berbew | 8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 10:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501N.exe
Size

96KB
MD5

1dcea81cf6bbc013cff8c746c070c890
SHA1

951ca378fab8e0165c30fba2e2a1f17a11e83108
SHA256

8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501
SHA512

36215da33c5ed70e4a8bbbe71639c172f73f7a527ac06e36cceee6e6c3b0abba392b8c9c9d968c553e81b0a923e9b8f430883247d2e578d893e282e9416cf071
SSDEEP

1536:U65KH2WGxGF0tmJlTOzfQX6adRQ+fmR5R45WtqV9R2R462izMg3R7ih9:qH2VxGsYOzfoBde+uHrtG9MW3+3l29

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4888	Kfjhkjle.exe
5084	Kmdqgd32.exe
4796	Kdnidn32.exe
4880	Kepelfam.exe
4712	Kmfmmcbo.exe
2728	Kdqejn32.exe
1356	Kebbafoj.exe
3732	Klljnp32.exe
4360	Kbfbkj32.exe
4460	Kipkhdeq.exe
1552	Kpjcdn32.exe
416	Kibgmdcn.exe
2752	Kplpjn32.exe
1796	Lffhfh32.exe
1880	Lmppcbjd.exe
2104	Ldjhpl32.exe
3644	Lfhdlh32.exe
5004	Lmbmibhb.exe
4044	Ldleel32.exe
1084	Lenamdem.exe
3812	Lmdina32.exe
3920	Lbabgh32.exe
3960	Lepncd32.exe
2400	Lljfpnjg.exe
3276	Ldanqkki.exe
2536	Lebkhc32.exe
1148	Lllcen32.exe
3116	Mbfkbhpa.exe
2288	Mipcob32.exe
4872	Mlopkm32.exe
2988	Mchhggno.exe
2708	Mibpda32.exe
4708	Mlampmdo.exe
1804	Mckemg32.exe
2344	Meiaib32.exe
4452	Mmpijp32.exe
3728	Mpoefk32.exe
2020	Mgimcebb.exe
1456	Migjoaaf.exe
4264	Mmbfpp32.exe
396	Mlefklpj.exe
3260	Mcpnhfhf.exe
3456	Miifeq32.exe
5016	Mlhbal32.exe
4940	Npcoakfp.exe
1416	Ngmgne32.exe
2168	Nilcjp32.exe
3560	Nljofl32.exe
1568	Ncdgcf32.exe
5080	Ngpccdlj.exe
4716	Nebdoa32.exe
412	Ndcdmikd.exe
224	Ngbpidjh.exe
3216	Nnlhfn32.exe
5040	Npjebj32.exe
4680	Ndfqbhia.exe
4084	Nfgmjqop.exe
3164	Nlaegk32.exe
3912	Nckndeni.exe
2632	Nfjjppmm.exe
4220	Nnqbanmo.exe
696	Ocnjidkf.exe
4640	Oflgep32.exe
2248	Olfobjbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Fhccdhqf.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Lnhjmp32.dll	8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501N.exe
File created	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Flpafo32.dll	Kdnidn32.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Lmppcbjd.exe
File opened for modification	C:\Windows\SysWOW64\Lenamdem.exe	Ldleel32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6388	6296	WerFault.exe	255

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Mbfkbhpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4888	3492	8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501N.exe	82
PID 3492 wrote to memory of 4888	3492	8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501N.exe	82
PID 3492 wrote to memory of 4888	3492	8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501N.exe	82
PID 4888 wrote to memory of 5084	4888	Kfjhkjle.exe	83
PID 4888 wrote to memory of 5084	4888	Kfjhkjle.exe	83
PID 4888 wrote to memory of 5084	4888	Kfjhkjle.exe	83
PID 5084 wrote to memory of 4796	5084	Kmdqgd32.exe	84
PID 5084 wrote to memory of 4796	5084	Kmdqgd32.exe	84
PID 5084 wrote to memory of 4796	5084	Kmdqgd32.exe	84
PID 4796 wrote to memory of 4880	4796	Kdnidn32.exe	85
PID 4796 wrote to memory of 4880	4796	Kdnidn32.exe	85
PID 4796 wrote to memory of 4880	4796	Kdnidn32.exe	85
PID 4880 wrote to memory of 4712	4880	Kepelfam.exe	86
PID 4880 wrote to memory of 4712	4880	Kepelfam.exe	86
PID 4880 wrote to memory of 4712	4880	Kepelfam.exe	86
PID 4712 wrote to memory of 2728	4712	Kmfmmcbo.exe	87
PID 4712 wrote to memory of 2728	4712	Kmfmmcbo.exe	87
PID 4712 wrote to memory of 2728	4712	Kmfmmcbo.exe	87
PID 2728 wrote to memory of 1356	2728	Kdqejn32.exe	88
PID 2728 wrote to memory of 1356	2728	Kdqejn32.exe	88
PID 2728 wrote to memory of 1356	2728	Kdqejn32.exe	88
PID 1356 wrote to memory of 3732	1356	Kebbafoj.exe	89
PID 1356 wrote to memory of 3732	1356	Kebbafoj.exe	89
PID 1356 wrote to memory of 3732	1356	Kebbafoj.exe	89
PID 3732 wrote to memory of 4360	3732	Klljnp32.exe	90
PID 3732 wrote to memory of 4360	3732	Klljnp32.exe	90
PID 3732 wrote to memory of 4360	3732	Klljnp32.exe	90
PID 4360 wrote to memory of 4460	4360	Kbfbkj32.exe	91
PID 4360 wrote to memory of 4460	4360	Kbfbkj32.exe	91
PID 4360 wrote to memory of 4460	4360	Kbfbkj32.exe	91
PID 4460 wrote to memory of 1552	4460	Kipkhdeq.exe	92
PID 4460 wrote to memory of 1552	4460	Kipkhdeq.exe	92
PID 4460 wrote to memory of 1552	4460	Kipkhdeq.exe	92
PID 1552 wrote to memory of 416	1552	Kpjcdn32.exe	93
PID 1552 wrote to memory of 416	1552	Kpjcdn32.exe	93
PID 1552 wrote to memory of 416	1552	Kpjcdn32.exe	93
PID 416 wrote to memory of 2752	416	Kibgmdcn.exe	94
PID 416 wrote to memory of 2752	416	Kibgmdcn.exe	94
PID 416 wrote to memory of 2752	416	Kibgmdcn.exe	94
PID 2752 wrote to memory of 1796	2752	Kplpjn32.exe	95
PID 2752 wrote to memory of 1796	2752	Kplpjn32.exe	95
PID 2752 wrote to memory of 1796	2752	Kplpjn32.exe	95
PID 1796 wrote to memory of 1880	1796	Lffhfh32.exe	96
PID 1796 wrote to memory of 1880	1796	Lffhfh32.exe	96
PID 1796 wrote to memory of 1880	1796	Lffhfh32.exe	96
PID 1880 wrote to memory of 2104	1880	Lmppcbjd.exe	97
PID 1880 wrote to memory of 2104	1880	Lmppcbjd.exe	97
PID 1880 wrote to memory of 2104	1880	Lmppcbjd.exe	97
PID 2104 wrote to memory of 3644	2104	Ldjhpl32.exe	98
PID 2104 wrote to memory of 3644	2104	Ldjhpl32.exe	98
PID 2104 wrote to memory of 3644	2104	Ldjhpl32.exe	98
PID 3644 wrote to memory of 5004	3644	Lfhdlh32.exe	99
PID 3644 wrote to memory of 5004	3644	Lfhdlh32.exe	99
PID 3644 wrote to memory of 5004	3644	Lfhdlh32.exe	99
PID 5004 wrote to memory of 4044	5004	Lmbmibhb.exe	100
PID 5004 wrote to memory of 4044	5004	Lmbmibhb.exe	100
PID 5004 wrote to memory of 4044	5004	Lmbmibhb.exe	100
PID 4044 wrote to memory of 1084	4044	Ldleel32.exe	101
PID 4044 wrote to memory of 1084	4044	Ldleel32.exe	101
PID 4044 wrote to memory of 1084	4044	Ldleel32.exe	101
PID 1084 wrote to memory of 3812	1084	Lenamdem.exe	102
PID 1084 wrote to memory of 3812	1084	Lenamdem.exe	102
PID 1084 wrote to memory of 3812	1084	Lenamdem.exe	102
PID 3812 wrote to memory of 3920	3812	Lmdina32.exe	103

C:\Users\Admin\AppData\Local\Temp\8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501N.exe
"C:\Users\Admin\AppData\Local\Temp\8e91a3096db341b746fa56a677eeca9f7f06f680bbe9ad026d1f57e8900bd501N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\Kfjhkjle.exe
  C:\Windows\system32\Kfjhkjle.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\Kmdqgd32.exe
    C:\Windows\system32\Kmdqgd32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\SysWOW64\Kdnidn32.exe
      C:\Windows\system32\Kdnidn32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        23⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        44⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        50⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        66⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4464
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        71⤵
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        76⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2212
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        81⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4812
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        84⤵
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        86⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        87⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4336
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        91⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4472
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3396
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        96⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3156
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        101⤵
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        104⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        105⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1152
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        108⤵
        
        PID:956
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        109⤵
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        110⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        112⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        113⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        118⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        122⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        128⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        130⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        132⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        136⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        137⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        140⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        145⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        151⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        152⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        157⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        159⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        160⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        163⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        166⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        167⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        169⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        170⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        173⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        174⤵
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:6296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 408
        176⤵
        Program crash
        
        PID:6388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6296 -ip 6296
1⤵
PID:6364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
96KB

MD5
cae14631bd6a0edd7d52e419ee01c53b

SHA1
924b2fa26943d8b753d1ab75ff08664a4cfc7075

SHA256
efcdc3e3e6c87347d47efd2a9045233bcd8eca06be5fd24bf728df67a2c8c0d3

SHA512
c24b802ff7f19e983a8426e418835bfc99ed3e7ba3d9c0c320c5f8fba82f17dd21ac3931d38394856a13c0e5fdbc7bef13e735726e40b47dab0557c4f11ad54a

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
96KB

MD5
a8ef51a19bc16d895fa0d8b6ed349a78

SHA1
3ac9ea063c0476f75aa68dff42b4628255ae7715

SHA256
60102d427d6e497fc93a66fffa65da48695214052e688d5a95ac9d359811c67a

SHA512
af6ede5d5161ac6ac0211c332a66295a0f99b670236c3f30763a092bd82572117ed83c6924a0825b25724a404c3bcb6450cbb2d8def1d9f753f3872b4791874b

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
5e032bcc656e020fdca8984bef346f8b

SHA1
218cfc182d804721d07145130cdd1ecaf1b84eea

SHA256
8f73a62f873c6c4987f2cd518cecf4011b6b34a02aa12722b54d7d1b1cec704d

SHA512
2d417116cf9dfd237d28b57aae0268daf82166296d0671163bc2dc0c5f2bedda0e0c5a3779036ee585e9c258bd83fd0f9f533f1966abe0190bea1107de2d4eff

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
96KB

MD5
c41cdb3e22ac5ff733a7872e02beaeac

SHA1
361dec8bd4a0be5adde0ad2682c88238e27c0725

SHA256
bce79beb6681bed39a33e8404a2572a4dcf352f7096c5290dd260a14b3b8081a

SHA512
a54ab8f582359e9d7fce0fdae9711f2a2e539b41b34ca53c7a8da98dd0df17ebc2e82f9ac5d5fc0911b1493d5986aa1aeebb11f240342fed3af17f33965f506d

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
477256ee89a7908aa87727e21ad57e75

SHA1
f61d6585cf34de95d1f7503fa5b4d3cef591fcd8

SHA256
7ba79f305ad9336f7893ad7fa26d75325d3ec99f0f4433e06bb25258f6cdb48a

SHA512
e4e40b7b9ca37c34abd9302339f456134de888785c9c44bb99adf283802327002046ef500a4b0eb28b54f74a0e5d50a36e06c5bad5a2ed9e234b09b5322351f2

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
246d8b8092f3908a586a8f4f1f37bbff

SHA1
74978b5e7ba7983f8387c129a38bc324a4c30d4f

SHA256
935def0a8b172acf5edd7c9881a3df320180560bd7f2c83da8eb38b297aa9588

SHA512
a1d9123723523dbae9561344c004b635c50a9af65d3ad87c01c71f208a3547d135499a2152ddbd0c6518df887f55c4d8ac1b3ce7b5a8524b651f3373a385408a

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
8919f8c0ca1315cabf4ae22f015d5ef7

SHA1
3a60400ca86fb40e9cde2cdb4d16318296e8a406

SHA256
5b9f7b1dfaba8c5fd16e409e50c3647e081494eb9432dab7757bf92abff7e83c

SHA512
a3a6b7d55537c73f9af25b98ff12a55bbf04c01a2e22f7b895310b588259d0b34a1251ffc942cb3d2be72e3c80d5d9f9adbaf22b1fcf887e393d0c743e7fc0e8

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
3b297a3d2fdbc881ce2c388b6becba27

SHA1
21e52023095404dd7a8b405469dd3598b3b9ccae

SHA256
75f132306fcf9437d62715d6b4cbf92e4cfeca79c245c09f7e49a4885a886d61

SHA512
f2c3d36d9f6fa3b18bb6167c1ca2d29dea1e3cda3ce7d5f73b566035c51b2ebd9781255781f8ae17bb7d3c534c69d5a87a0eb902e1c55d491b429a6f884a9edb

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
ff095ca8fcf9afc946abcf038f53a56b

SHA1
3db0add41d4f69a1340945c6d3805913425a6b6a

SHA256
934feddaa745b67af2c9f5cd353b6a6ae29a7360827be809425692bb0b09e79f

SHA512
9338058d789666784abdfa1d1e17a4eb9fed61ac9b6cffe2b691dbc6c5ea45b99a535e218acfbe3fccd3a5a550bdb227202ad1dfe9e3d8f0eecada7d06155d7f

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
96KB

MD5
8387c921c767bd1ca80bf6b37083f9be

SHA1
beac79fb04e2395c067a9cb1f3d6afc26014c5bb

SHA256
333adfa8ba85047b34a02f09678892dbced3db8a73494e50fe637d82da31f2ae

SHA512
b05f24dcf1e8f697d0db2632fd2d591f65d9adc4f7b21fefb3ca5d21aa9156d7116e99078eaefa16444d3d860226a0a25defc7f3e786bc26da8b0c8ffef47cfa

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
061ce6a830098bc45a0cb675d633457e

SHA1
ea1c65c6e74a4496c5face2ff153488857c72ef5

SHA256
ef59141c5f7b7373ef2174279eff8c6e7fc3fa84997a7e499a03c482aa828e81

SHA512
1d28704580ec951476c36ce1b5ee8f66c610283138accab6ba67d8bda8eb1c0d3da9655d7054ae9a07c0d4beef5310a9c3e09edeeef4ad473c7bf9f5163784b8

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
c97e08c8bd892cf79277411d8d96ab6e

SHA1
91a84ba0281f4c94bb0ddf5d31bdbe1649352d4a

SHA256
8028c8e1f5efb73794c15f10740bf0bbcb57e00a65cc226bb87a51a85c019974

SHA512
82a002a37e5571b59d8dcc26d53717da8a58315fda4f3f79454b9b10b6999750d4a9abb1c663489cfca8dae8a9a61f1a7dea9fe7eb81f78df6f0566998cd8b58

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
419a56603a0041b9b34428418bdb88d7

SHA1
dcaa215c8409dcbe6fa3f48adf495d060c181428

SHA256
1fa38b46519e2ef71c53d499bc4e7e4c4044f058f36bbd92876f2b5bf1690f61

SHA512
ceb4a742cf5fc233c9b9365fd7132bb5f03460a111d778a1fe65f822b77f4c8911f4b731556735052965179f2b29ebe4273ff5051a2be0abfca39370a787b4a4

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
6487b871c8a95ba29ba1bd8df6695d50

SHA1
6c0efa95b8a970701b474a99802cbffa31c3b117

SHA256
f9fa60ab5cbc5d1aec66e21ea409d6f1b2cbf39294daa12bc80801f0d42cd655

SHA512
31ba3d6e956cd4702c4ff121271afd9e1c2634d065528d9ab1f7c77f40a014b1f73fdbb79d37431e6b1927a3ce71d42cd861624a4435a837ef2234b7a5a94f42

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
5ef04270243bc28ff472a32e24def1bc

SHA1
7e391a05ebe020a0c19d8c349f330b7b03d3e74e

SHA256
ff692c5a532842b3103f1b9ecce979001339a76671740002d8ef92706032ca1e

SHA512
a9839edbbf4f9a9e71ef3cfd8a658ab104bb04ed209291991b178184a6a397fcef59e986f3957613c075edd84998a34f849e66d85eaf8ac05552e5136ad7bef8

Download Submit
C:\Windows\SysWOW64\Eikdngcl.dll

Filesize
7KB

MD5
6a1f380c067e67401de96380725589e0

SHA1
d8b736af4604caaf45ae1644794339783d0b4a36

SHA256
39cd51403df7f635d114dd352cb92506435f86d10573e5dd2c526c1c28ec3915

SHA512
ac5bdcd66eb3bd447c844be306a77d4f3d16dc735e8459c545feb2cd913a7b14f26edcdb1216f3d9f8a40d9d1b2755e105d032702e244ce0254eacb935a0c922

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
96KB

MD5
e8c5ddf06add6cd5227719b13993718e

SHA1
ac374faa067e68ace63001e941a2208fbb4416fc

SHA256
3ff660a9a2581981d5bf34ef52af99f87635a2409f230f73e424931269da46a5

SHA512
d65137620ae19ebe7b430fe140b1dcf88050e7b623a884501f36fb2ae549200732829c1359df56108693a56bfc9b5a2514518df4f4155714c7949f907d464c1f

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
96KB

MD5
95bb5c172e81ff6e916c0ae2a1a6add2

SHA1
76c652f23634bff361231f11bd99f940cfa875d6

SHA256
781b46ac54cac0d5db369039adf61af56ab091fdd2a27f3a33f7e1f02cf32043

SHA512
b04a17a8c4cfcaf04c1da7bf592c144eb3553663215aaf9b28d9ecb1653af1fe0648ff4e134b42c598e9b53f38490817b0190c55a1849635b46447d43172f2d9

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
96KB

MD5
df6e713df447d13fe63eb054eeeade23

SHA1
b8404e76f297bfab159c377f144212f3f8cf33ff

SHA256
7acb9ffbb6a87b85b33baea2a846d7be00849555ca4d8ebb5960b455e126f80c

SHA512
fc289c99857cc83fa7a569960b6d5459be741c115c24c61b49175d76c0d2e699b1126996fa27c8ca1ac13c946ebc964c8dc87321d7c3f42d0f007918c29c8b39

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
96KB

MD5
6384e4433f43f123dbad0ff6dbaa8061

SHA1
6cab1a50fd38494cc3d930bafd9daeeef29c414a

SHA256
72564143177c4405185eecffa5b2d720f81dac850113ec29ec2868a3f71c75dc

SHA512
cac8c98c55dbffd8ae2895c7c381e4d5e803b0b890dd75e401bd46a42ec701640d96b9961ab712593ebbcf32aa3de6a57b5ad45a0c9037186516d0b48c353b04

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
96KB

MD5
45891ed6b9d10e3ca0fa98745c842a05

SHA1
758af19328d5b00f97e66fecfef9e147acc35cb1

SHA256
b8c7f4d8489b630fcc7d652382c0e785d2aac69a1fcfcba4e41d2035056df6a5

SHA512
a2ec2aea53f79b5dc804f5b31b9a30f4d2264298febc754d65919465c400da93563266a07f90484cfe99f05b48cbb0fa42dce5c0cc13a9fb071733d941fd80c2

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
96KB

MD5
8372e01f0280e2625f034f102b458bd5

SHA1
f34063100fa5da21f1ab7baceed33d3aa9ce52ca

SHA256
8ac61bb60e5747bf681a09f3396ca5864a4c35d765d36fded93e4326439ac537

SHA512
f6d7a469bf36bfad1e54e4b422eb78b595afc0fb9bb3b889eb2eef55b80fc744035e7b68a808bdc69dcad33391b16d9f718406f3795985a52afd31e9f3e81432

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
96KB

MD5
96cf138b5ad7068366adc26c05ad931c

SHA1
7d134a80d8058d1088cd24ca721dbdcc0782c665

SHA256
f64940d585a38acf9d88e6a5895f00af20822bf2d182fb5f5037f091d7bede3b

SHA512
f7868432e8ac6f582748a0bffaf8292abc6d349e464c748f0fe2209f0df9e2d9178551cbb9c77ee1b0b36e8f1297641915872d5c2818e413e165c4c5d5bd53c1

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
96KB

MD5
ee62c285be1fdd55b524c1da4ad6a95b

SHA1
209b1d3ae652576980bc0da19e8845f6f3c2c0ae

SHA256
727adf6dd251f17675e441911c6080752f2235ec5ed1630bd44055f19ac146a7

SHA512
b3815dfaf0c1d59e7b7ef0216ad74b8cefb6f3954b0f565a9d9baca8f9b3651a29c0693f7a4d6059d7b0f79f929a9d5d4f90f05a6d4106fc53eecfa3abb48b5e

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
96KB

MD5
4fa8f95cd97fff1514ad0e1fe9f9947e

SHA1
a4a87bbaf5046918ed56bd86d5e03b11adaadc4a

SHA256
4fd458dc77f4d966c166679e6b089c8fe4d6c835c60029b8fa5314dbe3789a8b

SHA512
c7d51bcb81867369fce290175f95de083bce40c440c1c3fe4b343f0392a6b456cfee210cf3eaed2f8eb903ef98122d9404a9e143b4addbac418d55460b3cf75d

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
96KB

MD5
1cf93f86e45f8a4c1be0e65610eda325

SHA1
7104ac281d55db6369c0a0cf1718913251030d7a

SHA256
4e33397bf1bce3e9c6c4e007383dfbc83fe17ad210666b4a2bfc98b981b0a825

SHA512
234f98c16a4af8f2a7b85feb75972454da3e0a3bce5361e9c85ddc439689adfdb44e2584bef8506764ad4e5e6c7f682d2f70295a71d80a3cb5e3236c6c3cb8bf

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
96KB

MD5
4181d9e62a2727385705695f7764f205

SHA1
f781adfd5f65e49e8c48ce570f08c8c1638d5541

SHA256
31691356dcf5db779e94542d392363ea6bef00b2fe90e6ceba94e9709d6241d8

SHA512
f209ffb91a7a6b1ca27902e275c6fd549493258ce284be400bd81ff2d8cdcdafd24f2c4f7432eed33c4b3ed7ab6eb079281dcc7de08f60a1664416e6fec949c5

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
96KB

MD5
9b41ca76ea8bca7ae48b97d1a4293b70

SHA1
836466ebdddc5348e1e09ca41b7beb8dbc7cdf38

SHA256
a1ac8082f0d175a16204e49766d546d217a45001c59f075f436fed1a10a5890b

SHA512
850c80e287b160dc210e877b696100f5e858c2199e140f4e4d1360b59d03b7910cecd737868969abe605d449c5cb773a4cb4d62c9fbbff36df8b5884b2646840

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
96KB

MD5
82ab936d1cadf0eca6bea671c8ab031c

SHA1
f28b4431b78c4ee106d86d6143cab2c9a78585db

SHA256
0ac0d54bb354c5075c2704870325939bd87adea403cbc3867f57e8a072514cc6

SHA512
b89a367de1d74f8a98b0a4fea969cd8ef0d4517eb909a71644e087267018221a6e32d1a2314b501388d422da54b8f1c0260d72a9edab91c454afed67285b0cd0

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
78144f813b19203f8c2869077808997b

SHA1
e03bb958abcb2a73d403b6f26b0331e80f87bca1

SHA256
0e719ef19149277e277279c6edfec4d02ae5aab5f46613c049cf1e8898323db6

SHA512
b053637495ce7afdca4369215b920744c53ba4bcbedf20b02f05b6f4108e8427f56d639f61c4b3a751c1218d4711155fea55a5a5cc22eb9efee952512ad5c149

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
f56f2fac3bf320c157e35eb4f1c85d8a

SHA1
cb3c1735f3c5cb4aa83369225f98afa204c2bb8f

SHA256
e9ef2914c25a7762766021830e82a15998831db40d4f8de748f302cad865b196

SHA512
93c89847291adfb16a905955d94c31c369432c5248647f6c464154069dad78acaf3b6e6932ada20a157830ccfcff7441fbd9b772d9f27e626f4d6cd8a16f16ca

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
96KB

MD5
efc5f4275c49506f9f9b7bd581dac86a

SHA1
6ff1ddd7152c3bfa3c399e456427d8dc01348451

SHA256
cd3dc7fa0a89fcae494a2ca3d053ee5b85aacae2fea223cc78e7cfee44739ad4

SHA512
2610ee9fa259b473d0374f391c6c92cde72f8ba6c870797ed00c50e83ebf6ae44fe920c9e543a64b0f875227db53296fdb5bf6f62db24a4e41a821f66b11040a

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
96KB

MD5
44c649de2c5665c9becc59096a488052

SHA1
d2817c5426d702a6ede2c8d31149dcd77c22ba35

SHA256
942e10afc3662e9ccecd23f28931cf17680eb1f3e490a930d5e6a01bc3e62e6e

SHA512
b9c78d0b2b03dca6839a3d6434d9761aa4f6a35fb6ee578823a06c7fc58eaef74fa399d56e3b777f88911c4338ed0ad3d7d5f7a534f93baafe36da9474db07ee

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
b25dc7d27732da979cf3939e69231b49

SHA1
541c8cd23e2dad2d9a85517a4f3695105872f5c7

SHA256
3a13b67532e6e7aa950f3a893e65bc477a6deaa0219cb61c31dfd7d7cab9d393

SHA512
1bf4b7bc5cd58615134e78b9e49dd6b1a1d7ebf94b56ac2d0b08ef244132fb78ade4e2144460affd31cf9447f8496de947af49968f1585d35dda650d585dead6

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
c71af91bcf8fe96efae9852ff7cfaa30

SHA1
2d0e4042c82255b0a6d2a34f939f12ae0453d9d0

SHA256
6565544e354d5f65f350ebea30e123d05c47e449ed55cdc45acd3c49f32e70c7

SHA512
fe0befaeca924d5959792d072c03db4ca2d38d3514f78a8b29a8a84185d767bc3286e8c90de938e730bdd08530adc91da16bba777877c5bb849e5e6117b195dd

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
96KB

MD5
9aed6b38a898b8f4761949d6977ccf1d

SHA1
85b137fe67a2ebe589eee21d6e27b1c8d8dce79f

SHA256
0a23838f0a0c10b7ed01390db1dbc3acf3f312a6c7bd286cfff41ad8ec8ba5cf

SHA512
8e7fbd6803307d840892745dd3de215b18ff3a424626fde836f891b845711d2002ea3db0ac24ceebfe49b7b36a1c5a0e353934f25de78e7f072700dd31303701

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
9c5efef68a193fe984e892bb5982bcea

SHA1
35862c2499f5ac66e2d63248b620333e796c7962

SHA256
fb1755094f0db418a4e7df2ee79517534238733b20106a295816a1681013d1c4

SHA512
3cb209d0b43c36e91ebed542568493f8390c87a1f43ff01c16acc54bfddf89bf1ec0785eb72b869083ade5042d13a4eb87600405d048eee49cb62d823412a5f0

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
96KB

MD5
17a66501f0f652c1618e0561649a06b7

SHA1
c797c464f17ea615e73eacc10730e73533164d30

SHA256
bc1139fa83275e2327482910d3cdf824c6fd57a4784413853688e9259e878032

SHA512
64bf35c2206fcb2589b410c98106655cd54c79eb8613589bee1032f1b2ed3b7775cdaf7783a506c88be24e13bb3e73c53b4b8153efd58431ff314f1cca0171fc

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
96KB

MD5
9f178ea2494f60a759d9d234ff441cea

SHA1
8d02b304b0dc79873e60fc29f55025c07acf9890

SHA256
eee736e5f900d0406bbdf0ddb1aeb1c8a742017ae8f583cc59b448914ec30564

SHA512
93262998ed34e42bd3ed299f0ee13a348ddbc7e011c80edc1e4df2ae5861f606e3e3eb7b9797964f5734f69fad9aafc68fe6373643dc7b4395e395e8c286e724

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
96KB

MD5
b571668c22ab499161b96d487d37931c

SHA1
cb78623e1412745aaa462ab4615ae829c9083a2d

SHA256
1e926a208d46cdc80d1a91e902fb049ee80067385a6df2208e4bf7379b75b9fd

SHA512
7697672f35f121e0b3dfcb7137113f630e1dd7b9eb00f8bcf390ca7ed747c5fd7e63a913794d5635d75ba59d20c284349f9d057187a01dfe206314cf539cd72d

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
96KB

MD5
0e7fbfc2df39f6a1a8bb777de1e2edb6

SHA1
df73813832878fda023fd7a2cfe8028851787d68

SHA256
a194a179a69d32d2394de2b6fb6e6ebf62ed85f79b97fc72f5c80590ca35025c

SHA512
380c4d9b8b0c8cc72065ce4f6b39ecf36832b3782ef5992cacbf5d248b159db624f1640c9ab366602584fd5bf1aa62383390f6e08302db99c679982043764243

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
96KB

MD5
0476e7d72f1cb9c137e243ac13184343

SHA1
e493488e5a80cfbfe07c3fed8db8938da5f91e53

SHA256
89fc1268317c4630730a5eca9bda8d0f68c3f7fbbb577212f329ae16a12a5b89

SHA512
ab60e16d0c609753faebc859819b52947f78afb0d2d21245369b852255bf1eb69784bf7dd415a44547e20c93ca078a18909ad4cdfe0b67e39c19717b4e089b8f

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
96KB

MD5
9cee35d0394aaf36d1383eb971882c3e

SHA1
c068691e61ef3675c6378f3c3560c915927a355f

SHA256
cf930c54d6776b4cc807087ad5d7209852d1ea5c363112f90bd704e8e1a21589

SHA512
feeced2f50a6ed3bdd72ca466d4f201cdb7d202728395f80a21bb98ea81e5ad6cafbf4b8370ab834956cd976f0262b165bf4aacc5b3dbe0a382ea466d57656ac

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
96KB

MD5
a9eebb434835da47c8880b2fbe781bca

SHA1
de8f67db9f97b1e87f60b2fd740dde1e4d16c2da

SHA256
508f5bcf1410250731ba343a08b46312c6ee57a65069719cb09ce50f54f4aa4a

SHA512
5f1fdb5ca4832f9feec9286b22054d90206249eed323ac577e6a16456b18b4911ba5eb6cb211183bd006b808064e83711889ea69d14ad50172313446d9733f5e

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
96KB

MD5
e22c9042308b8a4baaae4c02a8599cc4

SHA1
d9b5880121ab9cf06dcf24783447e7588e4d0a96

SHA256
807344e6bb3aaf5b5138b25cf18c4d0d4d6abd879ac6661ed64f69a91ae1bf40

SHA512
05fe4918acfe5413d1b3c7122ec4b9c170d398ff25b8fb67c35a3bdbb69749c43c23b6e8831b825e803f6e60f9a712aa0f9a82cffdc296c1069860e35bffbfc7

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
96KB

MD5
c9cf5d94acc28c4653e910f24f72b994

SHA1
41392e781bcaebddf9e87562e73ec8403697a8dc

SHA256
13e6aedef145b36416df865aee89b33614785651eae21c86185bf039e5cf8766

SHA512
24936b956b825a5382ba4cd22f79828345d72d089d2e74e29498217d768040f854ef4cfb29c5d024c370f477686332120d84d3f3ae12ddf87842ff163e006bbe

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
e2dd6d5f5b58a71d467ec286ce427bf4

SHA1
75ae5f0580a883ec071404b51854fdc90bcb313e

SHA256
43eac8351bcb6de637cb3b4f9691f14637247885658e4c66e12792e87faec072

SHA512
5193b40e6b2f1bff0513c9d0370c8238007e6e03444845e0546e969e96e0d509370775e82d5d2556b2e40b7e92c59f00573a4262425d32f9a0247ae73aa54c5c

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
1dbc1ce0fa58eee317e7720f8784b4c3

SHA1
bcec969b56f0a0bf3490e735ec6d4c2750f5552e

SHA256
bf901c2b57503a238e30029a0afc0639c11320e0b33e6f37628703634649f2a0

SHA512
29178c36c9784f1e6ca843a4622b9d3a19f200010f8bd164dabcc7c66100d02f1dfcccf1217f885fd2654d70244de27636d95645e6c132a39a949e5be88706a9

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
a2d412eecd27229f1c6f8a4f9bb40bde

SHA1
51a75fa4bb0bf7e734680698157a3e8984055873

SHA256
2410adcfde03d89cbbf70fff7409a5f9cd2f70b46318c77f53af2db651170b0a

SHA512
830142afb3689c258076bfeb029bfa0ca5e89c6086b74d01ad51d14d65108257ccf32ef1505208034b035e29badd34b89d15252b7605c513c8e522bcc1122345

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
12f88db9e7f7d8c3783628d75e2e8e02

SHA1
9134339c86c3b06ce0b0750040791448fdfaca75

SHA256
07d09b81a206f0e6dfe9b40b01c3f9acda197ad0624cc7a523a6c6d286eb26fd

SHA512
71cf533bbf52e5eb7850113fce4d34a9d3fc7f107a05e6bf4e658b0b0fbce5aa9aec3e86c5cfb64901f7c487d125ba55da13fd5dc761a6e91f5562da4636c14a

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
76888537afd6a0a4a0890dae89c78fdb

SHA1
61da02139279cc747aed54a1322878b35a19a247

SHA256
dc7887731983df30b355e5745a8f4030462a84b3fedff055038175195cea0611

SHA512
5be2d02e220e64ab4d0df6c6c4538d5f980b475a52bd83a8467adcf293fe8461c48105c7bbeef86785042e07107d6dc895ce459c377f0e192028bf8aadcc58af

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
96KB

MD5
bf0a61c2b18219a6d59f841b70eb3809

SHA1
ba3cb6f5e3e69d36add1e1cb1fe82ca568c37166

SHA256
528f8ce437ef1e00a56a0efae19bf195dd2972da1ec507da398758a18f5f6737

SHA512
05c76add185ee7c820f44efdcf38e074426c7f84d33d71333553ee1c2fccd2d568a5fd1b73505319f66bb45aa2a5094bcac355b7bd15cb26624c1ff775dadd7c

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
96KB

MD5
7ff53b7af0313c85c5a9500995cdd022

SHA1
557183ab3d7d94394a00dacd1a054a5e0557fc55

SHA256
72a8f64a51f1ba662dba1c49bf997b792287d6a2e00cac9ac7ec64e036bfcf09

SHA512
fc439647885012e728a4f7350f12a2114e9f0fae90a2156ffb12536a935aeaf77b99db062941ac1f0ee99c829c4eb3c781610babf2a46da2c1eef12657a6139b

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
d5e4eabd60e80f04aa8e34cecebeed86

SHA1
981657afb047fba63766e39f58a40e491d7aca9c

SHA256
41870290d43b4f44822a67a1416067e8cdf5a9ae086e2bc48df566af94a6a5e1

SHA512
26fb95b632e053b71944a2f9ff1a779d5f9e28153324d5ac3467ff9932f334f3fe0abf9e6067072b4ea1465a2f08e1b579b8f0bffdc44c1dac8b3a1a8119fab6

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
9f2ad2e777d75cac150b1d666e7e5f55

SHA1
f7be39599c1e916d696638837f348a8ac2ffaee9

SHA256
7e9e2de0e1e3190e02c46408730928d46d35df79a0275eba70716d89d28d20c3

SHA512
2e13ac915a21d369e57a78d27c61e1e7428d1399d6bc183d49dbe41e658844ebe78f1a0f775c85e716f6c29aa1049a26a148675c641b21857116f4c9c1066913

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
1bf84adc0e1e6c71fb77a78cd4eeba4e

SHA1
f6fe8bbde46939f88d83a129366cf5602a66daf5

SHA256
1ba9d1e9fe0dae4c5dcd7cb4f2a7061f98fb0c1f6e09d42f55a7b7955e2ddc27

SHA512
62a5d0b624ec52d9c0672ae14cf755326146963fd0ff7ef9315f38f77eb2f96012dccfb359f1ed0956586879b82290dac1e0ac05a0200df89ab28e913cf610b1

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
867e75002f373236bfd83d30d24c6c7c

SHA1
3b4c77ace1d401459635ae076f0f1c3b7fd79ee9

SHA256
9458f22f0cdfa493f3a51e370ce65f7254807ac4934a1af1a801bc5e504365a9

SHA512
ec3d6baff8864a6929f9773699a2602c5aaefdc302b5499d8c4342add82b689199a9758dd692462ff59bb6ac0546b73a2e4c018d26b7ffface9e26182c8ff680

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
96KB

MD5
eb541e2ed0d32a7ef75bc806c63a2090

SHA1
d2983f1004cfa658e4ac6059c70ee51b6cce03b4

SHA256
9534115c386420e982da789af4b75ccf42545ffc021d22573b3de2615a5c2023

SHA512
0bfe02f8a75887614f1797012b704517c295f2700151a79c890561461d0164e10f8db97a3dbdfe79fd324a20710744bb2bff4b97cc4d8f36612046b9868d451b

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
c6fa9a185a78fabb885134b927e5fcbc

SHA1
2b199fc0c69fd6b665b63d0692f5233f575d5b77

SHA256
e089cf6faa40eb1f22ff9145b31762fb4559e6cae854b294c16e2db695abbab7

SHA512
051b2537f3711948cd34815b3a942268a1ed072a2f298ff710de10e3b48eed3797d1d681953ea71cc20a0b9f8f9dbd787274c166af09f6aaa459935ddbc17c10

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
96KB

MD5
4d340ae8b1c77af5e76ac45099c95b29

SHA1
5d91d60ecb76f7da4b0b200958e1911f1f5849c0

SHA256
6112e3f224682ab07d3b959b14ba66c18616b842ae7991c1a3110651b4a9bf85

SHA512
ac67fa5a924e7affdd6cae04ec71b25a50ba4a7abfe4b73782171f146cd10a6e4eab93578642598fc0180bfa97abaace83c64442ac89f69bcce31f13c0a32811

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
db9d0ffc2a210aa52fead4ea8a2af8f9

SHA1
eef8c9b231619f948f7d8749cf18ed92415adb8d

SHA256
3acd715768fbbb24e44db5da3bfe310c3892a3acee1ad6efadbfc54777d7590f

SHA512
afe8df02200f011353b2111f66dcd5a988e59fed04d44b4c877e818b636e4a07bb904b1642e3caab3036fc344ee27b5fb4d9ee3c129d87bdaa4fd2f8c45433ae

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
96KB

MD5
d5c548ce5db26d0bffba4513594411b4

SHA1
22a23dc8c33d501e9888dbd4f8ba0087679b83e0

SHA256
bef541020bf2a93d47ce02238e39120ad6cebeac130dde588aa1161233819773

SHA512
707c0dd3589ad4a7545bacd3052fbc5c0d0870f6041208df7db04882c5e8aa23c01a3fcb62623002a9cbb35a09ba5c0fd7c9aafd9ee2c3c1c843307085b93704

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
96KB

MD5
09fc4b2d21781997ff2133e7994e272c

SHA1
482c4950144a9e03837f4131cfbafb438d4229d7

SHA256
99d1a95caec5df6a4482eaf6c2414d5a9b42086e37fed3fdd11e9d0b04d50f75

SHA512
f25cf338907b9897afff6c3d1f1daadeee99f28de0c3c58a2898f879a531d0a823213297afe5428e897d080f09c5f636eb5927910287ee3ffe7b97ce47b58786

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
dc662dfaeb80e5fa3484431e5c9aec94

SHA1
24bb0b772dc688919dd2532e17287b862f5de3e8

SHA256
5f6daa13a7cb7fe5fe4319f27a270a9716fc62bf1fccaa322176a808450a4637

SHA512
c51def587a9606747c8a3306847e87ea703e6f586ffebdf0ad7df6052bf29d9987d0bf84ce42dbb1b44f06b44b4bbbe379b21a58ff71f280126403a52bdc43cd

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
96KB

MD5
40d22407960b138c7c5a75f90b8496b4

SHA1
8000ca5d9117edaf12735195224e2a6a1bf3e58d

SHA256
be28bd31ff3b0d7dfdb96a3f780bef9379b7a0bcd6da5412ba92fb4efebb877b

SHA512
a75b2bece442105befe2988c1b62a842e830329b46a2cea111b7dfe1a1b6009db003d78a9ff1695a1edf0bda0e688be8fb9d2983f7066137b5ccf7d6e5c27b6a

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
96KB

MD5
d7e2b4c03630016d5b79895edcc8f941

SHA1
f860b93c615c18798c7baac8e41a7f766b09da86

SHA256
7843f79eb7676aa22730f138d50dcb9aaba3ddb8ff6cb8d03e0a99ba06d4f6f1

SHA512
a02a4a5f942bdfc77d43d6d0b7339c0269a3475e50bbd05c9652aee55819b59ad0882d8ce3b14c002c3ce13a756d81b1fa8ce68d9e222bd05cd35dbb3ddafca7

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
64KB

MD5
657ad60492df2728e1981afc97815f95

SHA1
1e7099fe737ae5de60b518cb0bb0ca87021befa9

SHA256
d8bbc6e7d23145d8b187549c03842ad1ffe2ee61b313275c5591117b70e413e8

SHA512
408e8a42641d9c021e8720c2d5c702cfc6fa70d4f76040483ea818be7d2d10eb07725fcca35c635c19df8d0ef33c3aaccd607f6da1724d4779be97dda4cefd36

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
ad80c58f5188271839d687252aa0f856

SHA1
260a5e7401cd07a29e51709f2d9c1b425bb5ff94

SHA256
ac00131fb954f51481e028b5cdd2dca66912fd29ff5cef5531582b4bde905e85

SHA512
886cf944e8c1b0b5d85f2742244561ea90cda4f8cf0f81250f496ebf9bc2d9b6554c90185e4fe5fac2b40ea0b2fdea0b81d5964f3467c151171ab006e665feb6

Download Submit
memory/60-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/396-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/412-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/416-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/696-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1148-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1416-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1456-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1680-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1804-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1904-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2036-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2248-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2344-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2400-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2508-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2632-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2708-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2752-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3116-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3164-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3196-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3216-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3276-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3560-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-535-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3728-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3812-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3832-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3912-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3920-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3960-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4192-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4220-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4452-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4680-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4712-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4712-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4796-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4796-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4812-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-512-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5004-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5016-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads