berbew | 92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4a

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4aN.exe
Size

176KB
MD5

a362f1a80556a44e048027258e39c600
SHA1

6fca0af742f49834a30520b5b856ed8e87e30240
SHA256

92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4a
SHA512

83df46227bef17ed0a1957e3334c3f7754f06b42050ac565ea838fbd348723025bb92d8ada6fb5bcbbe13450d6ed3d719395c726cb381a3cd206bdd7f9d9f5d2
SSDEEP

3072:z3O56qvTuiyHfx2Lj6+JB8M6m9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnRePB:Q6qvTooLj6MB8MhjwszeXmr8Sj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpanan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbchdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmkqpkla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmdaljn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpelhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifcgion.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klcekpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kofkbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fligqhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlgepanl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgmjmjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enigke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iibccgep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffqhcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eejeiocj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfodeohd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimqajgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hblkjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iplkpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmkqpkla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbpjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbalopbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidphgcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfeljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglhld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3948	Ddnfmqng.exe
3092	Dkhnjk32.exe
2672	Dfnbgc32.exe
3076	Emhkdmlg.exe
2764	Enigke32.exe
4948	Ekmhejao.exe
464	Eeelnp32.exe
524	Eokqkh32.exe
2452	Efeihb32.exe
3576	Epmmqheb.exe
3724	Eejeiocj.exe
4996	Ebnfbcbc.exe
3944	Flfkkhid.exe
3208	Fflohaij.exe
772	Fligqhga.exe
1472	Ffnknafg.exe
4568	Fmhdkknd.exe
3200	Ffqhcq32.exe
4400	Fmkqpkla.exe
3004	Fnlmhc32.exe
440	Fbgihaji.exe
3088	Gfeaopqo.exe
2004	Glbjggof.exe
4072	Gejopl32.exe
2860	Gfjkjo32.exe
432	Gihgfk32.exe
2188	Gmdcfidg.exe
2040	Gnepna32.exe
620	Gbalopbn.exe
4404	Geohklaa.exe
1212	Gikdkj32.exe
4844	Gmfplibd.exe
4536	Glipgf32.exe
4500	Gpelhd32.exe
2620	Goglcahb.exe
2492	Gbchdp32.exe
3980	Gfodeohd.exe
3040	Geaepk32.exe
4952	Gimqajgh.exe
1156	Holfoqcm.exe
3568	Hoobdp32.exe
4104	Hidgai32.exe
4540	Hlbcnd32.exe
1372	Hblkjo32.exe
4604	Hfhgkmpj.exe
3756	Hifcgion.exe
4672	Hoclopne.exe
4176	Hfjdqmng.exe
3000	Hpchib32.exe
4156	Ibaeen32.exe
4112	Ifmqfm32.exe
4108	Imgicgca.exe
4528	Ipeeobbe.exe
456	Ibcaknbi.exe
1572	Iebngial.exe
1200	Ipgbdbqb.exe
4772	Igajal32.exe
3976	Iedjmioj.exe
4444	Ilnbicff.exe
3172	Ibhkfm32.exe
3056	Iibccgep.exe
4336	Iplkpa32.exe
3236	Ioolkncg.exe
4884	Ipoheakj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Flhkmbmp.dll	Onkidm32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Ekmhejao.exe	Enigke32.exe
File created	C:\Windows\SysWOW64\Dpaagldf.dll	Fligqhga.exe
File created	C:\Windows\SysWOW64\Ndoell32.dll	Goglcahb.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Pjpbba32.dll	Efeihb32.exe
File created	C:\Windows\SysWOW64\Fnlmhc32.exe	Fmkqpkla.exe
File created	C:\Windows\SysWOW64\Mqafhl32.exe	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Mnegbp32.exe	Mfnoqc32.exe
File opened for modification	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Iebngial.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Iibccgep.exe	Ibhkfm32.exe
File created	C:\Windows\SysWOW64\Mfcjqc32.dll	Knnhjcog.exe
File opened for modification	C:\Windows\SysWOW64\Nnafno32.exe	Nggnadib.exe
File created	C:\Windows\SysWOW64\Pjbcplpe.exe	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Eokqkh32.exe	Eeelnp32.exe
File created	C:\Windows\SysWOW64\Gikdkj32.exe	Geohklaa.exe
File created	C:\Windows\SysWOW64\Emcnmpcj.dll	Gbchdp32.exe
File created	C:\Windows\SysWOW64\Kigcfhbi.dll	Ibaeen32.exe
File opened for modification	C:\Windows\SysWOW64\Ibhkfm32.exe	Ilnbicff.exe
File created	C:\Windows\SysWOW64\Eieijp32.dll	Jcoaglhk.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bahdob32.exe
File created	C:\Windows\SysWOW64\Bhpopokm.dll	Ffnknafg.exe
File created	C:\Windows\SysWOW64\Kjlopc32.exe	Kofkbk32.exe
File opened for modification	C:\Windows\SysWOW64\Mfqlfb32.exe	Mcbpjg32.exe
File created	C:\Windows\SysWOW64\Nqbpojnp.exe	Nmfcok32.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Ahdpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Gfodeohd.exe	Gbchdp32.exe
File created	C:\Windows\SysWOW64\Ipoheakj.exe	Iidphgcn.exe
File opened for modification	C:\Windows\SysWOW64\Mqfpckhm.exe	Mmkdcm32.exe
File created	C:\Windows\SysWOW64\Gabfbmnl.dll	Mgphpe32.exe
File opened for modification	C:\Windows\SysWOW64\Nglhld32.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Cggkemhh.dll	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Ckebcg32.exe
File opened for modification	C:\Windows\SysWOW64\Fmkqpkla.exe	Ffqhcq32.exe
File created	C:\Windows\SysWOW64\Gnepna32.exe	Gmdcfidg.exe
File created	C:\Windows\SysWOW64\Mnmmboed.exe	Mgbefe32.exe
File created	C:\Windows\SysWOW64\Obqhpfck.dll	Mnmmboed.exe
File opened for modification	C:\Windows\SysWOW64\Iedjmioj.exe	Igajal32.exe
File opened for modification	C:\Windows\SysWOW64\Jenmcggo.exe	Jcoaglhk.exe
File created	C:\Windows\SysWOW64\Nmbjcljl.exe	Mjcngpjh.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Amlogfel.exe	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Hoobdp32.exe	Holfoqcm.exe
File created	C:\Windows\SysWOW64\Iblhpckf.dll	Lnldla32.exe
File created	C:\Windows\SysWOW64\Mqfpckhm.exe	Mmkdcm32.exe
File created	C:\Windows\SysWOW64\Hehhjm32.dll	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Aogbfi32.exe	Qjiipk32.exe
File opened for modification	C:\Windows\SysWOW64\Igajal32.exe	Ipgbdbqb.exe
File opened for modification	C:\Windows\SysWOW64\Jgmjmjnb.exe	Jlgepanl.exe
File created	C:\Windows\SysWOW64\Hblkjo32.exe	Hlbcnd32.exe
File created	C:\Windows\SysWOW64\Cgdgna32.dll	Ipgbdbqb.exe
File created	C:\Windows\SysWOW64\Kgflcifg.exe	Klahfp32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbpjg32.exe	Mnegbp32.exe
File created	C:\Windows\SysWOW64\Opjghl32.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Lejgpb32.dll	Gbalopbn.exe
File opened for modification	C:\Windows\SysWOW64\Ljeafb32.exe	Lfjfecno.exe
File opened for modification	C:\Windows\SysWOW64\Emhkdmlg.exe	Dfnbgc32.exe
File created	C:\Windows\SysWOW64\Eeelnp32.exe	Ekmhejao.exe
File created	C:\Windows\SysWOW64\Fmkqpkla.exe	Ffqhcq32.exe
File opened for modification	C:\Windows\SysWOW64\Gmdcfidg.exe	Gihgfk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6972	6844	WerFault.exe	267

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnbgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eeelnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfqlfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddnfmqng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffqhcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glipgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgloefco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjiipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfhgkmpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoclopne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpchib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipoheakj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcfggkac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgdpni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkhnjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmqfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imgicgca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcaknbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcbpjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpelhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfjdqmng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnfohmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnegbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglhld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gimqajgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipeeobbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnmmboed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqpcjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfcok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epmmqheb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffnknafg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebngial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iibccgep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnjgfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcngpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmkqpkla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfjkjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gikdkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoobdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glbjggof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlbcnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibaeen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgbdbqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gejopl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgflcifg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nagiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogcnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpcecb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfodeohd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlgepanl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimqajgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpode32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfeljd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqqpck32.dll"	Fbgihaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igajal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipoheakj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffnknafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdcghbo.dll"	Jgmjmjnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnikd32.dll"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll"	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbalopbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfodeohd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gihgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efeihb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocopa32.dll"	Eejeiocj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdaklmfn.dll"	Fflohaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kofkbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkccgodj.dll"	Ffqhcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll"	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglkdbfn.dll"	Fmkqpkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iibccgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll"	Npiiffqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncqlkemc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmkqpkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll"	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqfpckhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll"	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicpnnio.dll"	92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4aN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3948	4888	92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4aN.exe	83
PID 4888 wrote to memory of 3948	4888	92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4aN.exe	83
PID 4888 wrote to memory of 3948	4888	92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4aN.exe	83
PID 3948 wrote to memory of 3092	3948	Ddnfmqng.exe	85
PID 3948 wrote to memory of 3092	3948	Ddnfmqng.exe	85
PID 3948 wrote to memory of 3092	3948	Ddnfmqng.exe	85
PID 3092 wrote to memory of 2672	3092	Dkhnjk32.exe	86
PID 3092 wrote to memory of 2672	3092	Dkhnjk32.exe	86
PID 3092 wrote to memory of 2672	3092	Dkhnjk32.exe	86
PID 2672 wrote to memory of 3076	2672	Dfnbgc32.exe	88
PID 2672 wrote to memory of 3076	2672	Dfnbgc32.exe	88
PID 2672 wrote to memory of 3076	2672	Dfnbgc32.exe	88
PID 3076 wrote to memory of 2764	3076	Emhkdmlg.exe	89
PID 3076 wrote to memory of 2764	3076	Emhkdmlg.exe	89
PID 3076 wrote to memory of 2764	3076	Emhkdmlg.exe	89
PID 2764 wrote to memory of 4948	2764	Enigke32.exe	90
PID 2764 wrote to memory of 4948	2764	Enigke32.exe	90
PID 2764 wrote to memory of 4948	2764	Enigke32.exe	90
PID 4948 wrote to memory of 464	4948	Ekmhejao.exe	91
PID 4948 wrote to memory of 464	4948	Ekmhejao.exe	91
PID 4948 wrote to memory of 464	4948	Ekmhejao.exe	91
PID 464 wrote to memory of 524	464	Eeelnp32.exe	93
PID 464 wrote to memory of 524	464	Eeelnp32.exe	93
PID 464 wrote to memory of 524	464	Eeelnp32.exe	93
PID 524 wrote to memory of 2452	524	Eokqkh32.exe	94
PID 524 wrote to memory of 2452	524	Eokqkh32.exe	94
PID 524 wrote to memory of 2452	524	Eokqkh32.exe	94
PID 2452 wrote to memory of 3576	2452	Efeihb32.exe	95
PID 2452 wrote to memory of 3576	2452	Efeihb32.exe	95
PID 2452 wrote to memory of 3576	2452	Efeihb32.exe	95
PID 3576 wrote to memory of 3724	3576	Epmmqheb.exe	96
PID 3576 wrote to memory of 3724	3576	Epmmqheb.exe	96
PID 3576 wrote to memory of 3724	3576	Epmmqheb.exe	96
PID 3724 wrote to memory of 4996	3724	Eejeiocj.exe	97
PID 3724 wrote to memory of 4996	3724	Eejeiocj.exe	97
PID 3724 wrote to memory of 4996	3724	Eejeiocj.exe	97
PID 4996 wrote to memory of 3944	4996	Ebnfbcbc.exe	98
PID 4996 wrote to memory of 3944	4996	Ebnfbcbc.exe	98
PID 4996 wrote to memory of 3944	4996	Ebnfbcbc.exe	98
PID 3944 wrote to memory of 3208	3944	Flfkkhid.exe	99
PID 3944 wrote to memory of 3208	3944	Flfkkhid.exe	99
PID 3944 wrote to memory of 3208	3944	Flfkkhid.exe	99
PID 3208 wrote to memory of 772	3208	Fflohaij.exe	100
PID 3208 wrote to memory of 772	3208	Fflohaij.exe	100
PID 3208 wrote to memory of 772	3208	Fflohaij.exe	100
PID 772 wrote to memory of 1472	772	Fligqhga.exe	101
PID 772 wrote to memory of 1472	772	Fligqhga.exe	101
PID 772 wrote to memory of 1472	772	Fligqhga.exe	101
PID 1472 wrote to memory of 4568	1472	Ffnknafg.exe	102
PID 1472 wrote to memory of 4568	1472	Ffnknafg.exe	102
PID 1472 wrote to memory of 4568	1472	Ffnknafg.exe	102
PID 4568 wrote to memory of 3200	4568	Fmhdkknd.exe	103
PID 4568 wrote to memory of 3200	4568	Fmhdkknd.exe	103
PID 4568 wrote to memory of 3200	4568	Fmhdkknd.exe	103
PID 3200 wrote to memory of 4400	3200	Ffqhcq32.exe	104
PID 3200 wrote to memory of 4400	3200	Ffqhcq32.exe	104
PID 3200 wrote to memory of 4400	3200	Ffqhcq32.exe	104
PID 4400 wrote to memory of 3004	4400	Fmkqpkla.exe	105
PID 4400 wrote to memory of 3004	4400	Fmkqpkla.exe	105
PID 4400 wrote to memory of 3004	4400	Fmkqpkla.exe	105
PID 3004 wrote to memory of 440	3004	Fnlmhc32.exe	106
PID 3004 wrote to memory of 440	3004	Fnlmhc32.exe	106
PID 3004 wrote to memory of 440	3004	Fnlmhc32.exe	106
PID 440 wrote to memory of 3088	440	Fbgihaji.exe	107

C:\Users\Admin\AppData\Local\Temp\92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4aN.exe
"C:\Users\Admin\AppData\Local\Temp\92572887012cd0ec694f148bbc5096299883d8d1f5dab33185022df8a20ebd4aN.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\Ddnfmqng.exe
  C:\Windows\system32\Ddnfmqng.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\Dkhnjk32.exe
    C:\Windows\system32\Dkhnjk32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\SysWOW64\Dfnbgc32.exe
      C:\Windows\system32\Dfnbgc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
      - C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        33⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        39⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        43⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        59⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:844
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        68⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        69⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        70⤵
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        71⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        74⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        75⤵
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        76⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        77⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        79⤵
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        80⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        83⤵
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4876
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        86⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        87⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:736
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        89⤵
        
        PID:416
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        90⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        92⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        93⤵
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2152
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        95⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        96⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        103⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        104⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        105⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        106⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        107⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        111⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        118⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        120⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        121⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        126⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        127⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        130⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        132⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        136⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        138⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1600
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        144⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        146⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        147⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        150⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1960
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        156⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        157⤵
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        158⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        159⤵
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        162⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        164⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        165⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        168⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        169⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        173⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        176⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        177⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        179⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        180⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6764
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        182⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        183⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6844 -s 408
        184⤵
        Program crash
        
        PID:6972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6844 -ip 6844
1⤵
PID:6912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
176KB

MD5
90e5886e92dba2e461f29c92e7277baf

SHA1
0655eaa6a7af79a670d88b58538f566bf54ac532

SHA256
0809a12ec89492cf0c6bec044e51a2c8ab38af8e46a34fa693be158b1efeb9ac

SHA512
b9b51f114c8c94e2346b541373974993da8fc29a9e77d27bc3be525bacf4199d20d9eb0099ce538027457ee96ba092d63504312dbce9e89dfc9874105390e61b

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
176KB

MD5
90e1606c5f9c450da9763b1916030f8f

SHA1
3d1a00722481856b065390afef840b9a3a9a86aa

SHA256
7a0ad283bac615cd883130c069d51a287534331efed1250af5a407e7fa781653

SHA512
a83f683f8bedb9eadcb65f24ccef86e6064814649210a5e28b490f1a53087da9bc5c9a46ccdf4cb278416eb267961830246da22ee698e19e93a39a89c854858b

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
176KB

MD5
b39da11a6f21d165b1e424eefc4e8227

SHA1
e1f8acb9d385ca53cef436b2112a90ec600ea38a

SHA256
760031b02d14574d450528b4bb2838eacf732bfdd1612438753d51292a42d033

SHA512
a719e3d18599c4931db72e5c5dd6c10529b13b479d26782a93c236ad70e5758ff3153766741f7a6c701fbe9a0123f779639bae11c24c85f85e3498f7bd0aa9ab

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
176KB

MD5
3de8bd21419c1c9ae6b7efd3db6654cc

SHA1
88f505cce0d0c0cf2adaca1f553ef798fed9f206

SHA256
ebab0bed9a7aacd5c53112ca0a48f6b2f17f14090bef514accce6a7b04cd9baf

SHA512
66d6f10d1a74c56df9cbccc0b7e9874189dbaecfbae6245bb14430aa0efd531b157e77eaf117a46fa5cfcffa5f38b0083683a25f76d5a733258940ce2c4d4861

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
176KB

MD5
24e5f63fdf28b06ff667aa85cf47502e

SHA1
403bdc207add6eb98a711ed81e331bd5d4e1ec3d

SHA256
69491ef5426e30ce4384f4e217c896355a61dd9084fcccf1507e69b7e90aab4c

SHA512
b8e4908c186251b9fd47e4e31dd9bfdb66e28b9cbb36b731a9942994496d69aef76b73dde6c9c7b7ac99a00b444c5ffe3e386507ae97de531e4d4b5c7aebb27c

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
176KB

MD5
ef11a3073d45d35315cdd896e63adf46

SHA1
eda23542c4677588be8aed63a85f1f3b7eee0891

SHA256
a96a75562ac7e92a483fecaf92bb00d47001f9cc222c996e01c0969626835984

SHA512
9fcf97e43d14a82c6bcc7b88e3fae266a632288a532d7dc227c9ff27ada0ebd0667983737948889b97c0a2857be2c3c3e0fbeac16751e6b7cfb41c818a3938c9

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
176KB

MD5
293702ed0600a62a9c151758401d826c

SHA1
e036668007f4c6dcbd9ff52cfade136e93bfba50

SHA256
4924fd7d1d921ec71e1d7cc87295e690a13bd188df80dc611aefeb2ee5d6c083

SHA512
a99772dda2a053c0f029e873e9334104a6769ebe242d9a2abe6c38c5d23f464d69abbd978876ed766c6eb5202dfc04f83aa78fc538b751f5d9f289314902c243

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
176KB

MD5
d7a013306f3edfcc7d0450780a86fe6d

SHA1
4845dfc8eca8a32329985a69b6c7be607f8342f3

SHA256
d9ff63e0c4176efd6b46ce8acf414cdb1d1059aa4ef4431965a89266205bfd91

SHA512
4e571e891bd3d179feeb7d6128c2f3a35ae1f3deded83fe4d91b92250bff46a512dc08f85823db45f74a02cd90de2a7f9af73c152364def9b3a48d0da7562c88

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
176KB

MD5
de305995b36132884f7681c5e5bc69c6

SHA1
382880fff0ef12dfdab31fb2891e7ee2349541c6

SHA256
e8f00438f60ebb636d03e3da9903bc10f161bfcf90785da19e251b6ec4eb42a0

SHA512
bf8ee0754ae3321fcc9cbf6dc14383c649461ee69d641b8049231ba348cd56c917617cd89ec89229683ac72d1e706379020fcf033c3a6f5ffc975b49b5cd3893

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
176KB

MD5
7c4dcc392bc79810b1cb262108a8b1fe

SHA1
d241cbd315b835deb858ec9141c79f1f26ee4b3d

SHA256
3d4d6054be299f246351841833d9fcd1f3eab889392d74c55d0ee6a0d772b0ce

SHA512
afa3b80155baaf5af07eaf341d9cc6f4c28d6e2435c0c57792231271dcb28938a8eb8162a0ae2ef9588b59e50d1bd07b3f79a7f4ad364d155d42bfcb33567cb4

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
176KB

MD5
6ecfad6b2aa5816ebffcc51ab2f3b71a

SHA1
cbe21538c86f2ec78ef4625cfb5704dae494bfb4

SHA256
ab5ec843d6f7d1f7ebe815907ce3f160f14de3646ce841edccff8997cd950d05

SHA512
bfd8406a57813be85dc18d4a4e3ec23f54b71ea49507e071a347c6725ff55f3ea93b83e4f48979a2cc2915c3d98ee2d24cd53bd485fb9fb7574915e384fd781f

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
176KB

MD5
ee734865e9ca0123882b0382209829c3

SHA1
f40a4022ab11c6cbc6ebdecc633ead7814fa7c1e

SHA256
485a0ad3986c3304cf9246bedc3d8c2a575fdba29e40b59e40feb80e3eccf01e

SHA512
44fe0e25fdfa8a5bd00f350e487560263cbff9ddd96211de9fd57e72251d7b40132cfeb2601816cb61fecddbfc0af84dbbb01adb584be1ebaa75c02a2c7ceeeb

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
176KB

MD5
eba8cad9f288630aa3ea6d887005bef2

SHA1
7f536f8c0344711efed0e3b5f3f073f03fccee53

SHA256
d82282613001b6af18189f37bf07da6e7ff5a35d9c9f8c745368127c5ff6855f

SHA512
b459523a66c5cab7f792049f7c35fe232fc32235bc85c852483f302473e86b1e4ae8ddeeec70223cb7d64b6c0dee0aba8cefb16624955a54c24c80799a8a134b

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
176KB

MD5
56641f18f0e77f8435578f9d3434bd0b

SHA1
60ef13888f448b580a0c53a6315e830c1ba1d497

SHA256
e6318f8177ac8100be04b0e95f21dfead2586963ec39a30a49dee994d393c635

SHA512
5faa2157ed7205822665b11815854fb9a6d25829436845eda46657f7d1cf95c5a44acf92809e460879bc77dadebf44aad19c3adf8330db3f7e728982b98865a9

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
176KB

MD5
e80eca1d253346ad401ab48466372ae9

SHA1
57da84642b4e26d62009dd8e1bd8ec35683c13b7

SHA256
a29c57362c05ccaacf154c5034112f6bc107ab3afa5c987ea4786861dad01963

SHA512
c45f3fa483120d908853d133b2c06dfec4e3cf28d00d8b8d72b21331ef2a6fd79af9eee550c99bd274d4f9e44e98d32ba78900b2879d0736a44e10016121bff1

Download Submit
C:\Windows\SysWOW64\Eokqkh32.exe

Filesize
176KB

MD5
18ec369bc94512ace55718cf4e4c759a

SHA1
344bdc223a0d212a10310c5def00f2b414801600

SHA256
4b57731c2fa7fa08f763546f1f24efcfb1f1991af377b104d57f5e4517f21bcf

SHA512
8824332d6fc133bdd54e4531f4174564388fd792ccdebfcee97322e500b77e38bcd0cf202b5ebc3f934af875786c9e39935c6eee4a4426037114e2219e8e9ad7

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
176KB

MD5
9eea6a0262cd612cf84cae8298b8e8b8

SHA1
2c66ae4d2541cb9c9cb687a520d6d6fd3f65725b

SHA256
2f69ca04b38ff60046ed50abd4439cca32fa75e9f2d3efee56fda8b640be0335

SHA512
80204fecba41f63b19c325bd847b6e1d776dc2378165229d74f39ed45449bfe62fe0a074a9b9bfe3e07fd3d7aee46f3be6da8d0ec1ce31711736b950042af8ce

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
176KB

MD5
1805f28cb015b2cb72a94afdff6fcf5f

SHA1
e53a13a5159f70329a6ade63eac46ba5cca1a312

SHA256
4aa31e4b05ac547f93808512078226e1b525a84f4137263658fcb9f3637c3609

SHA512
435d57b7631865351527dc069211967ac1d687362ffe313467595db8a1bade2e32bdfb2bb58465687e0a0ba4bb07ced2424207f95af40031d64fb4e502971c47

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
176KB

MD5
81223f8b983eb533e768d4f33fe6025f

SHA1
8c93cab684ba6786e5968058c2533294e55198c8

SHA256
d2efb0c8e295c5b1a99ef466544f4835312361d578758f1ff0459439338a3e6d

SHA512
d0c9cbdaf3bb9895e8c3d0c62d78a6127f9ec08eefad2564a718083d6860c81e0aab90623a77c19afc1f57c7fbccf84af04da39e977411812a933749a0c62e0b

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe

Filesize
176KB

MD5
756b79e59c70ef1dc40253da49ecb407

SHA1
7ca5e4ed495b189565b43980f9b86c954442f957

SHA256
0df80992de41c1312d19547352a01e190ff2c3543ea2b4b0d7ff802c9efb79cc

SHA512
a52bb1366cd48066c92e176309c5b10f0ea5e7a2994394735bcf82d2065ee02df38e36c30529a467a8ccc4775cdb10d3403ae6eba435ea0810b1226570973b3b

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
176KB

MD5
fc526f31f3403ee96fbed0d613c339ec

SHA1
e38c747e4d92922209aa598058a10c08845aa30a

SHA256
1915c73e44ed7363131082e95434d5d2c91ca51b7454b1dfac30156de1d3713a

SHA512
6aa671a4fcd2d648025d2c31b937c0dd5d0e5a42f60103a6516a0368811a33ef99fcd20829149548bbd673009d2decea9a4b6ffc5f7954f3508dd685b7e4f901

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
176KB

MD5
18f836a52759e3744219e4e595dbfbf0

SHA1
afff6ef8bf84647664bdf55b99952d4e2cfb220b

SHA256
e3cad3d3b6be6f9e9773e54a19b58a1dd5f6693c3438e4c72fb2bf95d360973d

SHA512
2fa340f46e814e97aa4f4adce013bf3d886eccf26c053559d6762dc98866b31a59ef0c63cae88901bd01745d37700d743ef9c0837e158a0317a526e2349997e0

Download Submit
C:\Windows\SysWOW64\Fligqhga.exe

Filesize
176KB

MD5
dbe6cbc8c253e58049eed9ef86e8db02

SHA1
de9013085cc64ce282036cb98a00c8bc63de6733

SHA256
c35eba13d2d7beb651203fd749a1302a06f5c4516aace19015bdb25f5ec1cf62

SHA512
62d3b5ae886600af521c5d85a38f3706e2d23108bb63bfab1ddf1700e081058363bba368805da22e14fc47b2cd82bf1342e7f23f1a91e4ffdb1b602192c6f9fc

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
176KB

MD5
35868e8554cb4f5e94dc3e01ee61a83b

SHA1
3d75cb3b37bbc624d6180f59342e25edb418bf78

SHA256
6acae1bc1053bfdd608ae6419888b3bc4f7bbf69c7d893ebf189eb40dd4e9311

SHA512
91c56f5614e6e4d93bd8bbac0aed35595e0b8bf78b79b4114d53d49c271835732cea7b0d7821afd5d7726c1c99badb29e2f22e1a36502c05a478e62b09100f02

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
176KB

MD5
5d73459d6c6fb780c2499f6504327f69

SHA1
ba2e16355a95cac5ab3d11f62a98a5f5b9040a60

SHA256
c92d643e690b470a15ad9a514c7d20588bede7d1657bceb0dec2636ab0cecc38

SHA512
9cf2bcdd51c41b874ebc1d58c158098f82772241ca243a4f2bef2e8dbfb5bd7568afc450ff2995b0e412b9255eed0395c0c6664ed39a13261caa6e4b38e0a986

Download Submit
C:\Windows\SysWOW64\Fnlmhc32.exe

Filesize
176KB

MD5
9b934bc6f4fc833cb36120b9abe35c2f

SHA1
afbd20973f5b22ed9a3ce6c43f2f6ce05885daff

SHA256
76ab42a7a77d162a5b8403fd56616d54c0a29b33c9c4354dd41f1e81e7f77ddd

SHA512
b37b62b73635945da8d45b4d3a3ace0df6e55e3063719af87b4a37d8df516d471c8c3d28c28c20f1484895c02d8e4ce859b9f370e33421775aa403b26776e71d

Download Submit
C:\Windows\SysWOW64\Gbalopbn.exe

Filesize
176KB

MD5
df019fcedbcd5a1aafe20651b39d5864

SHA1
ae7bbe54372ac6b39ff39a558da99f5da4224162

SHA256
1b6d696fbcbbe2a05e350c8b1dfa9bfc8aa06374df560a89deda9ff603dff630

SHA512
dc6e3010adcb67a18bed655132acba2cc7cc31263cbfba55fa19e5519ff3bab9e621a21cb86dd321396d7de154da5ed91835a99894ca869362ae4c9d4b5f04d8

Download Submit
C:\Windows\SysWOW64\Gejopl32.exe

Filesize
176KB

MD5
b6b5076c2a3555a9a634db002c2d99c4

SHA1
d57cedd5696d00f095c9db0683bb8ba1cfae7f4d

SHA256
48d4d50d4ba0df5042fbd0f56d33c0ce2efcf9e6f00842fd37ea92f283763aad

SHA512
1ed936414631081c67086bb2df065d011f158608468ef221a1166f947055cf074af620056eeb93078cbe909bf7a608d830a6bd09285d2c55ff59aff3e9c6ee7b

Download Submit
C:\Windows\SysWOW64\Geohklaa.exe

Filesize
176KB

MD5
8e1cdc824e3871e6e28120ce4d5b0fdb

SHA1
1975a872a1298a4e675a301309aa14f2a3ab759f

SHA256
8f85912956d768902b96d439d67f6f374a7dfc674cd2545644c5d92ced40c8ae

SHA512
3d77efea154a97bd1c1706c83e707a5a7f5af0102168073fce9fe96a4eecdd171fa0163871505378f50fbb8f2189f974406e8f89f1c6bc96afefd8a640390bf4

Download Submit
C:\Windows\SysWOW64\Gfeaopqo.exe

Filesize
176KB

MD5
62b1a3aee803073bf54c070707c922f0

SHA1
8d1577d99f81088dbd3c87b8998f4d70203d235e

SHA256
6a577f1a16c6fc3a1b6a2252bfaddb22cf1e8c2534921468c114a956ee22551c

SHA512
77734b6266b9fb5b89bd58cddfeecf3c7540e3aafdd7ec4aab2bf195c4a83495e900d741891082abd72338339ef59a1589a18ee0ebd45e5734add2045fa329a8

Download Submit
C:\Windows\SysWOW64\Gfjkjo32.exe

Filesize
176KB

MD5
bde83fb09e1895e6f93333d4a1bb9f7b

SHA1
b58d8b23363410d7cc39b0dc75a428efe722e135

SHA256
327c35c2a3068b53f06a39e02043c964b70f6682db446bbefe20fdecf147c8ff

SHA512
95d3cad85f460d8bd2fc014b3b74f50adaf40a4a87d4879c10d4e37cc77814c4032aba045dfed2eb970d50b7eb44685689c1aac57c5b770a35dd5313a8d84b10

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
176KB

MD5
243c6f372ca830a64614c97e865e3f53

SHA1
14fb389edabd5a0271000a0b4b92b5c039d82f0b

SHA256
cc35c8ee0ea34cc0b5f43da05a5dafeb6484bb47cfbee1b601e4ee275469f26d

SHA512
b1bd9ec2169e97d0f4ae9289d05ca9bc7e7e92a2d3ec2f5e769c92899e9f3a4334678f6cbb6f5931c1e31a62215bc75900766009723fa81d24f9a39ab54aacd4

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
176KB

MD5
3b747cf0b265d33bce2c956318ed80a3

SHA1
afcf08658405b4eee5f0af18d9ee79d5e3debe1a

SHA256
69c355395653e54580acc4d82f223bc63ab0c609a1ac17ec5cabfa75e217ef62

SHA512
6b109900399dd8b574db24f16240f8ffe444fa846611e4657d2367ce2ac58bf5a9440704187a3099251c695b6e4057a746c32d41aaee4c259d81961e7f376c5b

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
176KB

MD5
a66b8cf59023b60d226069ac846144c2

SHA1
1eaa488857d6e3e8aded8f332dcb65eaff5e4ada

SHA256
2465b0cf913d9c894e7a225d72a3eec5226f1d123889e167d7303c677b48c6ed

SHA512
3d3a0aeca3e87481ada42fd8b240de80d12ea512d2f874620b508f9d3a8ff0464cdbab01f74077655830035189ad8a945c015118cbe088276faf3daaac9cb394

Download Submit
C:\Windows\SysWOW64\Gmdcfidg.exe

Filesize
176KB

MD5
9102879d042b061c1b9d59cdf020f9b8

SHA1
407e9a8c3be6aa35ab25353575862dbdcfcfc622

SHA256
2354e24baa028860d3d1324cb2785b8b00c2c4f03117994825d183b6da4cc69c

SHA512
b15895212de1e96694ea59a3bb63d0ef797e5f61098c0173981dfb7690a14c75ac64eccd2f1ec6453d15f0e0e47a925e68e960002bcdc719356d2efccfdc71c5

Download Submit
C:\Windows\SysWOW64\Gmfplibd.exe

Filesize
176KB

MD5
ee717c69cc97307da1dc56ea686f15c6

SHA1
b79a7bf9253ff7c8584a2b03ee4f44dd8f6c6dcc

SHA256
a06ce7640d3bd88b2460b118f1908bbc865085837ee6ebc6d052dcae724ca151

SHA512
fa25abc55f7d5e7c92fd5a6dfae152e932f197f73e3d716de9e69f3f28971645d5a2caa675f459f2450d75b7fb1795f3d93973b4c35c1fff6f1fd6bb06ee84fb

Download Submit
C:\Windows\SysWOW64\Gnepna32.exe

Filesize
176KB

MD5
340a8317be752fe869f6c68f2aa5e029

SHA1
36f2cab4d5b4b754bf321064ff6742bfca18aa28

SHA256
b6212dd2203113f3c0efd6c7a3e98354cb36c48c084e221f90d3d80759761d71

SHA512
10438290e0f5e30269edc02a66af377d2f3d9e9d5c53c8b04deb39190c53f9fb84b4833079b6e7e4811aeb161aa8c4c190b5fc302bd7a78ecfdc7b968676a454

Download Submit
C:\Windows\SysWOW64\Ibhkfm32.exe

Filesize
176KB

MD5
d2142434d5da83cdd980cebc9f05dd41

SHA1
7c9c5edd5ee765ee17fe843329d9f4b9de10fb2e

SHA256
08fa6da8fecfbdac6ddeadc3928615c8dc2fb5eb0c8a3dcedd9b14de5578b31d

SHA512
acfa38dbb42b60539ce1f0b9a08237826287d223a6a91df8e22bb67eb66c1c9cb507bf07ab7251d0f2403f045a9a67f5244e5944896677013e09cf6bbca924af

Download Submit
C:\Windows\SysWOW64\Iebngial.exe

Filesize
176KB

MD5
788733a6fb17291df72414df7c7e11a3

SHA1
b93bcb62091d313fc50819a3684b526cef337829

SHA256
5e55acd34db416fcd8597556b7d166f8534a14df698ad2e215c950a6a084a4fd

SHA512
857e4296ca5e5b2167c9958dd9a83ae8d262418cc4b940b6d144cfa38d4dbb8e6a51e8acda0fbd64a45f20efa3e23fe00d2893e08b99754086601b5682d778f9

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
176KB

MD5
cc57fe6fd1ca26f413dd701be6e24246

SHA1
3f4aacb3791d440cfaf4c49b8b09d6c2646f994c

SHA256
ce2c2fc2b5362335fc991074afee7c3765442b7db4682b6c2b255f6c0821e8b4

SHA512
edca73a051187afc4a90ba025d19f66f74b26a605eca27bd5a38c66d5d2937bda0931e2ac0274de31aa58cbd54f5ac7f5172befe9be7e3017cdd1b56cf867350

Download Submit
C:\Windows\SysWOW64\Lcnfohmi.exe

Filesize
176KB

MD5
bb81f43b1f6832a45e15ae35c3e8d987

SHA1
e88ebebe1bfa412ad5658b2e898fbc328bdc61ed

SHA256
0583439e92e7956bb65ce87ffa37799e0f439d442715e110773f5323457fa41b

SHA512
8d114242d08cdd70ab2222c01349e78ba90caa12e8e927e2c115487e63f07dfb042257bc0cc392bf0f5b5b73d4962a34dd30b6666ba38ad74ed784a295baa96f

Download Submit
C:\Windows\SysWOW64\Lqhdbm32.exe

Filesize
176KB

MD5
aa619553aa64d53aaf70d9d26ad43fa5

SHA1
3ac66eb4e82cbbf2c6e2c4205f42b3a36cc307bb

SHA256
b2f1b8395ba91c29d4c0f8962e248bd1eee4c4001c56e7f68647c41ef8f5cf0e

SHA512
c7d1c9f7210e37de97a54773cbd9acf9e10e47715a0859051d3199264f45ce8ed5dff1aefd9ad3a18b5315c08a2064adea71dea11d1387d6fa21746fbcecbdbb

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
176KB

MD5
0e7681c22fc3b042025c9465d0f62186

SHA1
d69efc3f9577f7d39b1d4bec3090a111da8d5efd

SHA256
506101aef8c4053e60a9c321beca939f2040c9aa85c6ee5d2523b70873ae5c09

SHA512
19ea84976506fc57424208b600f1ecb72a3635f1b24b3514c1e0f2c430c593592c95d9adf092fa85e135fb73fb5f0fc48194256c266b2543e3c8d5e7675ab82f

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
176KB

MD5
0155ffe51e05464574a332103f0c0f47

SHA1
da9f9d4c6a25b31d9bbfaa725435c5bbfd459ebe

SHA256
f893d871f9548bc3ce016d93c58bc8c913d46e80bf8ac5a6eb4b256cc19a0bf5

SHA512
f4d692ecb116a9cb3543f1275734e0897d198038f7b21a1cfe0d552f2c716219136920a84d8e9c9b8bb1dad520437268a8dbbf2102f8b33e0eacdb6755a01879

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
176KB

MD5
0b0d5ae779b92e1b9226fc21e80dd613

SHA1
45ddf95c1fc6de5070e135b51f0f3aa7c1de6c2b

SHA256
79d4c3509b3892419085e76c8954b206ffaabff0d9906e7b8fef0af88ef1e23e

SHA512
61e0a27356dd9bb1c3136e3e5a1fcf30abf58c3abfcb9eb7d601509f0a7dc66b6654ad57b1c35b544dd6cb16a9d0cc0f258a62b2486d88129c847f15e3a43395

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
176KB

MD5
50e2a5648cb6b2faf16d364882735105

SHA1
609996e65d26702c5729a8e064062aa4db5f7244

SHA256
175952d0b77e500335eff6cef3b7b4c08373fed507145d035c102d922de27675

SHA512
5801fd48dbb3dc138dab937f316888483fc35640dfcdf69dbe9d99947ac8f33e51eeec3d58199d243b16cb769dc459ff829903be455c002c338eeb2e0a8ca275

Download Submit
memory/416-589-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-213-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/436-516-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/440-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/524-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/620-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-522-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/820-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/844-456-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1200-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1300-528-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1372-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-609-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-540-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1976-602-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-498-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2452-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2492-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-510-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2556-462-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2764-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3000-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3004-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3076-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3088-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-608-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3172-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3200-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3208-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3236-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3420-570-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3568-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3576-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3724-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3752-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3756-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3820-480-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-601-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3976-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4052-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4156-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4176-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4260-576-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4604-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4672-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4728-595-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4852-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-492-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-564-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4884-450-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4912-504-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-534-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4996-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-474-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads