berbew | 81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58N.exe
Size

80KB
MD5

f73a294f6df709c227fc8d990517b800
SHA1

2d84daa285376e1e59bd9756b92624a11f19a4a8
SHA256

81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58
SHA512

5160d18aa3da44542e6f25def9701cbe3c98481726480b6a6e1a23db3bc4a2cf01a41ccdce3e3ae8068e899a76835e6fbb25d894e5d37b50f2cb276c41a0f644
SSDEEP

1536:CRJ1SIjEkq2avZBVXW3OzTkXgN1cgCe8uvQGYQzlVZgs:iJEYWVpzTlNugCe8uvQa7gs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2076	Kemhff32.exe
2104	Kpbmco32.exe
4824	Kbaipkbi.exe
4908	Kepelfam.exe
2140	Kpeiioac.exe
2684	Kbceejpf.exe
940	Kebbafoj.exe
4936	Klljnp32.exe
3448	Kbfbkj32.exe
5068	Kedoge32.exe
3348	Kmkfhc32.exe
4976	Kpjcdn32.exe
2124	Kfckahdj.exe
4508	Kplpjn32.exe
3856	Leihbeib.exe
2192	Ldjhpl32.exe
2996	Lekehdgp.exe
4340	Llemdo32.exe
4504	Ldleel32.exe
1668	Lenamdem.exe
1588	Llgjjnlj.exe
1948	Ldoaklml.exe
3268	Likjcbkc.exe
1204	Lpebpm32.exe
4776	Lgokmgjm.exe
1996	Lmiciaaj.exe
1604	Lphoelqn.exe
2528	Medgncoe.exe
4648	Mmlpoqpg.exe
4628	Mpjlklok.exe
2728	Mgddhf32.exe
4828	Mmnldp32.exe
2356	Mplhql32.exe
2280	Meiaib32.exe
3224	Mlcifmbl.exe
412	Melnob32.exe
3176	Mlefklpj.exe
1080	Mdmnlj32.exe
3840	Mgkjhe32.exe
1300	Mnebeogl.exe
2868	Mlhbal32.exe
2960	Ndokbi32.exe
2540	Nepgjaeg.exe
1352	Nngokoej.exe
1976	Npfkgjdn.exe
2516	Ngpccdlj.exe
3144	Nnjlpo32.exe
2348	Nphhmj32.exe
2316	Ncfdie32.exe
1056	Neeqea32.exe
2572	Nnlhfn32.exe
4220	Npjebj32.exe
3104	Ngdmod32.exe
3484	Nfgmjqop.exe
5020	Nlaegk32.exe
3844	Ndhmhh32.exe
4348	Njefqo32.exe
2436	Oponmilc.exe
4188	Ocnjidkf.exe
4312	Ojgbfocc.exe
1920	Oncofm32.exe
4868	Odmgcgbi.exe
1484	Ofnckp32.exe
4500	Oneklm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Kedoge32.exe	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Gilnhifk.dll	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lpebpm32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kebbafoj.exe	Kbceejpf.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6404	6320	WerFault.exe	256

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 2076	4224	81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58N.exe	82
PID 4224 wrote to memory of 2076	4224	81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58N.exe	82
PID 4224 wrote to memory of 2076	4224	81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58N.exe	82
PID 2076 wrote to memory of 2104	2076	Kemhff32.exe	83
PID 2076 wrote to memory of 2104	2076	Kemhff32.exe	83
PID 2076 wrote to memory of 2104	2076	Kemhff32.exe	83
PID 2104 wrote to memory of 4824	2104	Kpbmco32.exe	84
PID 2104 wrote to memory of 4824	2104	Kpbmco32.exe	84
PID 2104 wrote to memory of 4824	2104	Kpbmco32.exe	84
PID 4824 wrote to memory of 4908	4824	Kbaipkbi.exe	85
PID 4824 wrote to memory of 4908	4824	Kbaipkbi.exe	85
PID 4824 wrote to memory of 4908	4824	Kbaipkbi.exe	85
PID 4908 wrote to memory of 2140	4908	Kepelfam.exe	86
PID 4908 wrote to memory of 2140	4908	Kepelfam.exe	86
PID 4908 wrote to memory of 2140	4908	Kepelfam.exe	86
PID 2140 wrote to memory of 2684	2140	Kpeiioac.exe	87
PID 2140 wrote to memory of 2684	2140	Kpeiioac.exe	87
PID 2140 wrote to memory of 2684	2140	Kpeiioac.exe	87
PID 2684 wrote to memory of 940	2684	Kbceejpf.exe	88
PID 2684 wrote to memory of 940	2684	Kbceejpf.exe	88
PID 2684 wrote to memory of 940	2684	Kbceejpf.exe	88
PID 940 wrote to memory of 4936	940	Kebbafoj.exe	89
PID 940 wrote to memory of 4936	940	Kebbafoj.exe	89
PID 940 wrote to memory of 4936	940	Kebbafoj.exe	89
PID 4936 wrote to memory of 3448	4936	Klljnp32.exe	90
PID 4936 wrote to memory of 3448	4936	Klljnp32.exe	90
PID 4936 wrote to memory of 3448	4936	Klljnp32.exe	90
PID 3448 wrote to memory of 5068	3448	Kbfbkj32.exe	91
PID 3448 wrote to memory of 5068	3448	Kbfbkj32.exe	91
PID 3448 wrote to memory of 5068	3448	Kbfbkj32.exe	91
PID 5068 wrote to memory of 3348	5068	Kedoge32.exe	92
PID 5068 wrote to memory of 3348	5068	Kedoge32.exe	92
PID 5068 wrote to memory of 3348	5068	Kedoge32.exe	92
PID 3348 wrote to memory of 4976	3348	Kmkfhc32.exe	93
PID 3348 wrote to memory of 4976	3348	Kmkfhc32.exe	93
PID 3348 wrote to memory of 4976	3348	Kmkfhc32.exe	93
PID 4976 wrote to memory of 2124	4976	Kpjcdn32.exe	94
PID 4976 wrote to memory of 2124	4976	Kpjcdn32.exe	94
PID 4976 wrote to memory of 2124	4976	Kpjcdn32.exe	94
PID 2124 wrote to memory of 4508	2124	Kfckahdj.exe	95
PID 2124 wrote to memory of 4508	2124	Kfckahdj.exe	95
PID 2124 wrote to memory of 4508	2124	Kfckahdj.exe	95
PID 4508 wrote to memory of 3856	4508	Kplpjn32.exe	96
PID 4508 wrote to memory of 3856	4508	Kplpjn32.exe	96
PID 4508 wrote to memory of 3856	4508	Kplpjn32.exe	96
PID 3856 wrote to memory of 2192	3856	Leihbeib.exe	97
PID 3856 wrote to memory of 2192	3856	Leihbeib.exe	97
PID 3856 wrote to memory of 2192	3856	Leihbeib.exe	97
PID 2192 wrote to memory of 2996	2192	Ldjhpl32.exe	98
PID 2192 wrote to memory of 2996	2192	Ldjhpl32.exe	98
PID 2192 wrote to memory of 2996	2192	Ldjhpl32.exe	98
PID 2996 wrote to memory of 4340	2996	Lekehdgp.exe	99
PID 2996 wrote to memory of 4340	2996	Lekehdgp.exe	99
PID 2996 wrote to memory of 4340	2996	Lekehdgp.exe	99
PID 4340 wrote to memory of 4504	4340	Llemdo32.exe	100
PID 4340 wrote to memory of 4504	4340	Llemdo32.exe	100
PID 4340 wrote to memory of 4504	4340	Llemdo32.exe	100
PID 4504 wrote to memory of 1668	4504	Ldleel32.exe	101
PID 4504 wrote to memory of 1668	4504	Ldleel32.exe	101
PID 4504 wrote to memory of 1668	4504	Ldleel32.exe	101
PID 1668 wrote to memory of 1588	1668	Lenamdem.exe	102
PID 1668 wrote to memory of 1588	1668	Lenamdem.exe	102
PID 1668 wrote to memory of 1588	1668	Lenamdem.exe	102
PID 1588 wrote to memory of 1948	1588	Llgjjnlj.exe	103

C:\Users\Admin\AppData\Local\Temp\81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58N.exe
"C:\Users\Admin\AppData\Local\Temp\81aa24ca05b4b285416fb01b64f5cdf3ce3419f0c0a4d0e98da24fb21f28af58N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\SysWOW64\Kemhff32.exe
  C:\Windows\system32\Kemhff32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\Kpbmco32.exe
    C:\Windows\system32\Kpbmco32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\Kbaipkbi.exe
      C:\Windows\system32\Kbaipkbi.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        23⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        39⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        42⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        43⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        45⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        58⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        66⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3788
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        70⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        71⤵
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        72⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:440
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        74⤵
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        75⤵
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        76⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        77⤵
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        78⤵
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        83⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        84⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        85⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3308
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        93⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        94⤵
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        96⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1048
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        102⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        104⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        105⤵
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        111⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        112⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        113⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        114⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        115⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        125⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        127⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        129⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        130⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        135⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        142⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        143⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        144⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        147⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        152⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        156⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        158⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        163⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        164⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        167⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        168⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        169⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        170⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        172⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        174⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        175⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        176⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6320 -s 396
        177⤵
        Program crash
        
        PID:6404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6320 -ip 6320
1⤵
PID:6380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
80KB

MD5
671159bf9a7d3da21ed97783a2b2b0fa

SHA1
0f796d9a5ac67df0b09472bd6f3461d43e36bd5c

SHA256
63c6883fb2bcb0a455805889515cb6b7618333658f97816949d4e68e1ffde9b9

SHA512
8db15fc0036f647abde8efdfd4b936662fda312bb309a87e94c9cdf2ccf617d78319ece596fd5a24f58648dd0a263cfe984119b06e6abee86c8b560085a68582

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
80KB

MD5
4707476e725416486300d7fb4869ca38

SHA1
37b0f2926dc6806e221e0998f26fd833ac1db477

SHA256
544b461ae39fac9d60b263c23366cef92d25136dfb471fd5472ef5022ad93c68

SHA512
4120903c370d4343d104c5a611582437b25ed679c1f451e2ebd9fcacc337c00785e3aba91cc71af9011b9d4f9e275e8471a30fedff771c81bf03b9d6b0669105

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
80KB

MD5
b41b7856e89224e60e0540692d72caae

SHA1
30f9a483dbd5bbe2e7677263962124213cb9720f

SHA256
708df6e7b0badd6b7f28f7a0879f48453bcb35e94b575e848209a1874892edef

SHA512
d5c02e70127b43192095323e1b68636c9046f957ebec5a8de22adac0dacb36566966db1678b9f5d70b6848c51e8be183ef0647caa897ce65bd4cec84af1fe173

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
80KB

MD5
c286c370b19d72d6b5d0712130063954

SHA1
d869cb8a97fca647c1cf555c4c5388a748ffe051

SHA256
b895839c9d8d18c5da733a30add34c7b898a2258c97168d7e15a0ff3477adc5d

SHA512
c7964601c2d58074782d673946fd3ee49d7bd13defb710b428d6a2c5aae2cdaf41c734b9aeeb16e23cc26a965fcc3cf3f0919c084b2a1499ce5bd48a4d34aec1

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
80KB

MD5
70c81448e2387d0d607950f944294940

SHA1
294d50e8a9f3d5cdb16925f150df60e95a5d6ba1

SHA256
4c6666306d46a6d9171089877af24eb6bfff13e071b77eb12ff1911fb6e18092

SHA512
6ac96f8290111da8f67c866899aface918bd22b8a2f9d977e235f02218135beb6e3f6fc0fb7870c68a430d0e495da6ab3684feb3e31251406e61c228b806e3a2

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
80KB

MD5
9ae655f62d42eb99359179cd19bbf7f7

SHA1
ea49972ab604f1754b2a13a30509101c596cccad

SHA256
5d1f54c58aba669d7fc685cb0d99d18c402a6072ebdcf0d16b9b6dcae7c8fda6

SHA512
2a9f8cd2582a2d50616701111716fbd3e08dc5ad0816653b5ba30a8808dde8ce01d5e7880e0c44ee91c8bdff1c5c90358d46e8543851cad899c8c6b6a57817dd

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
80KB

MD5
9e2782c27155dc20f9864244a34bda46

SHA1
37240645e7b1b17af34ccd9351647c1d376e05cf

SHA256
ab6e626c715a425b4049ec9ee043593f1d89b62c4a368c3ac961432e506ae488

SHA512
18028555b2ac7e9597fb1a035d07748adba1343dd63bc0cc5695f0d0ca337d2493f4d1520050b253a97df3466eadb16b9c52367733aab9ace01f9158c6a81c04

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
80KB

MD5
f365cc2459a4f313b6037bfaf60ab183

SHA1
6665f07f89e56f4cebee86cf852a6737f31de5e5

SHA256
03a02a96ab41a0fe5eea386851e9463d6bc7f122bc5e77d6447c0f0c75520be4

SHA512
fe53a9278762e046635baef556dad6441c4afba471d9c858b7700b6055b8c2b30ec382d69760f3cde55b2036c48935e49641275d1b957d40a67681b4a75b579a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
80KB

MD5
b77c2d7757404fdcc1f5d008dbfb02ef

SHA1
644450343e45ba1da7144bcbc7b025e4ccb8ce74

SHA256
14293a0ab374ec289b538dc8ac46aa65395a93942b472e273e64130cb26aa369

SHA512
8ff751f1d6f92768e73f6c9d5768db9db609baac94746882ade80b160995f4b267e70063242b92773972d3c4316e99ffef80624978a01135b196fccafa28f4dd

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
80KB

MD5
576a51f4016c474b21d17e35cf98dfbb

SHA1
dc51ffb4aa509d2d3ae39a1bc4345e53b6acf447

SHA256
7ba04cc3bddb2eba21cde34367f77db76f54f625a87fcb7b66613a5661bcdf11

SHA512
a2286f8a0d036fbe96a25995a771a4d64b599bc56f19cde0416a0534d7f5713b4fd1065bd4864a43da5243c14dd825618ed562c501d9956ac09a41477e08b004

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
80KB

MD5
9f26a7e7ccf2912a6a7428f1a5b86458

SHA1
46c4242df711434a1d3eebed3256142ac6128b04

SHA256
839b4cfb8f51e6c243e3752bf059da79e4d955bb99860a954fccca3cb2321e97

SHA512
2f1549dbf0ee4fc3f7026422d27113e351c569361b618f1a81ffd9a106177b91b96b35f2b3c6186183c19280d519317b3e33cf8f6a871ee5a0e6538213d26373

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
80KB

MD5
1cb5c04944658dfc9e5496bbe9466571

SHA1
5fa471b765d2eeb6c5f394f5fffb9d538ab64d6d

SHA256
010a541a3590adf9b3e755e88a1bc58302c98e8fbf5ee0af4b4606436162b016

SHA512
893596a3599ee2aab9c875bcec66abd3f1ec70cbad8aaa8cd0cac5b178dd0b7dec91d9a5e29fc7dfca89021732c0d2f7510405d1084f6dab1f01dd351c2f421d

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
80KB

MD5
e24ac7562423501ce2d6f5fe5bbb6d99

SHA1
2c4e8d6e10d338f2bdffddcf2f474b52c3e2a70a

SHA256
be7e92360d9979f256377329f7c87b7dd4aa859153fa3f1dc160e600846b5f2d

SHA512
4430e0eb1565acc6460f667dc73e1ed46ab85daba316924e2366305e338601984f721842780f68caedf8a2db72a066a043f4aeb8ad432000a6af4c224314160b

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
80KB

MD5
dcabdb396fd6ab5f98cce06abff756be

SHA1
21b8dd7343827b521e2adc84d2440e5606511668

SHA256
c92a0003f4417b88a45101bb674894c5eed06e01d1846c3dd3dce7db58e50bd9

SHA512
54fa73f68eca7c900191848883b4ad62fc027322c681f087a0dfe2ca17c774f53cfc971be4ae72c8dccb80134b13d8c83fb01b3dd7b362ca5639a86a245e8483

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
80KB

MD5
d988bd8332c778ec9060141319fb5e54

SHA1
80b48dd0299cbd7d17a66948d7c2949c2d6cc219

SHA256
5c2e8cc16908cc9adf34f03874b5d0d65484bd6967b5a2f4011f3103920b345a

SHA512
c3ad4afaa9979fe5718408ec4e09dbf53ab669f4a799ca76002011b9d59d2ae45fd5b9aeae3b75e250c1787f3eed3bcac2df1c022ced141ada4cc5bd02a8844b

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
80KB

MD5
3cefc3d50255f88bbacc495bdc9719ec

SHA1
e71ab93c6a0cdf6b8084e2a40473165b26bf69ed

SHA256
294a4b8280318edf9078723bb07e776ad2d11e5880a7fa9f1b973845eea2b186

SHA512
cecbc020d476b14b148c2b147e7bfc717e31b1ec08c28d0d802fa66b1e7e9b347fda01dd817382731b3f9f19eb035d927851e91ecf39cada6a9943f95361c945

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
80KB

MD5
2fea6b81fb48a27d75f1c6aa1dc2f8d4

SHA1
8ea5d1b96673eb7f68875233fb9dfc2ca38266e0

SHA256
d174f347d58902d8477964d35761f151f99d1c3dc3ae84c38b64547314d1beb7

SHA512
5549765d80c97c4256f8501d5600135c3c464949bffcfa45ea8f3cac80452327ea7ee7057a79e3eef9a5c6ab8d20292feffbed47bf935b57c99246d3b08344e3

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
80KB

MD5
aa43c409cdf3803b6477590dc4fede74

SHA1
f7f1535db151c408e11dec95671a3612d10ac4d4

SHA256
dc92901fca01bbb83bd8ae873c14dce60c485a7426162f256bae4e164d4085e5

SHA512
a063a57965cccd49e9ead453eba2260ab1d9586a8223b654f829b771e09d7ee02e619c513920edad121dd55b527ced021eb50f95147a91b72eeacf2cb57a2127

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
80KB

MD5
c3872b0647f8c60cded36dec37971554

SHA1
fdd3ff371f7a2911ee3545f021297cc2c58d91de

SHA256
4cc9fee2dc12cb69ea501c551c1500f0cd41a72fe0bfa768ca7541d67d8e692b

SHA512
3e3d4ee9f84270c8004c2286ceaa6e6c7ef158d660e868c873be8413e275f738594e258ae44da16780c811e0bcfafde5b403700f9f98668bf0644a61b9d10c92

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
80KB

MD5
fa2f2227eafbc2df3fb89d45754dbe14

SHA1
2445dd12686544d0eeed4fa47af71c6fcd04c4c8

SHA256
1605a4923429223796e69510459924e2ced39060f0c770c550db6bc48228935b

SHA512
e513f0cc9d8ecf6339c9f69ac2e8657612abc84f5c0779fd4bf20c679724a8687695f14ecac8857cfde3bacba593ede2e894f70197092d15485c6c84ca7b1080

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
80KB

MD5
79bf47e6920035d5cab44cdcb5d56d33

SHA1
bc0189984e4314f70dc92159cf49e801fcf2bb1c

SHA256
2fff0cce521a441829fb364fb9a2309485eb7c08ae232c9e4071ff4d42a48972

SHA512
aa2140c53537aca5bf2d0fa35d5b8bc9206dea6e5ddbe57b433ffdc75589857630821225cd4379f3816a6532d5442c5e9366d0442776e667072f1631824fc38e

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
80KB

MD5
4df7a15cbab9c1e1b2639264947cbbc4

SHA1
4ee06f99e0ccf55d19adcdaccf299c3d83c62e29

SHA256
d5db97e67f95c36a9784532edb1b8cae507ef4ff5012fa1596897886cbcb84fb

SHA512
050793a3071a9c25c1bc0d7fadc5b5dbe262c0c00686fa9e66ce926fb3f3d1a7a71e4d6f028b4c836b02495fecda896d265313a0e93cfb37494bad32e003704e

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
80KB

MD5
ec5641a3b923d4122819d051cf5586bc

SHA1
a4f0a1619529946aa1e1d2a6b6080b26d6267dc4

SHA256
0b5956cca64b780bcbc13ee6f1b8541255fbe0b6db749645b0375ce28ff090d9

SHA512
3151d6c6c0845ac4e73109c5f4142aba5e5f15d999be371dd5f67026b2c585e281f329ddfc08f2c68d7a0fd2d9b91540079958e64c06b6b07878ac7e1a28bf44

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
80KB

MD5
5555eb63815f0600b7ed25da20fdc879

SHA1
dc484fde1b3de0cf880d45557d73dd8199e8528f

SHA256
cdee8bd434f9b7b046b15fd236beb1629d83454d5537c80af769851ea14a505d

SHA512
3f8b094a0b266f8f4cd6b60866ee3391da85ead9aba7bb3673c2150b00493a94106eed64b65d47642bfcc7eb1bd2f7bab8092be4de4f6882e13be1f92a008f5d

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
80KB

MD5
054041e2e55190d357d0ce7423630395

SHA1
e81ac49480bc4d8b853bdf2fc95409d85da46ff6

SHA256
fe9fe8543806b3ea75fbc54b910968a270808a0e8c8f632ee57864687e3909d3

SHA512
faba101a00b2cccc223a883b47b98be97d46343ee3c001dab713f0de2b3696019021807047dda9ec6b3e7093501dc01361d8053bea921627b51790b1a82e0a86

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
80KB

MD5
df45ee91fa6870c1974e090f7c016a43

SHA1
3c3e5d4566827233be3a601cafa138047d5947d1

SHA256
26b92ddb582f8cadf2850715a81db7098d24af438744ee5467e6ec88723b2ebd

SHA512
7935aa57edef23f147d241f57a03fc5fb7feb0369470fe196b972a6e37df624d39443666127184a27009996689a79f426f512890eb7bad5cf100e94ed0c3f8b3

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
80KB

MD5
8d9455105a2e5e1bba784867b40df6df

SHA1
e69e10eaa1831679c785632c61431c7049acc3a7

SHA256
1fafa420e5829653ed40d54f7ddac41533311e6dc95450897681a972b2a47099

SHA512
232d401cba2627bec3532882670f7700d2baa97fc037a98cbb48bb2dc508b5cb4bd747f4beff48dbf586910a97260f47f4c77ef5469f17fdb2e084cabb59ed89

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
80KB

MD5
12ce530c0de4fd319e12c0c16abb72ed

SHA1
d853fccd1e3bc0af91575b8b3d5ed23fbe042c18

SHA256
0225c95013591e10d8ebc19c1fb5dd2a4ca1516a5d9895c7ad017845a6b13aec

SHA512
402cbc04ad903ca2654393083c14267b6945f8f106983dbbf76a42e19d1b48db2825bf481b7a87e39b2d8bd077c4635a66507331a6590119f53f77565723bacb

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
80KB

MD5
7fa808ea9673c51ccb95f6e88fe4e0f7

SHA1
70aea5a2ba62684f69829ab55e1cdebaa8eb1854

SHA256
eecaeb6c0cdb4df1d83ea41a8fcb2ea0c530ac09e5d1e900c1f797bbb6127a00

SHA512
15510a4ab0076e0f585cf5ef7015cc45f78729dd2025a5f5c035757e0ede06045b53cb51e9add739a2d3e542248b7f1ad21c45a1294cd0014531931969350753

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
80KB

MD5
4aacb85612e7337e961c41ca29d21f70

SHA1
42385c849bb5f2a355630fd5d2dd6e412f400085

SHA256
eef5866d6075c6d6c74576a56801b1c30fb2a0715e08821285c592beee48318e

SHA512
31df420cff503b23b8b9f2c8d5c5215215aa2a5041385fe53e1962452181d126a92a27b7924a693aae1b9f1d788c8514bfb0e2885e8ce84495a63aee4b2b1b7a

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
80KB

MD5
7c788d6b809c1d9dc185281c2bf3a2b4

SHA1
03b4ad48f30dfd15f2d45325e392878f79d48e59

SHA256
f52e3daa0b3bbc6cf0b729c8da9c3159bde460fcf61cd58ad4695a659550466c

SHA512
75da6958a4613e2a680224073324993780bb0b53d8b10054ffaf0d059c832fb053869b7bc065b18ca070899c749b757a8f0f640f0872e78632cfaff9ba030b88

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
80KB

MD5
4fca54b3df0cf46a3959c9c5732ab07c

SHA1
a5e9c136737927b780e55e7bd8adf65c0186068c

SHA256
9f22af3c955d17724b89ca8e070a0df5ed06c0a84ae6fc7ead6c513daf810095

SHA512
e5af33ae794fd4e7a40ffe31875a9cfd258327733ef89fd1deb67d19db1d3f3757b8bda8e9265c3319270789074011f6658d1ead0319f20ec0c2cc932a2fba91

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
80KB

MD5
a9e6b5b9c3e7134c5149626dae0deab0

SHA1
604a76daa06cc22fd70b12f54c6bf41809ff9fa2

SHA256
41a19749408a97eeebb910fd395f002220c6a4b7f337bf2436dd57c75d929544

SHA512
7b296ea5bf8c3db0f522f039bdc1344fbef5b332b76cd0a2ad6bdaba8090c58fa24539adb3d3109456d8922c9b888eec94c60704481673b51b0924e145070797

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
80KB

MD5
903ca11441ae423c93f3ca633034604e

SHA1
36fd2d335836d66495578445839d1fecb886a4c4

SHA256
761c8c6fd117f7993308e7342e96aefc04fbdf4b8cbfb1c4435798b3bb1a3512

SHA512
63fec8a8b5eb7587f0ba3b65967a38f081517297c6263886f3d1286c55a80ca0dcff044ee577fa15cbff4cad283909581f0c25153a1bff1bb9c2bd5a46b41e6c

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
80KB

MD5
e36dd50836a374f5e623a0d80216b9a4

SHA1
d927b4f07ba14d748aa80a743f82c855c9e6c786

SHA256
33c3513f52ca16ea340a18c78ff956caaec73a83a4852053ad7e505d95822408

SHA512
e6749a7e6ba27b43037a4fd92f82184cba95efb924c18fea9f443e6a1e845fda3c45f0559b193550a27de1585b7435da554166b436a33ce803851ce4037627e8

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
80KB

MD5
99b825f03ccb8036529bf3fda5be737b

SHA1
bdaf097d2092e9c76d868d0d006c00d2bb9fa118

SHA256
ab7189f0ce11d946e4154244e5fcfe9a35111ef9ec0aa7b1b2856e9221e3ed89

SHA512
7c09b1e54cf418f31471dee98a1fafea6bc4eb52a980e14f7e4d2169814bbc5f47ff183bb1a177c12963badf1f44aba57cf34cf7f7253e07c9590d85eab1cd83

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
80KB

MD5
756d85f6d86bedc68732e42ca4c13d4a

SHA1
72aa0900df2e045509c6f3da6f58c867d6e284bf

SHA256
bf5b7626a4b89b5f51c05ac1cf97a63279b764964507b054efd2932b2a705fe8

SHA512
fd396e185f638ec0e1c5293e6fcd113984607c1a45c56544e86a299e6ad74407a1776cc5fd905854050e85a0349b9edecfc3a2bbb3b1f70cd784d26a9b893dc3

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
80KB

MD5
db63ef6be46d5344a8b69955deb13453

SHA1
1225659bbc59e70f3dc0b6ea0900455e18ceba9f

SHA256
7fe596e0a12a332b2dc066da2e66e1723cd926835177b83a24b048e454f3d7e0

SHA512
d9a7ef8aad8042a883adbaf11a60e03a952b56e7b062f86a08f5d97131bad73d4b146a17635a2221c92c089769a4f92cc00ce1e9f6c995089996b45b6e6f7ab2

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
80KB

MD5
7a16daaf672e9e3c3825084828319b96

SHA1
b0f3022695e5b5b09b5eae10ac31b9bcb3ccc4f7

SHA256
684cbe95944b3640f0a946a4620b4743546d24bd7fa12582aacafb0721a9dcd9

SHA512
c8d7ced4c54a44ecc67a6dfbfec45b8b32f1b450d26b81d321aa53a04883d0ad6e82f26a555979e67cf1cae483554a7a89d3ac5ab54043144455dfbc83640d79

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
80KB

MD5
d9ad0e787a94ced81dedaadc15590dd5

SHA1
03d0b2734757dce58bb136a653c9c44b8d7a70bf

SHA256
0c2228eaf55b15f2153544d987d666e3846991c93ce6e6dc33d53642c38da08d

SHA512
f18edea21c2d86a16c725b6666aaac5b80eaad56032f8bb713828ff0dc2d75aa59f33bd75382d4c55ce6ef69b913f52dba1d130fef59faba0bda3f9512b183f1

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
80KB

MD5
75c59c8ca6b71de21647a4dcfa4eaa88

SHA1
296409ada039b7f67fdfc407a1a4a94730b1af04

SHA256
953ebb37e86f1f79b8aff2984873cad02ba7acea0eee791791757915fc478f46

SHA512
0ccaa0376b01b797379a6e9f255414918ec62bcaae43df200a9924004d8c85a8aa254fd7e786525670b3c1ef75e61cc76760068408111e462a064dc6ba57a3ad

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
80KB

MD5
78dc1393c018ae580650d4bff8f01375

SHA1
a9429604830ce68a28f33ea8b57389d74a6619e4

SHA256
142d22eb07f7cd7aaba2e50116c2508e89d8d55bbc0b32e424dcc541cb50b180

SHA512
d0ebf0747c4eead03e7a8e18e1a9acda2182b3882fdb68c30fa2869cf43271b1b58e97d4202941788d617cb2ae4af7d3dc13398f035c71121e8a6bd1b9d5e2e4

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
80KB

MD5
cd64521364d1d312b669c10bd1c4e9de

SHA1
e3eaf9590171fb195ad0268d3bd7ec988ef2dfae

SHA256
acd2c7705b68dfc1d0a4aaa3411016db9d168a6ac4314b37b97b4003413dcf7b

SHA512
52f01027e4ca057cc0b6bc7641651d1c4599f4a5fa5a8d1bc4c88ae0519e2692cae870935356c355d9c55272d27f4cceb2e401917d25885d5e795fb01aebdd9f

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
80KB

MD5
43f379eca8c220316d5d269bfc8db051

SHA1
8f1385465f029dec17ac080b2c4bcf473351ea99

SHA256
a84a8c6a1372b0e97e29120465e0172330042053c03a41195d9cc8e73cbe0639

SHA512
6c63426d0aa34a5472c901cc893e5dc983b9f8be8648ffd1a744d273f89d4ee6df675803ecf9b08a3829d89d331e433524d95fce4784fae7b352df8209904473

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
80KB

MD5
b6cd0c81f56f88533841f98ecf7eb842

SHA1
7627f82506d9a0a100c6bfee5ec0e88383de7408

SHA256
89ea99cae0073ab94533961e1276738fe44f3ba30b8aa133486c22b5d21077f7

SHA512
a5dd9dff2f9b61f06d6ebd7d41cf7ead45a8c98557580da31f7d6e83a561801600764ed44a0dc25bf214f12fa3770986f98c126edee614a8eb287609f3429166

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
80KB

MD5
61471a6795a57c1efde007390f47c552

SHA1
5db978f1fd85a2ae38ac2f9c1100c090f6dae966

SHA256
907d664f5ec861b3efce0236d9856b7cd47ee0c7e887bcee1a9b0d651031ded0

SHA512
5bb34a76f1161dae9c33e4bb14342b20c589cf8fcfa381576c2b85b38ba2e91c54b3bc217fbf7909f653d64dcca7183d08de529e3c3626c650177be3acfea9b0

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
80KB

MD5
14919db115d0ee5269557d1fca7f8df3

SHA1
7afc81a99c184d2133ca319f1f2e7cd8bba15df3

SHA256
5e840daeeb7bbbee85f4fd0a1fa4e429c5f7b69e800d3397b7bbc65f4e3ef7d8

SHA512
35692f1f59a21e9c59b941e3d38a47e4b21521847d16a328fa0a77ff1c388bd5589e4ebbfcc74d0b1bd481c24ef894b946e7b97f52a92932e1a676bef08e4849

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
80KB

MD5
9961db174526ae7126c0e1ef66185696

SHA1
04f1c4b455985994026f181711e87e7647c30671

SHA256
31409ff61dedfe273d5c6d54dbed4a56b87787417e5668d252d6d612275dfd10

SHA512
57078470618b030e066349b41b3286ce0da372e0cfadfb6745c9734182ef302651bf075cfa8186b7ac14760d368d6f32552dd26c53a879c09e699f1dc9a098c6

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
80KB

MD5
357750584c51cc13622b04d4d7643bce

SHA1
63a6e0b9cdb9c815737b147c9f277e91c44db4fa

SHA256
d371033c52c41aa552ef42b908129f258aac412d993d3a2130e280483e6be31f

SHA512
95985225d70b2a18136f4a1605a8bde6c65be56163dab8019dd91f0beada10c050af24840af893b02e33de7ad14934712f029ac0cc1a6fef6a687c0860495590

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
80KB

MD5
c2186c0f9a915b30b15aae64b65773b5

SHA1
a74d47dfa503722a1819832547f1008a16a3adb1

SHA256
da4371b31c5e7fe38e6ed6d07304847236af37424f0ad1dc1bc3bbbf3567c434

SHA512
284f7aeecd13f173b4ee98d21a7c380d130cd425983ff6b09feb65647c4c3791ffac68306e925b62252743da50df04213590ea7ec50d57dd0cb7408b107b6aad

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
80KB

MD5
d13d5fe1a47f0975fb1b1e569e559244

SHA1
47cdda4f6d0582f687004596e3bdad449c8c591b

SHA256
a509d2abed608acef2267cd30749ccb21857d108d4c2184e44ea776d7f18f70b

SHA512
8d433f8e2c3736c0e116731f2b2455f5a812dd5e0c193a08adf9464f77fd5e507d2e44b4b90503cc386c2d5f088ae7286b730a56253a6681e39c01e7d32cf27d

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
80KB

MD5
e8a88823aefcdb8ce221327fed7ddf6e

SHA1
e4f3f2f6eb1f4c34f65bf6348811542ba3790a99

SHA256
e3583917cdd0736f3f5559d6f6fee08b525bcf1eea9a0a0bf59f78275a15273f

SHA512
1b1e4f278dd7488341e7613ba9b6c965845f4c13b9a52b3c7fa840701b544fb7a5bdba2c3e00c5a94db69cd2f6ca61c7cc2b00145221c33db3027b97acc2cc83

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
80KB

MD5
f1b7bfcab1ae91083739c2da777fe568

SHA1
9fb8b71b7a35684ddb4cf1d7b7cdcf92b6877aee

SHA256
3e8626be1ff385fe96773e7f087e72fd79089231d11cc1c62068ab387dacd98e

SHA512
462f9e0b035db7ff19a64c1cdd2f631875967abca0406e17f0caeafa690d5e8a6dba5c46bca0e473cf68407746c9fccfe5d163fc966e884b9fa86136e05e8490

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
80KB

MD5
2cd95885882538b1d59efddf51e62195

SHA1
bb6950da452167a1776e1917ae21325649775723

SHA256
303d4b34874331aef2f3b7e0bb47a367e0798fa821e01626a9d5f765043b25a7

SHA512
1a86f9250e060c7a0e1656632bb13f7619392eda1e6a20a04af964588a1d9bbdf2544f3285e0a275a33d36f92404b745eaf4cf52778447c29e4f7dd731bb15c3

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
80KB

MD5
33017d41b17b8c067c20d15f5ba49cc0

SHA1
551e7dd95eeae2b278971f66fb5302680b536316

SHA256
b042b1c32645690b11acc833d058f940bf41738165fb484506cd9074d46ab5af

SHA512
346d8913ed16a26632a5e39462e96650d062c9af646d77c8101319b40d378fa7abfa17218e2cd89fb53d1940a0e9bcea211e85171cbb48ae3ec0d07b207a73d6

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
80KB

MD5
a361e9eb6070524e5445da57733c44ef

SHA1
bd417135175ce30634c8a7e92ba65924b5ac97e2

SHA256
6940952d812719c8de80d3462c4bb259b0331ddfa88b175fcaad2a400e7c0da5

SHA512
4f12d0db641a2f69b663286ce5d06f92dac64943e5bb4fd5afd440b6f9ed9142b88ee261aabb60b842a8f46377d67a4b2ade2f86e94821939684899f7bbbed37

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
80KB

MD5
5229854efeee353e529d75ce65d813c5

SHA1
9a8af14fac05917413c2875e98e0988c6ea24385

SHA256
c6e5a1fd7f0b1fe012436e7188bcca99c2c8d3ff96b46489f96c5a9586d57868

SHA512
b08ebe682e3e33212c4441d9b3bf773611c8acdbd9c7c3ea3e58c0cc50e6090bde6d2168eb78e6b876f180cc6f6d2012d7f3b3ee16e804ad9f9d4c77f1556138

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
80KB

MD5
741546ac37139ab0468b49045d7e4448

SHA1
53532eb5a2461d02476494bee08571cc961d3f94

SHA256
ecb011d84428b0399afc6d444c9fc92609c34a3aaf441e34218c44f835e6f260

SHA512
d7b3685a324d3159790f562ac457072254662134970a7b10dca9b0f5d6348136c726480b6ee0fff98813b5d1805a3094a35889be1168a4c35301a57a72ec2107

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
80KB

MD5
f9f119ff25bf8a8283a177021461c694

SHA1
6e91fb07761bbe702611d96c4fb9b9d2fa021796

SHA256
ce5060aff637e1a032425d2a53ca6bd78a3dccfe41a9377579a53ff035148adb

SHA512
5570d6403761102dfd3a088069e3962cdb6b5afc2fb3a3fb9c879e13f58abda1a92754f49488d561c4bc1d169825ce26bfebe3a40dd63dd804c4b159986e3055

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
80KB

MD5
9c4c2e085d1dd711a3a34b1173eb8e22

SHA1
b4f452eb175ccd7e4ffc1307caa0c8b4d2c78515

SHA256
d5906d6e9410a695e1f0a6d301b297ff4bf6d5a19f5cf6af573eed4fdb96e102

SHA512
36782f39095cb2b6255f91cad089897bc985d0d3d7c02031cd3097562d0d1bc7c42a9324d8bd2c62748ad5c27c3b04e4f834717a47bb2a7a3eed9a2d641ff773

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
80KB

MD5
2dd47e04bb2b6fdfcc48ce3f4b989b71

SHA1
e319e82d229bd5a13ccdce64ff0cc622fd4299f8

SHA256
19cfd522ab68b2d12e69ad37dc710f87f710dc0f4273349ab16b1ff1bb05a03a

SHA512
0d1e044d00f535c49c72cb56620b1513de8e4215b64b352d7d9e5f3e2408c1ca1df441f808998baca85209424f347fa914df70cf30a025f0853149500b96baff

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
80KB

MD5
601094d02a9f3d1bca0330715acaa501

SHA1
fc2ffd75be5d3194bd4246c7c1fd04c3bc20816b

SHA256
b58b0d3250c0c58e4a7583179d4db900e9447d1b271b70ca3dfee40b28df6f7c

SHA512
e2321745c24ca8212e2b36474eb7f7bd4d5e87084de53dca4584aded59ef1117b4a97159f23a7c278bfdd6ec78a263dc06ec0e2a1d54a52c4f434c01f7f8e933

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
80KB

MD5
e8f38e22d5d9bf7244aa0d8b6c0f0afa

SHA1
e95498f85297c4f48f72d1412531793ba19a0233

SHA256
775ebc239c97bfd284056a2aaf94e4a75cd499995e0f995ed6efe3d41581c64a

SHA512
bf85815a9675ee0976779a66cdf82f9adee1de946e165ebdcf483f88d8a6ad194bc97d45bfcc2cacb0dd9aac58f426d6655378c89f9480a74d9c71d252ff677b

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
80KB

MD5
0bcaa8877ed4342b93fc4c6d2086ef26

SHA1
1a00b15c2fd1fa089d90c95d0edff51b3edcb5f9

SHA256
b753afca4a14b06320382fe6442f84c9c2f12658e9b5d3aabcbc3853ed4f8d2d

SHA512
12ff9b8adfda75433ffa9c19decb2cdf8c8406fb20c1f73856ac437f705a81199817cace081f43995801c91d6bd5217e84cd3a929511054a624178098f63c187

Download Submit
memory/412-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/440-492-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/940-589-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/940-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1056-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1080-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1204-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1300-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1352-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1484-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1588-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1604-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-569-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1920-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1948-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2076-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2076-547-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2104-554-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2104-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2124-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-575-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2192-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2236-482-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2264-486-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2280-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2320-498-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-541-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2356-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2360-468-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2528-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2540-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2596-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-582-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2728-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2868-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2960-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3104-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3108-535-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3144-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3176-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3224-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3260-548-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-474-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3416-504-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3740-516-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-456-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3840-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3856-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-583-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4188-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4220-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-534-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4224-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4224-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4324-576-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4348-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4428-522-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-555-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4500-454-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4508-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4648-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4776-200-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4812-528-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4824-561-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4828-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-438-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4880-562-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4908-568-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4908-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-510-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4976-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-463-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5020-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads