f0e14a7770caa4cdbf2f7d56ea3087912772f503b22936d5b246

SHA512
2ed676aef4fd241417501ca5c3b12d433eb03227eca0aab481eed00a1b748ab3ca8383c88eed10c93d5d6d23229598a99dd1380070101be132e82622c94982a8

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
236KB

MD5
d1ae3e05690a260627ecaa731db20aac

SHA1
d76e2d90b4587f94d3423b717710a366c7467a49

SHA256
5122340d4c9e35b5d1fbd47d2b52800b16ad8b43252b6bfeb8bb0b35822baff0

SHA512
24a948d6f9e7cba6a560d18bf668c943e924e91c31ac89be01bd8d6071ff75067141a1461065b851a12408323caf7aa930a8a97eeffe5eaba9e130461ee69363

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
236KB

MD5
dc151fdcda059bec4cc75158b9d054ed

SHA1
a871ca7740c095e5e102dc5f060f9de131af753e

SHA256
ee84c236144fe79d3f89744ff5d9765fa1ac4221ee3d8027278c45c956544fca

SHA512
c518b0718c4b167ac8a2e0845dbd1f284ef6e4bfd5154db8af37deacd4b774d980afd3cd092259da9a6aeb91a44fd572a8ed27e1325f8d9d323b6388c77bdea7

Download Submit
memory/216-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/244-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/424-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/532-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/616-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1136-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2464-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3276-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-537-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3648-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3892-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3904-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4048-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4200-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4256-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4624-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads