berbew | b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe
Size

74KB
MD5

539abfc9eb1fcf9ec3b9164321f1f65d
SHA1

c00771de0d618ccb8182310c2c6567422b729b79
SHA256

b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79
SHA512

ec85a2a49c689c9d2217066e3a6e0f11cecd73404c6805665570ed42dc7f4809a451e399effea5fac661def440a6368cabff4a640d531da5eabddcacb63d978b
SSDEEP

1536:+RHqBWrnqOaC7HjS8YEUTG9IOJEx4+KhSeh7oR1MOcefLffTTT4W7t9x:+RHhXaCjjS8z8G9I/KhS6761M0fLffT5

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3416	Jlnnmb32.exe
4848	Jfcbjk32.exe
3424	Jianff32.exe
3292	Jplfcpin.exe
1072	Jbjcolha.exe
1512	Jmpgldhg.exe
4208	Jpnchp32.exe
2308	Jcioiood.exe
3300	Jeklag32.exe
2508	Jmbdbd32.exe
3888	Jlednamo.exe
4424	Kboljk32.exe
4300	Kiidgeki.exe
2040	Klgqcqkl.exe
3212	Kdnidn32.exe
2460	Kbaipkbi.exe
5036	Kmfmmcbo.exe
2796	Kpeiioac.exe
1412	Kbceejpf.exe
4320	Kbfbkj32.exe
1568	Kplpjn32.exe
4804	Leihbeib.exe
1392	Lpnlpnih.exe
2728	Lfhdlh32.exe
2512	Lmbmibhb.exe
1640	Ldleel32.exe
3996	Liimncmf.exe
4280	Llgjjnlj.exe
4732	Lbabgh32.exe
4884	Likjcbkc.exe
4052	Lpebpm32.exe
4820	Lgokmgjm.exe
232	Lmiciaaj.exe
1804	Mdckfk32.exe
1588	Medgncoe.exe
1508	Mipcob32.exe
1668	Mmlpoqpg.exe
2636	Mdehlk32.exe
992	Mmnldp32.exe
2136	Mplhql32.exe
1792	Mgfqmfde.exe
1208	Miemjaci.exe
4564	Mlcifmbl.exe
1952	Mcmabg32.exe
1120	Mmbfpp32.exe
2740	Mpablkhc.exe
2656	Mgkjhe32.exe
1448	Miifeq32.exe
1516	Mlhbal32.exe
1612	Ndokbi32.exe
2528	Ngmgne32.exe
1972	Nngokoej.exe
8	Npfkgjdn.exe
2868	Ncdgcf32.exe
3132	Nebdoa32.exe
4336	Nlmllkja.exe
2472	Nphhmj32.exe
4524	Ngbpidjh.exe
1356	Njqmepik.exe
4284	Nnlhfn32.exe
2424	Ndfqbhia.exe
1144	Ngdmod32.exe
3788	Njciko32.exe
1180	Nlaegk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Jlnnmb32.exe	b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Mjddiqoc.dll	Jfcbjk32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Jeklag32.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbdbd32.exe	Jeklag32.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	Jlednamo.exe
File created	C:\Windows\SysWOW64\Mipcob32.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Bhaomhld.dll	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5252	5964	WerFault.exe	236

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnnmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnaabfm.dll"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaheeaan.dll"	b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3416	4676	b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe	85
PID 4676 wrote to memory of 3416	4676	b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe	85
PID 4676 wrote to memory of 3416	4676	b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe	85
PID 3416 wrote to memory of 4848	3416	Jlnnmb32.exe	86
PID 3416 wrote to memory of 4848	3416	Jlnnmb32.exe	86
PID 3416 wrote to memory of 4848	3416	Jlnnmb32.exe	86
PID 4848 wrote to memory of 3424	4848	Jfcbjk32.exe	87
PID 4848 wrote to memory of 3424	4848	Jfcbjk32.exe	87
PID 4848 wrote to memory of 3424	4848	Jfcbjk32.exe	87
PID 3424 wrote to memory of 3292	3424	Jianff32.exe	88
PID 3424 wrote to memory of 3292	3424	Jianff32.exe	88
PID 3424 wrote to memory of 3292	3424	Jianff32.exe	88
PID 3292 wrote to memory of 1072	3292	Jplfcpin.exe	89
PID 3292 wrote to memory of 1072	3292	Jplfcpin.exe	89
PID 3292 wrote to memory of 1072	3292	Jplfcpin.exe	89
PID 1072 wrote to memory of 1512	1072	Jbjcolha.exe	90
PID 1072 wrote to memory of 1512	1072	Jbjcolha.exe	90
PID 1072 wrote to memory of 1512	1072	Jbjcolha.exe	90
PID 1512 wrote to memory of 4208	1512	Jmpgldhg.exe	92
PID 1512 wrote to memory of 4208	1512	Jmpgldhg.exe	92
PID 1512 wrote to memory of 4208	1512	Jmpgldhg.exe	92
PID 4208 wrote to memory of 2308	4208	Jpnchp32.exe	93
PID 4208 wrote to memory of 2308	4208	Jpnchp32.exe	93
PID 4208 wrote to memory of 2308	4208	Jpnchp32.exe	93
PID 2308 wrote to memory of 3300	2308	Jcioiood.exe	94
PID 2308 wrote to memory of 3300	2308	Jcioiood.exe	94
PID 2308 wrote to memory of 3300	2308	Jcioiood.exe	94
PID 3300 wrote to memory of 2508	3300	Jeklag32.exe	95
PID 3300 wrote to memory of 2508	3300	Jeklag32.exe	95
PID 3300 wrote to memory of 2508	3300	Jeklag32.exe	95
PID 2508 wrote to memory of 3888	2508	Jmbdbd32.exe	96
PID 2508 wrote to memory of 3888	2508	Jmbdbd32.exe	96
PID 2508 wrote to memory of 3888	2508	Jmbdbd32.exe	96
PID 3888 wrote to memory of 4424	3888	Jlednamo.exe	97
PID 3888 wrote to memory of 4424	3888	Jlednamo.exe	97
PID 3888 wrote to memory of 4424	3888	Jlednamo.exe	97
PID 4424 wrote to memory of 4300	4424	Kboljk32.exe	98
PID 4424 wrote to memory of 4300	4424	Kboljk32.exe	98
PID 4424 wrote to memory of 4300	4424	Kboljk32.exe	98
PID 4300 wrote to memory of 2040	4300	Kiidgeki.exe	99
PID 4300 wrote to memory of 2040	4300	Kiidgeki.exe	99
PID 4300 wrote to memory of 2040	4300	Kiidgeki.exe	99
PID 2040 wrote to memory of 3212	2040	Klgqcqkl.exe	100
PID 2040 wrote to memory of 3212	2040	Klgqcqkl.exe	100
PID 2040 wrote to memory of 3212	2040	Klgqcqkl.exe	100
PID 3212 wrote to memory of 2460	3212	Kdnidn32.exe	101
PID 3212 wrote to memory of 2460	3212	Kdnidn32.exe	101
PID 3212 wrote to memory of 2460	3212	Kdnidn32.exe	101
PID 2460 wrote to memory of 5036	2460	Kbaipkbi.exe	102
PID 2460 wrote to memory of 5036	2460	Kbaipkbi.exe	102
PID 2460 wrote to memory of 5036	2460	Kbaipkbi.exe	102
PID 5036 wrote to memory of 2796	5036	Kmfmmcbo.exe	103
PID 5036 wrote to memory of 2796	5036	Kmfmmcbo.exe	103
PID 5036 wrote to memory of 2796	5036	Kmfmmcbo.exe	103
PID 2796 wrote to memory of 1412	2796	Kpeiioac.exe	104
PID 2796 wrote to memory of 1412	2796	Kpeiioac.exe	104
PID 2796 wrote to memory of 1412	2796	Kpeiioac.exe	104
PID 1412 wrote to memory of 4320	1412	Kbceejpf.exe	105
PID 1412 wrote to memory of 4320	1412	Kbceejpf.exe	105
PID 1412 wrote to memory of 4320	1412	Kbceejpf.exe	105
PID 4320 wrote to memory of 1568	4320	Kbfbkj32.exe	106
PID 4320 wrote to memory of 1568	4320	Kbfbkj32.exe	106
PID 4320 wrote to memory of 1568	4320	Kbfbkj32.exe	106
PID 1568 wrote to memory of 4804	1568	Kplpjn32.exe	107

C:\Users\Admin\AppData\Local\Temp\b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe
"C:\Users\Admin\AppData\Local\Temp\b99249f1ee20f0baa74ddece7e8db0f54c40dfb2825dc848980593716f826b79.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\Jlnnmb32.exe
  C:\Windows\system32\Jlnnmb32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\Jfcbjk32.exe
    C:\Windows\system32\Jfcbjk32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\Jianff32.exe
      C:\Windows\system32\Jianff32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
      - C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        26⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        44⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        48⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        52⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        54⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        62⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        63⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        68⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3488
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        70⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        73⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        76⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4856
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        84⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4352
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        90⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        92⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        95⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        100⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        107⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        112⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        113⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        116⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        122⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        124⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2832
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        136⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        137⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        141⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        143⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        144⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        146⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        150⤵
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        152⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 416
        153⤵
        Program crash
        
        PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5964 -ip 5964
1⤵
PID:5200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
74KB

MD5
20e03d96eeb3f39ec57ae1804d3f4175

SHA1
c8e3e6733731cf9b3fc3ac4284f187645ad3c371

SHA256
080ba65c2726d4605d1f1e9fbe7db70463b8fb20bd946d5c03eb3494ec1698c7

SHA512
399c8792f9227c46c3cc13aaaa2466b3cac692ea9a32c2b64cf2d2c1c4d5909b1383f877a91ba318ec5bf2a4a32b793ea951f996acb02505bb6d539b58cb840e

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
74KB

MD5
05beb9ff530ec7483cb3fc61a27d061b

SHA1
aee8a7706b96f9a40cf9c65fcadabcb6f6748e7e

SHA256
f08f06ea3ad70b407506ff940673bccd85e8c12da903ccff68bb812edb4b2d4d

SHA512
25333f613186eb9633ebaf0a1d00b167698e47afe8d0d67720a7b2f80f842c87095aef4358cc4cf666407f1eefaa3d6a23a02118cf1b1e89e17eacb7d966ec83

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
74KB

MD5
bb4bfce00a1fa7ec58b91844f9aa7942

SHA1
328c928d9de5ffd5c6004aab137fbdf75b259479

SHA256
c22e9b9c279ea2b2a373247875244807181acf5afd32e50c7ef55c8869068c77

SHA512
fe8291d555a532808f555a3feba83c1ef7c090394c649e365deb710cf8918301d515325bf26ee7bd9a941b0a797cc850ce402412fb5f6af515d57b2f12df49c2

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
74KB

MD5
878b0b92b4888959cd04c4de9cc6c88a

SHA1
2bc4747461973994e895ccffd2bcbaf47e92b2f4

SHA256
74cbdac65312704d78ca2c918f49dfb46b40dba3b227d43df46ab609da9edb60

SHA512
9800b0997b0497c9c59092d3f9a0705f8f7b50e252b595a4002fbbe244e63e36a9a30c148f7044cb60bacf5548ffffe39bc4871e30e22a7a756e06c464b72093

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
74KB

MD5
04daf0e2c58bab0d2442392dedb9bfb1

SHA1
0d4bfdfbfb88134beb0b86c357c1c0a674a34915

SHA256
d48bcdd0fe0dadf2a9f35570b21f9af2c9a60712ddc3859f5bbaae2a25fc3344

SHA512
53048dfd0572d89d2c31ba7c6ab38074394922f414d6f3010b26b6e8b6d4008c7aeb7bb60f1f195afdfec667f7ece97117be79e8c9330672ae627d0c605a92b1

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
74KB

MD5
4e88f7f070b505f129e3f306db9ca20a

SHA1
e7a9c9beb254fadd0b0144654c1d846982ce60b6

SHA256
bd8bd2ea286134d599eb9641e9d4e6eff852ea8ca08ad397f622478f020b781d

SHA512
2b295dccceb4cb57dc754233718388b4e47923206da169ba4b99c54173a03b4c8130c60e4931c6e5200711e20a61d417103b627b31d11ea5f88ddc3af16e2d96

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
74KB

MD5
7785cb0b5ba884cfc0e2f0a80c8b1151

SHA1
68e413cf19174e22700992645cb0d3eef54d7431

SHA256
42815f1847937befd2d31e709440fed3550e4b6f839ce81f83f291bda3b2d702

SHA512
baf9edd094bc69aa5fae70ad2b06bdce4d32a5aecd1f55cb7595ec7fbea9e9937402f88674322dd1bcb85d7f4b2e3b00edefd4d10ff11c6bc0e8386c10da9fb3

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
74KB

MD5
04028ebcb3db82d46be6ae1c56e1b01d

SHA1
758367bc6267ca54d69217036c1cb6c567f1877d

SHA256
eaa4eb7bb8ea4bce188845b906656f679266e147d1dfac1537216e1b49c9477d

SHA512
e003b435830a6704bc6ee32df847c469cd364d85d0b51314c337e91751e00cc8573de0d8b4a719d913433893079d5a4cc3ed14827c23c7f4b355e966045b51c8

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
74KB

MD5
948e08a76fa00820abb18930a9427187

SHA1
884ad32993d428f065f123c1acb852f5e8035184

SHA256
d89b111a296bb60d51ee15e4256ab37e82f751b7436366359636d64ff1bc6401

SHA512
79a4ae7372cb1fe8d1601859eebf405629c140c6d68f0f510626fbd5a444795f82bb886d48c3e531da2280df3280b1bdeb1c8438742d31281ca09ea712ca41c3

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
74KB

MD5
e8316cc39d267366cea6dd1f6bab8363

SHA1
abd869f2c40f6648ad204a695ab72c346585c3c8

SHA256
e0d3ee226d726b0fecb5dc2e30c1d6bd71b6f3b85b473670f1fd431cd0da2ab3

SHA512
3368e302f50acf0ecee7879f6935ddec8bb25d0aef6d60bc8b482c901309508d603d6ccc619dd79e34fed37f4e75c0f96bf2625d985e086461de6a0a8169439c

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
74KB

MD5
f6a7a9ace1857861307aeb65d4615bc8

SHA1
4a22d1699a332d90687d761ab8b3d6104c3f8d39

SHA256
4914d873b4459ddd1168f87c88988e0544aa2c733b7d9b368849b7e7bdd549eb

SHA512
9bdb79cddf2ed416c87e34d84316007a04bfd3765bb925f19123d594266d06b4fdcf7058b97ba7d6eb0c64e98a013c78148f11a375c492890aaaba1167a49b16

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
74KB

MD5
f13057b2423eb553a45de09466fede86

SHA1
66a54ecf5ffdb999caa62a77d24659d0017e37bc

SHA256
d8fb36934ad5a146dc4388ea305869a25dce5c26277227339aa49dc5ff9a0a04

SHA512
63040cccd94631bcc3fa137b72d4b4fab57d6e861d20474f93fa2ff95941cbb15311aeebb06e8dcd821966f72c06f74ba57713071bb0ebabf8382f9a4562712f

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
74KB

MD5
ecbc5ba242ab4e0ce7e8332a8dc3c1b6

SHA1
91b7799bc20229144e750ae9f4fc76d6ff0f01ff

SHA256
aae37fe8337d2eced102da201dc0ee53420fcc2bdad99a556dfe75b50624e4ff

SHA512
8f16d9c772d17aa55bec0d23471fbf8dd636fabe22e4aa5cfe7a92d0ef6da1c81a786cd5a32f3f540aae56fabb336bebb0ef5b473bb20b465e401edf5ab0b756

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
74KB

MD5
a5e14edb24bbdf80737e59e0e3c4f1af

SHA1
ccf7dc53f768d448cf6acef1dd0980c7c8030a95

SHA256
ed5a815cd5db2eb1d661c0257c57291cee2eb92826eaff666b388ab5ab61724e

SHA512
5badc43820555d88d0cc7fc467f5a93795f36519c5bb1c0f708f88fc09b24818ae9801f7b1346a0e8494800f127a4a70f9c39969fd1c51255c6120f2ba68be6f

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
74KB

MD5
9a47452574c841ec5f6e527331e5125d

SHA1
ffe37487e9e01ebf17cd32e33682a670ff50bada

SHA256
8ee6186be0a6f95f34a4ca9b6e02e001a17ad9228cc40a17289548b323864b0f

SHA512
42fc8ec6fc94a041eca67b2a45fe2f92c66723a2a3edb64f5fdb73b9a70a1cc37141a4acf56edece2de58e66eb51f143bea5e897dcdf35cf74d1d5233f1d16e7

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
74KB

MD5
80a10ea6e7936a8470308089c88b6fe3

SHA1
6de05d1d433a815341dd2f3463c1383721d95fb5

SHA256
781995947c8676812c05295ac30378beb55a27732b5703e76cbda5475aa53b7d

SHA512
d9ee6ea164463a20f7a4b5d799e53c8394223630d50d84c2a760f934d791afbf9776c1c668cc8731058c044fe52ba428091264a95b3dfce0ad81eb9a1e6f9305

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
04d43d389407c1f82c44f874ef30e79e

SHA1
28847ac1b41cc14bea9ae240245e71235097c330

SHA256
6974a4c31b4870d15e93adf6d7c69fa661b13c53e0aafe94800a0f5acb3d1a2d

SHA512
1e645fdabf33b78df33185a5503e0ed90cc20b576f1bc80305df4139b71a71222242492e2da7b1ff7a2fb0df74c919070932913a2b2de969d5226f1d2d11980c

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
74KB

MD5
60891270d48df86949be431d63766656

SHA1
8c52b3c44a1c94d5f9e8f3bbff1253b91d6de7f0

SHA256
1043d4fe559f57966e5ab3b669fe20e646c55af58d5c1d5fc74ddeaa1647f22e

SHA512
48bd352f68105796b6d01b23dca67cbc74eaced4120ee97d4331b3f96559b0ad0288890142e570103a1c9c449cddea623a6af25a4d551cdeee28237edd3b9c3e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
ab8b5c6a97e983738167ea3b9615e44b

SHA1
9a2de0e5eeda3f2d7416a9232fa7adafed148473

SHA256
7febe816987edd18bf457378187105257bdcb746e2f32880dfa1fd000910442a

SHA512
df88fad2deb14858d2b10ff5c93ce9e8bdaa1e544ca30611757a740c811ef1bc8e5bfb821afcfaef7261426e484911d614d4b865c5c2f844d7007b17463a2ca0

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
74KB

MD5
3526adbd75eca8f4fd1b6a79a5972f18

SHA1
3849b387eea404f1a68ccf62a089c999d83371e7

SHA256
5dc0119c18af6dbf0b6b83e7f7603f97d048aab9b721ffd33a19491c149df41f

SHA512
6316f30c4c73c714c48c4584e8b2eb2d3dc403c6b233df97125c5b18bb12e679466ff1b5239212800d67919571f5963292d9970bcf79d498aa78cf7fc6d826f8

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
74KB

MD5
51f56b43fdce1ad075c3f1b41e1fe06a

SHA1
7607d35f589a60b280ed1b95df782bda33138ded

SHA256
d5a6c23d5c3d9c449cf381d1257287fd9c9a0e582a26246b87f0cd782af51e8c

SHA512
c443c016bd78d1bcb93f9183fb910519d295e551a1459ff087bf158f38eb510bec0bf57af11fc4b87d0e8b4819aad7d1185426c4376d5c27a066f051cf949cec

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
74KB

MD5
ed7aee5ad1b794ac4c1efddb1d685cc8

SHA1
b47c0b75b61ccf56029ac3d82c3fe67b1d16e249

SHA256
2591f882a0b33768269f2f2a64fc56713081dda26a194718f3720ecc3b252fe5

SHA512
a2f9c262d425407045c56343cb725b814d95bbd867bf0942b9597cabc597b70f3f2ed90ab705969c3397cc0c3f2b3afc4d31d7160864fa343133db984cd41b72

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
74KB

MD5
5f25f2c31294019a5cd29175bffbf48e

SHA1
38454e08400cf3c5e15bd0b9a9b41d84c2d4e19f

SHA256
bfcadb157eda5f546d43c9c56fa78e4fd2269aadf4ed5593385d3927f09ae306

SHA512
03e052c47731fb99d5d45f2394b5a19b46b9e89507c70c37a4027a175280ae36d4089f08c11cb5b37a377f0eaea09a0e2b196ce538efd40ea9743959887a9d5f

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
74KB

MD5
95d0efd8ccd73cbee8300f42001358c0

SHA1
879273da78e9d5237bcdb61aeb1a90b7c81bfce3

SHA256
246c3fb2c5bbfa7c7101e037cb21094a2935dbdf71011a4e0aa1a11f8766dd46

SHA512
d94e8cae841c0f3e1a704de3be905fbafdf82befd34ca5edff8bfa782bb862d533db3dc31d3e4e49bc9c7577cf2cb6674f9dfbd817b7ee7ac807ae770059d1dc

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
74KB

MD5
e6f5a30a2bd91790d59e169b49c0d570

SHA1
99cb038938cebdb9dca5db4344778e44cd1b6d36

SHA256
15cdaa0587fede04ed2b9d3f68f544e3f2dab5eeb0ad8a0455dff57c1a0a5831

SHA512
cd9c30339cf594aee4eacb5463963d87a2d936cc85aa11c8596174f11475d04032b82c749a622dc4062baa3705d5b0c2732ab332a9da80f0063529351c21f399

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
74KB

MD5
a5b0547230f9337c6dd5d29abc4eecc7

SHA1
134f3bf5a538bb9f2d72590b9ae3361c141f2a59

SHA256
403002096e943b277675fd97a29d4e32f6fd467c60ace0d6149f9888bb4887e9

SHA512
14c1022fbdfd20bc2d2e8efd7fb695a1d6ecfe3a1c98c63cc149ed3a836a7bd25d631669588692b725f140345f716facacecbdf436a68f5029870a816e6b795c

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
74KB

MD5
4608f4103f2a0168a0b9de346747871a

SHA1
1389dc47673bf03ea3ac63f7af01405ba7a1bf57

SHA256
d604ecc08e6859b419ccf4a780de6d7728a4ac8c73fc443f5a25ee62b78d1fd3

SHA512
6e99dd9d3486fa4d29dbb7075678568a306856883c826b9f84632ab893a3f7ef7cc2dad60ab35eb00e6c2a81a035585d45d4734412c605b467d78142a5c12c43

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
74KB

MD5
6a9fbdd47cc58777e957a2447fb8f856

SHA1
9db3d369973b9db20ed155f6cb06af27a30a0037

SHA256
cd309dfae30a9fe5c1da6cb3f73599c4454ce797801201be012df66fa416c4c0

SHA512
deb4d3fd59d49cb31e578390fbf5c334eff77735c7bca763a356e52368391152612d5f25b9b4d690dffaeb701366669c2f4aea9ec27e5df3855982a641b60075

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
74KB

MD5
dbe1408d79960b4c4901190573a4bc48

SHA1
8a9c6044612206d871cc338bbfc4205e967911b3

SHA256
21703dfdbdc8a3fa36962d4984f1a7727e41c3224563028549f81008e9aded0c

SHA512
cd1805d30694bd0a097a26e7dbc120eb0624d98795d0c70df4df965a8e9dbebcb044ad0782b4e1d682da54efb3d993faf268d48717e7caada2c10a6459a5e66d

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
74KB

MD5
d620eca6b519a8e0fc5b724254d5c124

SHA1
5c6bdc9be89e4c80c1d0af42f84177fc0c00b76d

SHA256
65bfa2a3558fab6151196ca43cd98be1b845cc66c41e6a13d40f105ed849ea46

SHA512
bcd13277904dec706ad2fabe9d710c70da677b5bf8d041e255850609034b725e37362c317f82f2eb67497da277bbf21cc666e53af38cd989487d97834c442cc5

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
74KB

MD5
a877dff4c58f1c89f3c2f0e0ee7e03a5

SHA1
b371dbbf9b76b198b1dfc49ac7fce56c54ce20e8

SHA256
3e4de7d8931dfefb3edcef1d96833f6f06dd9f9e409d1327ac345a77dd0168e4

SHA512
997ad55568c01f7ea8f1dd3bca1f3614ff8586b4fc34dd9f8430aac1a84c8357ddc1cff7a9ae289f3b735588a09f15f8b3553dc47c5e88decf246dca5f78c0d9

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
74KB

MD5
23caa43bc4cd822472d1f126ed629b14

SHA1
4b6d49dc9891018aa49a44b0e6a26720ee29efe5

SHA256
6395da312e7c3f089506dbc73623e5bde285fe62a7991bbf5ec90c6c2c4edfe5

SHA512
e79ae0fbcd106d9226d6bfda3691d1952fd1d91386e7bddec8e30194aa4a9546c8797e343e9c05571f43a880cb279aca2c297c7f5688e1c980fd3708b3e923ed

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
74KB

MD5
7a26a926363ca780b7f143d6fa7e8ce9

SHA1
917d8c292eb64bd8e38d4faa21c4b9ab92ccd84b

SHA256
78411cc16dba5f2e1900ba84c6df732685474451cd115f4f5099dbd7657b2ee1

SHA512
d88cfe2abb014e34320d394dbb178d9ed8178f8b9d6ba568538c99bd648e28dd3e284ebd4bfce0bd7d55387a4a352b99e394ca4ff22421b715ae2e05346dd4f3

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
74KB

MD5
c27865a8e688bd9f20cfc798a5c5775c

SHA1
8379a8412cabb954402b4872d8c87737d1b8c447

SHA256
5133f7ef35ce03ccfa8cc83ea157d183e37164dbec2158cffd3a41c4836191fd

SHA512
e4af528e1d07bc1f3e14405e1236ce4e738869d1ee45606e01d9a45e54d11bbe0041a1a971baeba200bd14dfdd6a2f9126e86e0ff88ba38e5101099d910a572b

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
74KB

MD5
72881de95560b01f91d2a0e3a99a2e45

SHA1
183ed9f0f51d5de1f93e46f313669cf463ed0d67

SHA256
7b61d487fec5340bb87deaaa5bc4479583f6686cd68e29606698f496c65b82eb

SHA512
fdfb65c78ecf87cbb2315fc2293566bbc119f3cef4a21713367869c6ee1d45d787ca20f8b6fd010bfd86aca0a6ad86dae17e220ac5c973488d9ff67a075e90b0

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
74KB

MD5
3156793da50d582d73ec0b3849dac698

SHA1
74b1bd3cced9330f0fb3b54ba04072fd13a26848

SHA256
ea9c1d53c2978d20ffd437407f7d94ba88ec5bbff0489393fddcf3a7a2578304

SHA512
15676bc7aa98add8078c95104a36ad067e899c995827cf5016c2ed79d4b49cca1229edb8e64c48048731cc96e00174d05c3a1213fb0ed94cf4bd1407580f3543

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
74KB

MD5
98a8dd51608b2b97b617d5bf28b1b847

SHA1
1ff62e7d0b3ad73d2a47522a38ee344e31209e57

SHA256
ff49c7ec3bdc0c90866b5d255366f94a241040e6c38bffd4ce89557291c633d7

SHA512
f2cf7c14f0c00ecc355c128607f7f2ea8e7839cbd0af53798ea072b0763d4ccc93b6f6596677473123a107d11b6de82dc8603490c4a776f9ed12f9264b9416ce

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
74KB

MD5
990bee4cdf2fa456905af9d5c4d016e3

SHA1
4f94db0f9abd798e425db039aecf3bd1abe0d2c9

SHA256
d0ca5287cb7c497c5ac12d6e2db26ef06dfc123b79f084a83e38dca11e69000f

SHA512
0567101538d7a4cfcb02133abe371645794b482a133383b817263c35155f95d2ecb6a2f9647bdb0ccab38049b268e1051e8cc95b5e66d8292da89499087132d1

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
74KB

MD5
bef4e4a9f9728e5a352c720d72a38b84

SHA1
31589c8aeae991a5b0d97ea39521825b66d598dd

SHA256
f442f88df3713e663e9db1c96e637ef15ec12aca844e202cfb49fd4f8c304df4

SHA512
14e49865a00515cc620dfc3db3e8c6bfb751569ffac906549b7947f33d9d895c535680d347627a83ebc14e8157500641a25a2dbf21c0a4aca5099c8515e0da6e

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
74KB

MD5
111f0a0235702904dbe3d1abed939603

SHA1
9a908cf0d6434de53bb004286190313dd224d28f

SHA256
77bef881dc1d64468692bfbc088305c3e2e865cc4496bcd04ce996726b810135

SHA512
712f199d6fc2307f30d8f7bbc73f9ef1ae941bc5c655fcd2c610d07bf49e644a67eb4a82c73458c88ef31ca83039ec843e6cdad47878390e58626fd7cc0b7d22

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
74KB

MD5
d1573e5d4e8721031980d8e212c4f994

SHA1
1f7c4749354f448bdf4fdb71c6a2c3888253b7d0

SHA256
fd6fa9b270c9dbdcaa43262f3ec5a9a365f2b79e542ce4d2aa3fc979312f9ae1

SHA512
7f6db0bf5382d1ff389bd2129c571bbd640456498eb28e1802cf26b8e55e3fac9ec0f64ca9ac7bc11ecf31fa8075387c061bb80d70195bbb0f289ad07ec7d0a0

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
74KB

MD5
fc32b697509f8b6f2a8ff2a1dbf09645

SHA1
44d3d4bc5057c57addf45276c9f6c7d651346629

SHA256
7a4bccd1e77f700bfd12636d790ab6562acb296d61782ad9436bd3a7e0a17600

SHA512
c7805bd95dcdd752c82fa45ef0860d9277f01f952b1e9b9c0c736b0277e8cb730c419a7b0ba0580535457386a86a2e45c263a2e68cef6756379e239ae96a715c

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
74KB

MD5
7fdee33e28aee7dfa1b2c672b629afcb

SHA1
eedca425f29a435dfa49e44eadcf148658b06fb5

SHA256
2c1a0a0d64fcb5aa23a41ba10fc032c6216b56cbd8b0728f2f089fd1d8e5a7f8

SHA512
05dc5cb8b9c6ceea981927bffaa4053bb94732c4a02b6aa1e3a00f836cec9733b42cc528fea8f4107d878f7f5e52c83c93b171c044ce295ae98648077c2ee37e

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
74KB

MD5
32acc3ea0642ef876df137ce0825451d

SHA1
5112dca03c49dcaca35ac2001608d004f6c8cb76

SHA256
bdbb5bd48f39eb17bc751a4fb25b6d975e61f3d439d1429263b7bcb9d7539bfe

SHA512
e1f66ff7c5d2dc739de23284b02d5581985b10981464938e134ab997cb8c238c970c65c957938f30acff1b4cc4fd3078330a1331108a1eee9d32acd67793e9dc

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
74KB

MD5
5cfafa93c373e77e867609b12e831df7

SHA1
05817f046502e5303c249b5dc3b6b489326d15fa

SHA256
0b074820e968dc464cddf1c2be7d49d39907af9660d1a2062907b0f41a3dc1b7

SHA512
fd064e55e8b19fb8f13cada83e7c8e212e2c812cab57d2463a8e14c773b90882d078793f854dc2b50e121401feae940eeed7b12e0ec44d396d372e1d9192e057

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
74KB

MD5
cfba59e07ea872dfddd83d42ead02e58

SHA1
b597a00c2e842d928f0b1f51520d54c9f9a2a164

SHA256
10c5f06ef54f244339af3c5fcca4479ae0bb2ec3854d8db4b8d87cb5a496c888

SHA512
83991a663f0542720933e11173fcc75624bf0a066fc6fb6164696b1216c3fc39ff72a530bab465d68193a136bc399f3ebf3e1abdfdcae9e669bd0bc1ae5b773b

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
74KB

MD5
7bb027430980d8ece64338d07651cfb7

SHA1
8a28973428d7ba18f62af00b1a4c2b61c72c6ecc

SHA256
f0ac147be68ee4bdf0a93bba085d16e057969a7a6cc9a84d408b2a87b43a0872

SHA512
ad699b6279dc35ca3360c162cac9e08517f2bd70d8b9be14ae095815434695cb181e45d0f9a53cbab755cce66d3275e70537644adb259ddc9b844aa834962f9f

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
74KB

MD5
950c634ff4b197a716e645841ca7517b

SHA1
3d10ae2fd514e571a00111fb8b2cdb8c4663a189

SHA256
7577b9e5f5743744ff728a41d074534c532432949d56518683614b547f6fe1b0

SHA512
d05f0cd5f04c4088d3bd25299968b2eedb6c6842e87e1fdfa3c84c856547a1cc0cbca8def8a9cf7494a4509d57560dc51580def82d5c42710f1505b5df1cc978

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
74KB

MD5
85692d9644c64195e2bd7319dc6f4273

SHA1
dfa667159f34181dff2fe9882f588b3c26e9219f

SHA256
07a2146fc7a61f46b1b0587207de187e2203d06fc566242f3f795358893bcc57

SHA512
4f5b97e72d5761d3c421eb8cc4e0a6874868ce9a8e0b5ffb59328afe21fdee9e8ee66a5be5585759de56896052a572ee5fd19bdc6d37d574ea9faaa5c2e16aee

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
74KB

MD5
8be4f9ec4cea2317bba73ce3b870abb1

SHA1
7b6e6059257a6500a5f82078a8ef672a003f1d73

SHA256
63852dddc7df9297095e20a28fb926d7a449c6ecccf0a4de62eb9b7839514915

SHA512
4174d4cb3d1d2b94ea61a649332334faf4326226b27ec44c3f3fd6063105810209f3bab17f8753abed91314373ca87867676801c53a7528debd5bb7da312574d

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
74KB

MD5
659473421790672b372b77fcb261824e

SHA1
9796c333e4d4bd7ed66c42b0ee46363170ab0b74

SHA256
f4da7c3884bb904beb55cc0010d7d7f338b2a720098d0903d7f1c1e65bc28a69

SHA512
e91c7d0bbea2cd4da74bbb1bfdb2c939c5d5fec3c068af35f40ee2906dbe41b36f0c4b7bf2d821de64f3c0969bacef172eff535056c4a86434917876e175130d

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
74KB

MD5
fd96a9878d65c2ee204168b70d3828ff

SHA1
2f2d6b204e9a59314acd7a59ea67da1fe090f42e

SHA256
131b88cbf73e42b68182b1212eb30d5c33ff068674f5c878ee43acaf0eab30a2

SHA512
36b76c73d510ac216a8f1cb70a795fd9254f99d4b34ece603b97db02e6ff8ee1335cae97bf2f95c1ef38ac18c5303cd089a8f6cbac28b7a5bb1e534242cdae3f

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
74KB

MD5
2e751581caf2ce569fefc628d520caf4

SHA1
c08941e16073fcdab2e9f56539b979b4453227e5

SHA256
ca81e5b91078c62e492e99a37c533083b73da2199c4b67759365ce290f0bb2f1

SHA512
8ab3fac03aac0084f9b7b5755560c064849f784a419337b566cfaa039e6b27f8fc0ba0045af79c93fb60487cdf4781baa1573d7e11ec2639a1f412ad3d23a939

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
74KB

MD5
150e02996cbb8b7fa75cb0e717c9b1e6

SHA1
4bfeb5d85ff5cb733bc338632622c6a37f5619f1

SHA256
aec169e23b2674c8efce146b35bd41b65da61a61332508d96f6a56917d82bf5d

SHA512
0fc7a4420f3f69edf54416e11c4f5c89814e3ea3a5c07d4ff3ae005409261d790d2d72c90213b8f1c5eddc701d6c4959b8b59868500f1354d0424de04a7fb1b6

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
74KB

MD5
05d5a8a78e73d9f0b60466bff199ac50

SHA1
95d424dbbb654a20c4e459c982b7350b3dbf5bfa

SHA256
329360333cb6d84ff5985d4cc1426e5470e0fe1320ea233c56c7384077e33a48

SHA512
761825fc6c8211991945f4628e1e33706178300c9e72825734089b30d2e989564346960599c6c6759ee989124a26ab559b56129be51c847074f093d1ca26933c

Download Submit
C:\Windows\SysWOW64\Ncnaabfm.dll

Filesize
7KB

MD5
6d428b3b2d6c852311e87a985d10d783

SHA1
3dd6ddc73a07680a81dd2a9ff39d56efd9075e9c

SHA256
84edcef27ab4d145ba3d49d730ad0e3b20de87cdd4608cb83edba5f83f606d86

SHA512
c03d1269ff3dac8d160a7e06984bed99e867e926b662be73b464cecb6536c595f76a3d15de2d41bfcebc8082ff94a49c5108af8de38e7157098485f5b7e39156

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
74KB

MD5
5d297d247bf8f8cdc362a0d5c07b9894

SHA1
de0765067b39b6a767ec38a15f952b72c06fff55

SHA256
c9f38a500fbf741dd1c3f7ef0b20854c31ebc95094c78bc9e5eef070b203408c

SHA512
a74930abaa8132b4d237e664bcdf96b128814a0a36bc698b727237a112b24a57e99cb530562e34aa3b2c649dcad001f8035034f6cc2da5ebc459577432357e25

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
74KB

MD5
bd814c07d80d464b64ed12c1c4b8c083

SHA1
1e55e6268f82e3695df01de2d7c0ee1afe3a636d

SHA256
539811e5957e3f0ec58003c6c6776291d6e676a30ecf9ec0c5b7dd382573a0ca

SHA512
b9f4039a47448e321228f7a2a903cfd70e4782ae2efb5703cf4f0452efb1059e0cc2acd54880c0206fff7d7417c7036ae2e79b01211f1b2ac1fe724b8015a83d

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
74KB

MD5
ab47003b02745ca894841bf85c353d25

SHA1
521b7b85b46291e5d446ea925fa8e7a0cdae88dc

SHA256
7caf64a049c3a6a3d0f4fd370fd0aad225516b41585434fb5a2da2b8ac6aff74

SHA512
1bb52d4f74ab9c41d0fa3279925132f58d730df8e951c2b1352eb9ded25a2cef77719f85a497f34fb304e1c946fdca9d5aaa6380e0a0a8a779c33dabb72d7160

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
74KB

MD5
2bc090a3aa248cf97ccadd4614fc4c04

SHA1
c535ab5e429c669cc9740ff45ed6fc1da47df7d2

SHA256
0d0f320af8f529fdfb610483aba6cf35134ee31d444b5dba0a1d9df2d9b1ebc3

SHA512
1f20968dbbb4e583c501bf2177499fd6544e48e406ea5c212e0dd2e9327b9b702bd7ff9a4c27232f07794eabb4544071f1820537682e4e942f31ab92a20cdcc2

Download Submit
memory/8-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/232-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/524-577-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/992-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1072-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1072-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1120-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1180-452-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1208-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1244-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1356-422-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1392-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1412-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1448-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1484-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1508-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1512-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1512-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1532-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1568-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1588-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1612-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1640-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1668-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1792-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1804-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1904-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1952-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1972-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2040-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2136-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2232-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2308-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2424-434-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2460-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2472-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2508-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2512-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2528-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2636-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2656-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2728-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2796-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2808-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-542-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2868-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2888-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3132-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3212-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3292-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3292-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3300-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3384-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3416-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3416-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3424-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3424-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3460-584-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3480-594-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3488-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3788-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3888-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3944-464-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3996-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4052-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4088-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4208-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4208-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4280-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4284-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4300-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4320-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4336-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4352-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4424-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4524-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4564-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4676-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4676-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4732-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4804-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4820-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4832-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4836-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4848-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4848-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4856-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4884-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4940-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4960-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5036-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5100-570-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads