berbew | 966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0N.exe
Size

96KB
MD5

95d5c0889884bdebe8d628e0ba826290
SHA1

d9a91508367a8acfeb4d5d347c79d49197cdbed8
SHA256

966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0
SHA512

3142368c1bb8ed7cab78c4fe68f9c7f581ee7b51a38f45507ee7375b4dd7d4baebcb11eb2c64d9ef70f60f28719b3474c3b9b8d6f037e35200999d55204429ca
SSDEEP

1536:dUpq8Qn2XknRvEQPbHK1+xDVDvsDvmHG4XVcdZ2JVQBKoC/CKniTCvVAva61hLDF:6y2XknRvEQTqUxDqzmm4XVqZ2fQkbn1+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1920	Kmncnb32.exe
4564	Kdgljmcd.exe
1788	Lffhfh32.exe
4212	Lmppcbjd.exe
1692	Lpnlpnih.exe
2688	Ldjhpl32.exe
1740	Lfhdlh32.exe
2360	Lmbmibhb.exe
3492	Ldleel32.exe
4632	Liimncmf.exe
3700	Llgjjnlj.exe
2340	Lbabgh32.exe
3960	Likjcbkc.exe
1960	Lmgfda32.exe
3376	Lebkhc32.exe
4896	Lmiciaaj.exe
3092	Lphoelqn.exe
3824	Mgagbf32.exe
4952	Mpjlklok.exe
4480	Megdccmb.exe
4964	Mlampmdo.exe
2204	Meiaib32.exe
4088	Mdjagjco.exe
1252	Mmbfpp32.exe
4176	Mdmnlj32.exe
2932	Mgkjhe32.exe
2332	Mlhbal32.exe
4420	Ngmgne32.exe
2796	Nngokoej.exe
1068	Ndaggimg.exe
2580	Nebdoa32.exe
3288	Nlmllkja.exe
1792	Ncfdie32.exe
1012	Nnlhfn32.exe
2252	Ncianepl.exe
3312	Njciko32.exe
4720	Npmagine.exe
4688	Nggjdc32.exe
3416	Njefqo32.exe
4884	Oponmilc.exe
1064	Ocnjidkf.exe
5012	Oflgep32.exe
3356	Olfobjbg.exe
4532	Ofnckp32.exe
2336	Opdghh32.exe
3860	Ognpebpj.exe
4284	Onhhamgg.exe
4584	Ogpmjb32.exe
5104	Oddmdf32.exe
4204	Pnlaml32.exe
2492	Pcijeb32.exe
1816	Pjcbbmif.exe
744	Pqmjog32.exe
3484	Pfjcgn32.exe
1912	Pmdkch32.exe
1632	Pcncpbmd.exe
2280	Pflplnlg.exe
1932	Pmfhig32.exe
2760	Pdmpje32.exe
1536	Pgllfp32.exe
4876	Pjjhbl32.exe
920	Pnfdcjkg.exe
4668	Pdpmpdbd.exe
3732	Pcbmka32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Fmijnn32.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nngokoej.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5540	6132	WerFault.exe	232

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1920	1408	966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0N.exe	84
PID 1408 wrote to memory of 1920	1408	966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0N.exe	84
PID 1408 wrote to memory of 1920	1408	966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0N.exe	84
PID 1920 wrote to memory of 4564	1920	Kmncnb32.exe	85
PID 1920 wrote to memory of 4564	1920	Kmncnb32.exe	85
PID 1920 wrote to memory of 4564	1920	Kmncnb32.exe	85
PID 4564 wrote to memory of 1788	4564	Kdgljmcd.exe	86
PID 4564 wrote to memory of 1788	4564	Kdgljmcd.exe	86
PID 4564 wrote to memory of 1788	4564	Kdgljmcd.exe	86
PID 1788 wrote to memory of 4212	1788	Lffhfh32.exe	87
PID 1788 wrote to memory of 4212	1788	Lffhfh32.exe	87
PID 1788 wrote to memory of 4212	1788	Lffhfh32.exe	87
PID 4212 wrote to memory of 1692	4212	Lmppcbjd.exe	89
PID 4212 wrote to memory of 1692	4212	Lmppcbjd.exe	89
PID 4212 wrote to memory of 1692	4212	Lmppcbjd.exe	89
PID 1692 wrote to memory of 2688	1692	Lpnlpnih.exe	90
PID 1692 wrote to memory of 2688	1692	Lpnlpnih.exe	90
PID 1692 wrote to memory of 2688	1692	Lpnlpnih.exe	90
PID 2688 wrote to memory of 1740	2688	Ldjhpl32.exe	91
PID 2688 wrote to memory of 1740	2688	Ldjhpl32.exe	91
PID 2688 wrote to memory of 1740	2688	Ldjhpl32.exe	91
PID 1740 wrote to memory of 2360	1740	Lfhdlh32.exe	92
PID 1740 wrote to memory of 2360	1740	Lfhdlh32.exe	92
PID 1740 wrote to memory of 2360	1740	Lfhdlh32.exe	92
PID 2360 wrote to memory of 3492	2360	Lmbmibhb.exe	93
PID 2360 wrote to memory of 3492	2360	Lmbmibhb.exe	93
PID 2360 wrote to memory of 3492	2360	Lmbmibhb.exe	93
PID 3492 wrote to memory of 4632	3492	Ldleel32.exe	94
PID 3492 wrote to memory of 4632	3492	Ldleel32.exe	94
PID 3492 wrote to memory of 4632	3492	Ldleel32.exe	94
PID 4632 wrote to memory of 3700	4632	Liimncmf.exe	96
PID 4632 wrote to memory of 3700	4632	Liimncmf.exe	96
PID 4632 wrote to memory of 3700	4632	Liimncmf.exe	96
PID 3700 wrote to memory of 2340	3700	Llgjjnlj.exe	97
PID 3700 wrote to memory of 2340	3700	Llgjjnlj.exe	97
PID 3700 wrote to memory of 2340	3700	Llgjjnlj.exe	97
PID 2340 wrote to memory of 3960	2340	Lbabgh32.exe	98
PID 2340 wrote to memory of 3960	2340	Lbabgh32.exe	98
PID 2340 wrote to memory of 3960	2340	Lbabgh32.exe	98
PID 3960 wrote to memory of 1960	3960	Likjcbkc.exe	99
PID 3960 wrote to memory of 1960	3960	Likjcbkc.exe	99
PID 3960 wrote to memory of 1960	3960	Likjcbkc.exe	99
PID 1960 wrote to memory of 3376	1960	Lmgfda32.exe	100
PID 1960 wrote to memory of 3376	1960	Lmgfda32.exe	100
PID 1960 wrote to memory of 3376	1960	Lmgfda32.exe	100
PID 3376 wrote to memory of 4896	3376	Lebkhc32.exe	101
PID 3376 wrote to memory of 4896	3376	Lebkhc32.exe	101
PID 3376 wrote to memory of 4896	3376	Lebkhc32.exe	101
PID 4896 wrote to memory of 3092	4896	Lmiciaaj.exe	102
PID 4896 wrote to memory of 3092	4896	Lmiciaaj.exe	102
PID 4896 wrote to memory of 3092	4896	Lmiciaaj.exe	102
PID 3092 wrote to memory of 3824	3092	Lphoelqn.exe	103
PID 3092 wrote to memory of 3824	3092	Lphoelqn.exe	103
PID 3092 wrote to memory of 3824	3092	Lphoelqn.exe	103
PID 3824 wrote to memory of 4952	3824	Mgagbf32.exe	104
PID 3824 wrote to memory of 4952	3824	Mgagbf32.exe	104
PID 3824 wrote to memory of 4952	3824	Mgagbf32.exe	104
PID 4952 wrote to memory of 4480	4952	Mpjlklok.exe	105
PID 4952 wrote to memory of 4480	4952	Mpjlklok.exe	105
PID 4952 wrote to memory of 4480	4952	Mpjlklok.exe	105
PID 4480 wrote to memory of 4964	4480	Megdccmb.exe	106
PID 4480 wrote to memory of 4964	4480	Megdccmb.exe	106
PID 4480 wrote to memory of 4964	4480	Megdccmb.exe	106
PID 4964 wrote to memory of 2204	4964	Mlampmdo.exe	107

C:\Users\Admin\AppData\Local\Temp\966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0N.exe
"C:\Users\Admin\AppData\Local\Temp\966af360f6828f71eadd5c5a51d833a2d63019327cce462fdea3c865938168b0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\Kmncnb32.exe
  C:\Windows\system32\Kmncnb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\Kdgljmcd.exe
    C:\Windows\system32\Kdgljmcd.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\Lffhfh32.exe
      C:\Windows\system32\Lffhfh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        26⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        34⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        37⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        42⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        45⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        50⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        56⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        61⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        62⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        73⤵
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        75⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        78⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5076
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        86⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1800
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        89⤵
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        91⤵
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        92⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        93⤵
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:224
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        98⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        99⤵
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        106⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        112⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        119⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        122⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        127⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        129⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        136⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        146⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        148⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 412
        149⤵
        Program crash
        
        PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6132 -ip 6132
1⤵
PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
96KB

MD5
a29b45bc5a193098e9d15132f3a30456

SHA1
0b0837999d167620d1b7621e2c96bad76e654d94

SHA256
f9f5913f89621aa47c3a6d338aba42b980d83cf76434fef952880fc2fedad805

SHA512
018de19f3381d50258b34d8ad91e25dcb2f8eca1fdeb8100e143a86c2f8823f850eb1f99a9f87227aed77267f9eb6a84e295271cc35ab41ecbc92663b4fd2a08

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
d60f0f6b486cac103bb818c3b75aa59b

SHA1
3f6b0b204139c99996c2b86d895f98b2089a6e66

SHA256
4b82870af02aeb0be451b5010de4e7dba0c00b70f5b88d6ed366d1a65993285d

SHA512
db7b17333745fe29fd0a3f11234f109bf445127e577d9b539bf40a405c3a92c6f44e8c6e7412d448ba03e8abb13fb05eded113b3b71db74720047524520bdc81

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
2c8d211277f40ec2b8d64c4c8843f21e

SHA1
edae1a7902df3bb4223831f4c3b39ad7f5baa00c

SHA256
f906719e6a93eaba9194b87c6dc28d94330f142ca6fdbf7fc6c382473270d1fe

SHA512
225bb204face3052c4b02308fc9204d9b6c9d73aadd215e1d3eec1865c7c3073629035cad294acba7e81d7b1bc638aeb912caa411d0caa8a043383844298199c

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
96KB

MD5
18c918014c503bf4289befd6847be8a6

SHA1
f5cc295318cae71a817ee9e2652532be2a0171b0

SHA256
09e3d8fc8472a21097e664529a7bd1c279d873b0ee2421a5fc2333969e84c115

SHA512
aff1923041a282a9271426d267ac0f46e8dc7a235fe980fe1888b1552c152bc599e41e07fff43db5d2f8f0307a4ae3571631cb179b40c7947ddd4206335d7b9c

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
45d6d9e402966063d6531aa5c85928a3

SHA1
9de688ddfb182645512daa64e815f2258fdbcd55

SHA256
6b86296fb541d64c11f373ff70649035f608a1e11271081b870087ecde1fc0af

SHA512
f79001500629d517f1c70468f32d716a4418f5835b8814feb0a65cf1cd23300652f9457fec3674d68387e229c3f934bd06dd127f2281816084aa02136b599424

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
4e2deddacf2a3abf6dcd4af96882276b

SHA1
0b2cf57f2807c461007abfd91a0b59fd7bf7c26c

SHA256
ae91302f530783c48f7657d36772cdd21350e5c187dec12db01ac89729df2a88

SHA512
eef6d610f37a96af5ec21794e685bf7c6eac431d6b157ffcc248eac1fe772f3feaeda3a5e00fdabedbd4001fbbecccdc64355b2e9e469b421ef1a42447ffe490

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
231c12674eeb682772fb02665ba05ba2

SHA1
615a35fb4d8a22eab731f72bd94c77bfe51fbd31

SHA256
2b7d930d1a1eba4c8cbc50d1495d18455811146eedc2878386a714a023eaf651

SHA512
bcbfad0feadbe550d770d567a52bde06722a5d95239f163e436740a2969a91b3f4b5f4d3ea5743335568547643a5fb297e1d16ff82aa959085c44aac72b8e839

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
0d3a34a7106c13eb5aee22fedcedc2d5

SHA1
7606a7d3c380d4b18b6092e100e3a5c13993f99c

SHA256
4e97ed8a4ac24343db63050cc21bff5d880d4dd3dbbda1336cebb06d690fe230

SHA512
c0ad494bfaaab94ffd04337d2b28be42b60c1620bf6d1650c86e5d8a5c253297b4170671bd1affb6e29a842e060abfac17d73c2f2687382db74aa9f5c55dc630

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
96KB

MD5
c3489b3b0c5f37ea2a574ab0d7a5276e

SHA1
4641d5b291377871015adbe730cb86567fe431ec

SHA256
bfe42c5a466f5925b255d24b866a8c220a863904ea995dadd3595c982e8eead6

SHA512
382831d1050739024140b4f38bafafebd5c14c043aa64ceb445d71da3106389c0517ddf2001bac204193c423c77d4cf3656e37ea045a9816cd41c929ef55f5fc

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
fd047eef53634acb78516ffd0eefd1a8

SHA1
7aaf898f6643c0535aab873fe30204d4d8a185bb

SHA256
b335d3e7e8e3a5350183a9d12ca22101f10aeafe7677c7ff45874884f56db5fa

SHA512
9d00b0daa3e62b382acd01155220be786b6e3f6f8d354ff3162bfda780b8aeca7e981131b1c3ed56edf52ea6f01f25829441afc4becaf2223e89242d2cf9b201

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
6393537d32f3b4fedc5b31d8a4c769a0

SHA1
bd0502c3a32023db742e0e8814e2d5ec117cb9d4

SHA256
63df88ffb0739f201f86837a66af563bf8a4dc5780b7007bf8b24cb0c9031fc2

SHA512
3db96a83c53062655401ec04c565d3820fae7d2508e71335d952d52c21ee47778f35cf6294d0205ecc40052b16e9e198661bb22b287746d9364e0115361f5aa5

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
96KB

MD5
76fae52a01262cf705194492886e6bf1

SHA1
fe8356c73dfb5592435edf552fe4ca0454139d77

SHA256
5bbada72c9f345689223835126ae2936877924a95c398c38e7ffbe7621adfd3d

SHA512
530901ede1250dfac6d827a1f9e5347a3277547ad4d3def98cc853d07cedb85c70e641a9ee09f48a469b72735e18321b95af333c996830de3f734646b5e98621

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
455d2559b54138eede8cf480740833ef

SHA1
2c5a56d067770db4ade8df61268f295f98f1196d

SHA256
0d73ed351324b5dfd04c31e0d303fb2e174f3d6f53dea41b85be63cd61b1a03d

SHA512
3e9820702484731138d92aa056470e20628ac98d1d969db04d648307de83df2f574339b7b7f588daa655c948bb0bf37ae86d5ca9468b5790179f40f2f9522e4e

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
ce89319aef05deada22bb38be7061095

SHA1
222d5e3a5990f36831d584057536a109da28b4c0

SHA256
f66aa67fd1d799e471dac26757a136b16fcd9e72bf0f27f7390ec9eecb9785b9

SHA512
c34c78a7f70a29791004e8ebfab074007df00925526f6fcc53778c22223018f2e9d2459fa0b61ea0ff9ed02333cd6b95284356baed30185f7b71c28fd808110c

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
fe494625dd3a615ab05968ab190ab72a

SHA1
27737ae29c1080effaa01c55c6ba37bd5b4df622

SHA256
5bdad5affa9e0ce5a77eb105cbc85f0d3756bc21bbb46f47ad10aa98fc4d8399

SHA512
e272b015b635c291f3c334467a8131c7d1621092471c8e5528be9fd9db2cbe9da0bba8ef16655e6baccb62e1cc1dadeea992117ab2cb61689c4e29853deabb1b

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
0144a9cd20d74ab9f7ef716e8e55d96c

SHA1
21c5e9a274c1c4b1b9255b980d2094509f3d946d

SHA256
0626316eaaa1dfe62251cc6c40ed64ab13e3c300f13801bf3736bb789fc000f8

SHA512
b53a43ecd0d8a0a642b00cd20341ea4f662b2b94c231a5202ae445c7739312f948fc1dc0deaeac8e88f34b33be4619f948b92fdb1418bcc5b7cfd02f6f1ee9f8

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
9aef6474132c4829ca3ec301578e4379

SHA1
349dd181fa3fa615bd1ff40d50668c4d65a04e0f

SHA256
58531ff1e56ff806f7855fcc8202f8bc4a07becdadb5ac8668b869b52d1c53fb

SHA512
a418723f0fef8d08bf742e41b5102a4158acc91c635a5428734249f411c8c4d9baf5d099f18cfc695d4a00650f03e8d10adc87d9e9101ac9fbbb917e5fab28bf

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
76924f29a3cc2f9a042c90364461308c

SHA1
94c88f6740c28d56144556231c6bf0bc6f38c335

SHA256
138e616f86c3c958c8e84bf03dca35cf54e3da92edabe1d5f921edda0ce1b99e

SHA512
7ba04373fd3be473e35220257b601ba97f532e5726132a33d51b0237945fa7390e33b1e5a8c561e567ead2f3b045c232a360243fa607f8df3fd6c05911680d8a

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
96KB

MD5
9521c28bcdf718ca832317e4545758d5

SHA1
e649a39db73ea909219416aa00f3f3d1a2468ba4

SHA256
4b769a03018d1e1f40f103ee207ae94cc2ef831a589d0158e395d19ac53e5d7b

SHA512
e6e757aae35ccaec3e50a661a502087dabea3ad51b6623a39e0b4d42893d97dcc93fb4b25349ae8ca9e82e5eccbaf9a6b352d34e024cf0649b752b62bebfc303

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
96KB

MD5
a5ed4b4767885236b6d498a1d65a9264

SHA1
24db593fba710fdeb0b0f7916a0470c317b0af58

SHA256
c7bb6973fd5b52c8fd92fc5de36f3ae066c5974ecbf638a284397591eec51ad4

SHA512
9e04742b886686b037706c077b4dd8d810df32e7fc863881256d1f340bfcc28fd675037bb9f304cc90de79ae733d569c0d6c18a575bdcfe90a1a20b158c3ed37

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
ec9362818da87b0b8f9bed29079d7e03

SHA1
8ca1511618f228fc5c67b61910af44704581280c

SHA256
777ded33912d55298c1f2e72983e117ddfbf47288c8963cd45abfa78798ad150

SHA512
081a3396115e3f8afd0133530653dccf2d19fb25bd979646920eeea5d46267523e2b20636bd61fdfb931b66b645d2984660b78224225367e7d6a63909f71d3f8

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
96KB

MD5
e7f1f13d84c78cbbf297ef3627ca6213

SHA1
23a9d08f5bee750c15b08f8fe698e01804c0cfb1

SHA256
3e50b85312aa7c7be6c95ffe7646a0292840309350fcc5d4a3e5401a85163fd0

SHA512
768f77e621e229b8810c33792d5f3ecd2e303d1c4adce7ca06d6c3c9a4693c855ab5604bcbecc63feba70a17fba06332f1a2b15d85461750031c66d217d7f5f6

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
96KB

MD5
883aa9052962a4619fcbe0463d398833

SHA1
da3643cbc801e4f39177ad1c6dc0af2f8f1f8173

SHA256
47892c276e1f5e08cd42c61c5b628e04d6f16ea8d89fd9c55686e4c96c214892

SHA512
2cea57d7f76068fc93009135c8ce292184c37ea1441d07969217eb9c19ea0b2756ef75e68f007ea625d48df5c44f68dfd7f1e4f23562e989abd2c6bd19e1082a

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
2b486ad753a63325f62bb52a1c70c5cf

SHA1
2262da61c19d6569c0150d9ec74c66ebb07e23d4

SHA256
e2cabdab23499bc9ef298da3e0ed55eb64ca32f6effcf031f4c23d4cb74424a7

SHA512
243e472c6083026ea5ff3322c3b8b4df47e9cc3f77516a4ab174ebeb156943527fd31231d636f073a488f196e519b9c9368ea8f661277d078d8a350d2a67a1fb

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
a169c74223ffd9d416c5fbd68955d9a2

SHA1
ac800b20793bb405a0423a9c53821ee1446163fe

SHA256
f905b6657f6b6ad3f61334b12a4e5e8da641d0437a374689c5f3a1042545f278

SHA512
dce6d11f0f46c0e9a27b98057d9bdec3cbfd3ba8b8bebf6d14e2bdffd03d718fdd94d14b0eb9c65f0cebfcbb678ef62a16ab800c574f7d38fbb25921dbe00ba8

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
96KB

MD5
3dd5d189c41f2d75ce5ec7a6c71aeca2

SHA1
35bb38762e047c0de3d2f3aac0ff3fc60bd5283a

SHA256
f0c9e62a63f99bbaa2dc1ca3c287a54dc0b7e03ab3d6b864e3c968fe12d956ef

SHA512
69cf094ba2d166f3f455243e82bb87125d939f358d0c618d1b782f74d2dcd3392c1bde96837e1f8286c2bd870314819eda2a985f085441c5dc15e72cd8c3311d

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
1794db25525cb9141de2a4df74642105

SHA1
defac805ec65cd64644e92ffb0097f80293a0baf

SHA256
8da8fefd7c3ca1efbd2744da46da282907ec713b6c49f190a00e6c4fdfa43bb6

SHA512
d22e55f389fcaeddc1e088497802f28198c65415afb4be2131b09b1079a5158947a8b6523de8154866fb6de87855970b58765a49acc536bd4fd0110ee614289a

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
96KB

MD5
ece0b4365dbd0c44f3b53a08f81ae0bb

SHA1
53bfeb121dd8f95f1fd288833bada48f3a263fb5

SHA256
6d3a3b45bde7f41997b61c91f0621e8c439cc45b254557327468472ccbdc8c32

SHA512
8ba0a82d961f39ba8ebc76aef6a77e1a71a927b250a53a8631d90e5bc05798127fcb7674b579b28fe724d9ad8cc3fc9326cfae9daaf26a94f4b191563e085533

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
96KB

MD5
050ff959e47220d357df03ec063846fc

SHA1
101c6e18b21497d7081ba87e477916f4b95cdce0

SHA256
ef2bc0347f8318f14d15c8b77fb13e6f6fe265f5335cf71e606ce514306876b6

SHA512
fa68f0d44857be05d02f54013c9a084d933b6fbceca228e65a837823712e5aa482a0a37144b71762c6c64734a2161dae254a323cf746b346471ff91b130ce507

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
96KB

MD5
68598f710af1bd46354d0e514130443c

SHA1
4722813d6dafcf87cc00c9ec2158e6c99bfeb125

SHA256
8e1c057e63d1e24c2b6d33ee04cfc5bddfc011c388d839bbd26ab98f684a00d4

SHA512
461215e90cf159a385f555c3c08a7df2de1a2fc5d7ca8c77e8c4c8031319d73c824ed57617846b53a177e4b65c953f15653929cfa0ba979412282f9e3d42da4c

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
a72a0525673563f3634309370f2a3dd4

SHA1
f178b0ece03aec0d132dfb97dc2d652ab41fab90

SHA256
ac6b370a09b6d7d80b0a3f2bebe431eb9905f9920eb96c2c476b2990812168d6

SHA512
e60c6271f3ed36172c228d82aa3ce965cd4767c07000a92bfa261f65c1be00af3294ff6e6b33e996600dcca9dad05f481ca6030335a454be84adbdc8114e6810

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
d2295c9983667ad531f84162f5b46358

SHA1
bd74aa96ab37f4b85313a0b66d84cd0127b03a7f

SHA256
7df04dc781eb6ff0234c0bff3861e224921e7bbbbca86a5ccc0507a020ae9427

SHA512
b885e9c2f719bbbc06d54ba1002fc3f22a4b354a80e88ea54856520c7571ac7cd46f38f4b25163ff45f0b868af290dcdfd940fd71213b95faefab2535a37f2ed

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
96KB

MD5
15523b7098d93945e076ca837abc8c2e

SHA1
6f51adc3264c6adc8a773780f0de94bbf775d938

SHA256
55a0769fd0149af812d1fcbab2c4fb16a1640b79e82e7580af3dc1bc08c64213

SHA512
931dca6f522e8549a20679f9fa8b1da73f2464433e46de66b17ecbfb86b30227ef69efce57c1e3d18108b15eda35b9c1b338f8fd8c9fb5534ce47d5ad92d5f74

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
96KB

MD5
fa164d668d0e132dfc5aa94e6422585a

SHA1
a32157ee548d40e73244929105a2f8626ffc22c0

SHA256
bb1e3da10b19974cbe64551310ecac0bbb130b39d189c8d2e0bcd4e0f72712e8

SHA512
c2cfe0391e0691daf1a3283fd4c9e48045e9c369abfe9df23060d28e7a8891b28b1dcc500e7f52e8ef8e90b920bb389c5157bed199ba80014f9832217a81e029

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
96KB

MD5
8105a80973c1f2a8f0ee27dbb3028a5e

SHA1
2bb2a7a94aa60f0c21b3bd206410d64a25406bd5

SHA256
e3fff713715edf4c0274b445722793975f60434ffcbac893e8e3772896ee7856

SHA512
a3232ca42234a58229a020c4dc018d7e048c39d77a2699ccfb02323ad67b6155097948cebd3783377a79f6987d3a98b84f13f9ebf8d9457e544b86d634e372de

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
96KB

MD5
ec4b0e752869eb16aafd75aeaf6a768d

SHA1
f8b30dbca73d68dd2cf9386da63a2b00ce8b81a6

SHA256
4e205d917e7b76db54c22afab3d8d750efda3e7cbde9e095d018ed04c3e2507f

SHA512
51097327681304ac42252275022b4f1ae53234d957598131b3855db467d21d8836cb429220c5a16c03411fbd5773ab4189a122674b32ceefbcb9b3cb55668894

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
96KB

MD5
5ee0c069a645a48d53601aed6f969595

SHA1
ae819c2fc52084e4e07f9949c04974720493dc05

SHA256
7333f1a88e775c20b940b8ee09d5a560299327445b44235c3df85f3c2b7bf8ec

SHA512
a78c9f32dde83a9fb0d73bf16c306becd3847edddd79a47bdd7cfebafa42f754d0461a038933b67722b9977bc51e0a6aea6b2d7c07d51ca83b117ab65da985ac

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
96KB

MD5
22ebfca6949aa42cbb60551942d0dc00

SHA1
6c87e7e54051f6fca800a67fadd27e0d9f6a52fd

SHA256
7e6f37887c6a0d5ec9f2f302bfd8b05c59aad5c60dc2ed345cb152f56a91140a

SHA512
ea4d42b3c293ff88c5f6728d4f8cd9be5277274e99267da11792c871f2f1819fcec2fa06e28960b3b592be910cf694fc0c26a7450f7ee5500d7f6a0ee3f9235f

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
c190996154b9b698c6937a4a43cd0d46

SHA1
6fc75dadcb4cc7c17723905af1a43c16e5eaf032

SHA256
b96301dc60bc9c835e384248eee25c24af00c8e921b639bdbd8fd6dfdfc10dde

SHA512
373725191e7f12c751c28f9d1aec6a6f7ea7f4fd776870aecc3cb08c7a91910946ad288582e784b2db46d4523be64c9de799732168d6a23033354e23826baad0

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
145a3d70aa47167fd7bcd115e26f58d4

SHA1
12a33968d2e7e608d3136c56df9592ca301ff749

SHA256
5f3f1c4abe4d48e01e90b0a641b9e8991c424e6a221fdbb75b4df3d158060768

SHA512
47aef0c3505c6c3fb4bb315ea962e526f9820db4d0c3be5346f373a3fa30edd54890a530ae90b7beb184070f8e0277048788a7de13dbc0eb5d5e549825f66ebe

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
96KB

MD5
7010e55b38b3e4f83095bb9152d949a9

SHA1
78fe57710332ceb84845059e4a27ce346efa8322

SHA256
ab9706d754fd0cd9fd5b78064618d242a3f33fd5f6ef7fe6160cda95ca1e9a05

SHA512
ffe9e70b2ea1c732116bbb05f2964f19c54c3e91d0c71d03520256931d4e628c096476fbe20e17b0372ee717f6890af7e38a5a544cbfdc68bd77f3d5129f767a

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
184ac3f7ef159dd2f90c4842bd6a83fb

SHA1
b371ed34384ea53bd71d5d120c6f2cc3c6eccce3

SHA256
3cdcca5940be73ed76f59c4a1701f3ec5ba71678f75d2f1efd9639b5d5a3a93b

SHA512
e5b26eb0ca481f9d9a3a493b076631427dcb6c251e6c77cf362831b1b5d8ad3f90e3bb19fd3a71ec656afebef2d60eb4d25743dec14fffc13f53cd1c1de0781d

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
96KB

MD5
992c7faf0f2d4d76331b068bb1d67318

SHA1
901501aa91fdf0f9d77648e03f5f875dda750794

SHA256
2655a2a6254e28abaaaa0a855dcbe8ad71503557394b0635577afaff97637304

SHA512
ab6181cc688882ab6b09ac5169481979a91d3692fbee58500a16f88c7c48a7d41920efd6d6d8637a30fff18bc53d8059b9c72e250be9023f2ad15f3828672ace

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
96KB

MD5
f89582e40a88220abf8c1bcc9caa8826

SHA1
d7730bcba75e128437897957158fd98e51fd5a6a

SHA256
7824ce31de6ecfa701246920559cc0a16306cbb8acf62e754133d2b434f32fc3

SHA512
f698c7fb00ba63128c605caae1b20993d039c491e4eaecfa0588566b41f0e41362fcd961846cc626217da5e665afc1c3c27f1441c34f232daf63a50ac19f1c28

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
96KB

MD5
4fc2e7334ffbea4b1a494d37fbd64322

SHA1
87edbc0ddf5bab119ea115e352baf55708511db9

SHA256
21b9e78dbdbaf91193ee1de8a7f4a3672ca454a884b553bc60ae51167c3e6f93

SHA512
668276a5a5231ce461328b2de56979e8cb76e1f508354fff1a3969598e4996f98bc761fe58fef3bdf6f3e732dc802ba0ccdf5de272fe81153eba6ecf2b65dfe6

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
75e2709b2037e64ff66f607579774cac

SHA1
7495cfeb4b0df7159a839854181b1704240328e1

SHA256
f3567bba318146682001986134e8e0e5898f1018151ea8cabe9da00b1303c39f

SHA512
80a5f87213fe2f57cdaedbc6fae7426ca34a45fc70b69fa6f80eb6f6b914ced231ff80899a38aac8b827e6ccd57c8a3e3e3914a50a435ba539e2a110ab1fb9d2

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
26eadaf09ede2409911aca9fe925ea27

SHA1
5762398637c681dcd448f36463cb2cc04ee48de4

SHA256
3fe6fed0c17d9be1483c2e548b2283863895a2a3d97fc825293a54e025427baa

SHA512
a50df99e1ea8aa1009d3a821727b9b2d8b5e45bab1517a263018dfb8a09fb2f0d919bb47e9ac772c9e16d3f641d4db4be483ead883efcd45fbe91d4366fb2e21

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
64KB

MD5
d3618eb0b78540b8a515d95fd01833a7

SHA1
572ce537cbdd4f700c3d4cd3815b5e4fa6583d46

SHA256
c768d73fe23e52c8bad6708502477d0c5de18b61eeebc0f95c0b3d314708bcbb

SHA512
840be25bfb9f9e5a7c6913491b8e930e8210c4ee10ab915de778466e997c33ce3de1c2cf011739fdb23fc271e049af5be857a4dc16922fffb91106ad4908bf3b

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
1bf886b33befc0461449d3db468a112e

SHA1
ef088dabb87b577b08646967ba5e4e0415aef415

SHA256
1f0d25ffb539425360d19a2b8aedbbe24bcd9ee8502ed1151c5535772a0eed42

SHA512
d86a7b0fbc24e3d5da5f2105c427ec510eaae5a03779ae7bbe8c594be189013140188183354e99ed7fea40362b4e0c48dca6ecacb0a7f7912a097882cc4a59f7

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
96KB

MD5
303b72b6b85dcef7f29e1a89b74b4e4a

SHA1
a55dadb8573c14db3ac2daef8d82c2e3b7dc9e51

SHA256
f13c9667c80871c50af26acd49cf1ebc9241d8dad15d61d3c97945f6b0e5770f

SHA512
bde68938a8413c31ce36b5115c7d3152039fb6cd8a1b0a18148aaa366bc5047b9e66a05471a2f5d0d7155e3f46df1337bf9b785e714ab34472b5a6ecd46699a6

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
80ba36adeb3b5a652ac262c141e871a2

SHA1
bbe2afa88868669a51689f626f85d30731a2e2f7

SHA256
d2abff7b0eea54a9335f6456bcbc242e5c93dec0e424137d228dca300d3767c6

SHA512
1b917c0a9c0a872dd2d1ca7558d2a2618871ed4f6158e7ded4ca3c76e0a2acc8d097bad12daa9d92d0663e8ccb5d29aa5afe94721e0b689e2b392d5886354614

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
5fceb9ee489f2ba9e2504c809cd2cff3

SHA1
bed90673803d4194057764f2151483ee2c2b4120

SHA256
0c773bee09196ff1fba995592bf6d1f42bfee3686faf877230b489a9401ad4f4

SHA512
70ce7d9b876c724e4175edf54c654e8a37bd0d51b62623487133a4ebe3903c56f02f1c7775dd8bb41bb35e4b4c10317b55eed1cce1515dfc7cef3ef0acac7109

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
1ba05c82d2d318ffe6305ebd49b3c308

SHA1
8d340675026a1f74a99d62e1a711e5c0b6b0652c

SHA256
6beaccd8face1f02a8e3abc0ceea1169e3746e9a5136ed2753d5e426d280ffe8

SHA512
d0b2edab0245069cfc34969eed9d5d49652134b708a189f2743d6d6ca536e2e0db4b0e4bd820fe88dbca3f706094b08b56827b75e0c60d73e3757c639bcd4d6a

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
96KB

MD5
26fbb823deeda4a46e70ef6fc1c26f42

SHA1
688f020f84b623a77d5c31f7706078220fa36410

SHA256
b919753e36090ab51c77de655abc909289fa75afa0fef3fe57238263bc19900d

SHA512
64f16fc47823d4bc387abfa5c679baacd7dca61aa7e52717c0025c3d02698950eeca23d901ffa681db14c89d9efbcdabb1128a74cd216f1dbe150cd925d121f8

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
96KB

MD5
03428d0bbcc3b3a457f2e8591dc0154d

SHA1
d4cc387f408d34b297ae815c18aaadb2f2a10626

SHA256
9c9eb797877a537f8e60b9f135b16f81bbe6672fe7fe34ac1d5ca3e91faa7dd2

SHA512
b9988727d41e82668d57807070354e4f07b32604f4f95f4d79abaae71e9250f1f1e4d50547d9b12a39e5be5a994139112227e272015b6747883ae93d2c33f1e0

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
96KB

MD5
dd4bf265ae95d2027f77bf89b20731fb

SHA1
7b74798ba64fd53dd106cdfb98e3ffe9a44a5921

SHA256
fd521e132b5465e7062296158ea5ade91c464babb850006c2858d5bdcd4aa48f

SHA512
f75a05fe50263a5ad813fd79fb3dd04fb9dcd70bacfd033c0e4617442b958beb3f3f94cfc64629bfed19c4a614f2488b74c9040a724eec03e2e5a35d401b6d40

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
78f189daea34ac08291e0e0cb1b0881d

SHA1
5f3ddc5ca72add9a191f601a9547eb135bea329e

SHA256
6c1660ec714022ebf14f82a6c961dcdbb55eed04c62512ec38e571237d2bb00d

SHA512
7ebf4b4b68834c7130ba6f3e35cb31c54745e6315fef51b9cc1be9295d32fcc7896f715f675e02e5350d1b34fe064c4b577156ab6b4549489e45cf03e64dd9d4

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
96KB

MD5
88177270173663395741ae1d3d88f0e6

SHA1
420c31d9f9a318e5b9dc4c30dbd50f5c4e180884

SHA256
309fb134492b0788b98f2a514250338988dbc8245b3553421fdf7eae915d7db4

SHA512
8490b84bff4f98b374886bcf37f0a063e83d349130b190bde9f2145a682f0a30d79cd1f130fa4524319edf8bca01e32c4974cd22941fd377fc993476589c29b0

Download Submit
memory/1012-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1012-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1064-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1064-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1068-259-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1068-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1252-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1252-291-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1408-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1408-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1408-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1692-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1740-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1740-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1788-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1788-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1792-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1792-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1816-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1960-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1960-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2204-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2204-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2252-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2252-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2332-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2332-312-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2340-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2340-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2796-250-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2796-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-305-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3092-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3092-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3288-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3288-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3312-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3312-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3376-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3376-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3416-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3416-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3492-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3492-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3700-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3700-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3824-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3824-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3860-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3960-114-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4088-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4088-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4176-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4176-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4204-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4212-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4212-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4284-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4420-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4420-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-258-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4532-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4564-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4564-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4584-390-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4632-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4632-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4688-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4688-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-222-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4964-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5012-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5012-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5104-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads