berbew | 46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe
Size

71KB
MD5

4daeca0272366c9d8222f1b13fb13570
SHA1

afed8d0e7c005197f8996582678aee01d93483b6
SHA256

46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0
SHA512

b3e39e760e779e49f6034fe6524fa4ace5c6d8da36a1ecdd71e438387add009a32d3870c6221d0630000bf5fc36225f172963f9f628fbb7cc489149c64870d30
SSDEEP

1536:Xg63PrEByrlZ8BDRn+a6CiL2Ly7RZObZUS:QsrEMr0DR+aioyClUS

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mllaci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfbanm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbacp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aihfhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amdbiahp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmedbeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdeimhkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblmcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbkfap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqlofeoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pajkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pckdin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbekejqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfqgfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bimocbla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpnnakmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmpjlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedlea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nohiacld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piagafda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amaeca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmkaqnde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmkaqnde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcqgnfbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhbbegj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbjmggnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpnnakmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnagl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kldblmmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpepoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkaehdoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpgqgjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpbcii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbppmoap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbekejqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkaehdoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpadpnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digkqn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laoffa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpadpnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgjbcebq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keocjbai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laacka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moacqdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfbanm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aihfhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khpllmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lefika32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfplap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlqjoiek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pajkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbofbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcmcddng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klikgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhpeckqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmcgpcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omemqfbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dappgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mojmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcqgnfbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolaogdd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4484	Jpnagl32.exe
2312	Kblmcg32.exe
4564	Kifepang.exe
228	Kldblmmk.exe
964	Kocnhhlo.exe
4824	Kaajdckb.exe
4124	Kihbeald.exe
4464	Klgoalkh.exe
4828	Kcqgnfbe.exe
1824	Keocjbai.exe
5008	Klikgl32.exe
4024	Koggcg32.exe
3988	Keappapf.exe
4440	Khpllmoj.exe
2412	Kcepif32.exe
2260	Kedlea32.exe
2800	Khbibm32.exe
3348	Lolaogdd.exe
3620	Lefika32.exe
2356	Llpahkcm.exe
2004	Lcjide32.exe
4292	Lidbao32.exe
4380	Lpnjniid.exe
2376	Laoffa32.exe
2360	Llekcj32.exe
2952	Laacka32.exe
3408	Lpbcii32.exe
3340	Lcaped32.exe
3012	Lfplap32.exe
5112	Lhnhnk32.exe
4624	Lpepoh32.exe
1796	Mcclkd32.exe
1860	Mfbigo32.exe
736	Mhpeckqg.exe
4652	Mllaci32.exe
4424	Mojmpe32.exe
2348	Mfdemopq.exe
3708	Mlnnii32.exe
2648	Momjed32.exe
556	Mbkfap32.exe
2568	Mjbnbm32.exe
1500	Mlqjoiek.exe
2108	Mbmcgpcb.exe
4964	Mjdkhmcd.exe
1724	Moacqdbl.exe
388	Mbppmoap.exe
836	Mlecjhae.exe
4580	Njidcl32.exe
4272	Nqclpfgl.exe
4436	Ncailbfp.exe
1592	Nfpehmec.exe
4864	Nmjmeg32.exe
4860	Nohiacld.exe
3912	Nfbanm32.exe
400	Nqhfkf32.exe
1604	Nmofpgik.exe
3752	Nchomqph.exe
3932	Niegehno.exe
432	Oqlofeoa.exe
2560	Obnlnm32.exe
2324	Ojecok32.exe
324	Omcpkf32.exe
2680	Oflddl32.exe
4052	Omemqfbc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fgfcmbqp.dll	Momjed32.exe
File created	C:\Windows\SysWOW64\Qddcfahj.dll	Pbpajk32.exe
File opened for modification	C:\Windows\SysWOW64\Bpggpl32.exe	Bimocbla.exe
File created	C:\Windows\SysWOW64\Cdebhm32.dll	Bmmdoppe.exe
File created	C:\Windows\SysWOW64\Kffchbjn.dll	Mojmpe32.exe
File created	C:\Windows\SysWOW64\Abjdqi32.exe	Aahhia32.exe
File created	C:\Windows\SysWOW64\Apndjm32.exe	Aakdnqdo.exe
File created	C:\Windows\SysWOW64\Kifepang.exe	Kblmcg32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpemp32.exe	Omemqfbc.exe
File created	C:\Windows\SysWOW64\Fgmhoj32.dll	Omjfle32.exe
File created	C:\Windows\SysWOW64\Piccfe32.exe	Pbikjl32.exe
File opened for modification	C:\Windows\SysWOW64\Pckdin32.exe	Pmalldhe.exe
File created	C:\Windows\SysWOW64\Kedlea32.exe	Kcepif32.exe
File created	C:\Windows\SysWOW64\Pnhflm32.dll	Dpofhiod.exe
File created	C:\Windows\SysWOW64\Keocjbai.exe	Kcqgnfbe.exe
File created	C:\Windows\SysWOW64\Binafnin.dll	Ncailbfp.exe
File created	C:\Windows\SysWOW64\Ppbeno32.exe	Pmcibc32.exe
File created	C:\Windows\SysWOW64\Abajahfg.exe	Amdbiahp.exe
File opened for modification	C:\Windows\SysWOW64\Aikbnb32.exe	Ajhbbegj.exe
File opened for modification	C:\Windows\SysWOW64\Ojecok32.exe	Obnlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmcibc32.exe	Pjemfhgo.exe
File created	C:\Windows\SysWOW64\Llgbnicn.dll	Cmdkpo32.exe
File created	C:\Windows\SysWOW64\Cccpnefb.exe	Cabcfm32.exe
File created	C:\Windows\SysWOW64\Bknkdbpo.dll	Diihfn32.exe
File created	C:\Windows\SysWOW64\Mfdemopq.exe	Mojmpe32.exe
File created	C:\Windows\SysWOW64\Mlecjhae.exe	Mbppmoap.exe
File opened for modification	C:\Windows\SysWOW64\Piccfe32.exe	Pbikjl32.exe
File created	C:\Windows\SysWOW64\Jedbjneh.dll	Caijfljl.exe
File opened for modification	C:\Windows\SysWOW64\Mhpeckqg.exe	Mfbigo32.exe
File created	C:\Windows\SysWOW64\Mlqjoiek.exe	Mjbnbm32.exe
File created	C:\Windows\SysWOW64\Pmmcad32.exe	Piagafda.exe
File created	C:\Windows\SysWOW64\Edkkqf32.dll	Pbikjl32.exe
File opened for modification	C:\Windows\SysWOW64\Pbbnpj32.exe	Pijjgdlg.exe
File opened for modification	C:\Windows\SysWOW64\Jpnagl32.exe	46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe
File created	C:\Windows\SysWOW64\Pofben32.dll	Llpahkcm.exe
File opened for modification	C:\Windows\SysWOW64\Lidbao32.exe	Lcjide32.exe
File opened for modification	C:\Windows\SysWOW64\Njidcl32.exe	Mlecjhae.exe
File opened for modification	C:\Windows\SysWOW64\Nqclpfgl.exe	Njidcl32.exe
File created	C:\Windows\SysWOW64\Amaeca32.exe	Afhmggcf.exe
File created	C:\Windows\SysWOW64\Cbofbf32.exe	Banjkndi.exe
File opened for modification	C:\Windows\SysWOW64\Cdncliaj.exe	Cmdkpo32.exe
File created	C:\Windows\SysWOW64\Laoffa32.exe	Lpnjniid.exe
File created	C:\Windows\SysWOW64\Achqckch.dll	Mlnnii32.exe
File created	C:\Windows\SysWOW64\Afhmggcf.exe	Apndjm32.exe
File created	C:\Windows\SysWOW64\Gjggaiai.dll	Afhmggcf.exe
File opened for modification	C:\Windows\SysWOW64\Mbppmoap.exe	Moacqdbl.exe
File opened for modification	C:\Windows\SysWOW64\Qfqgfh32.exe	Qbekejqe.exe
File created	C:\Windows\SysWOW64\Cgjbcebq.exe	Cbofbf32.exe
File created	C:\Windows\SysWOW64\Ocepom32.dll	Ccfmcedp.exe
File created	C:\Windows\SysWOW64\Hmfjfp32.dll	Digkqn32.exe
File created	C:\Windows\SysWOW64\Gbddcd32.dll	Mllaci32.exe
File opened for modification	C:\Windows\SysWOW64\Nohiacld.exe	Nmjmeg32.exe
File created	C:\Windows\SysWOW64\Pbikjl32.exe	Pmmcad32.exe
File created	C:\Windows\SysWOW64\Iijjlflc.dll	Pcihco32.exe
File created	C:\Windows\SysWOW64\Idhfiejc.dll	Aamadpbl.exe
File created	C:\Windows\SysWOW64\Kcepif32.exe	Khpllmoj.exe
File created	C:\Windows\SysWOW64\Mllaci32.exe	Mhpeckqg.exe
File opened for modification	C:\Windows\SysWOW64\Lefika32.exe	Lolaogdd.exe
File created	C:\Windows\SysWOW64\Jmfnmc32.dll	Aahhia32.exe
File created	C:\Windows\SysWOW64\Kbjanacc.dll	46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe
File opened for modification	C:\Windows\SysWOW64\Llpahkcm.exe	Lefika32.exe
File created	C:\Windows\SysWOW64\Mjdkhmcd.exe	Mbmcgpcb.exe
File created	C:\Windows\SysWOW64\Gofhhaoi.dll	Bpidfl32.exe
File created	C:\Windows\SysWOW64\Diihfn32.exe	Dgkljb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5872	5740	WerFault.exe	234

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbnpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpidfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koggcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfplap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjdkhmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omemqfbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piccfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimocbla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifepang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khpllmoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcclkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgjbcebq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpofhiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcmcddng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbachf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmpjlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddlong32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keappapf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajalaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkhip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njidcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nohiacld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmcad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmggeohk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpahkcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnjniid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlecjhae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moacqdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpggpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apndjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adpgkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckkhocgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpgqgjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddolcgch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kldblmmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpbcii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlnnii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aahhia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbofbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Digkqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjbnbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqclpfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmjmeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhmggcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjkndi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjide32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcpkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmcibc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqhfkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmofpgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qadnna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aihfhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabcfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcepif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laacka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcaped32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolaogdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkanob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbikjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppbeno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amdbiahp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caijfljl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foljjfdj.dll"	Amaeca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bimocbla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dappgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moacqdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aihfhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgmoidqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbekbdoh.dll"	Mfbigo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keocjbai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfcmbqp.dll"	Momjed32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcqgnfbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppbeno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgjbcebq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlggenhj.dll"	Lolaogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhfiejc.dll"	Aamadpbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abajahfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkaehdoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkkqf32.dll"	Pbikjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcdgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbljmflj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbkfap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqclpfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbacp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhbbegj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caijfljl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfpehmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpepoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqkkcooa.dll"	Apndjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adlmpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banjkndi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmpjlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfbigo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjdqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmpjlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmjapg32.dll"	Bjmlme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfplap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogiim32.dll"	Mcclkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbofbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lidbao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koggcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbklhceb.dll"	Khbibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgmfbj32.dll"	Ofnajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpnagl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmofpgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpggpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpnnakmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdnde32.dll"	Nohiacld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apndjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkcajdkd.dll"	Klgoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpgqgjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opejfjch.dll"	Bpnnakmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgkljb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fochecqd.dll"	Lfplap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lolaogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niegehno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abjdqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koggcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeboehba.dll"	Pckdin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbpajk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhpeckqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadjbb32.dll"	Laacka32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4484	4748	46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe	85
PID 4748 wrote to memory of 4484	4748	46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe	85
PID 4748 wrote to memory of 4484	4748	46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe	85
PID 4484 wrote to memory of 2312	4484	Jpnagl32.exe	86
PID 4484 wrote to memory of 2312	4484	Jpnagl32.exe	86
PID 4484 wrote to memory of 2312	4484	Jpnagl32.exe	86
PID 2312 wrote to memory of 4564	2312	Kblmcg32.exe	87
PID 2312 wrote to memory of 4564	2312	Kblmcg32.exe	87
PID 2312 wrote to memory of 4564	2312	Kblmcg32.exe	87
PID 4564 wrote to memory of 228	4564	Kifepang.exe	88
PID 4564 wrote to memory of 228	4564	Kifepang.exe	88
PID 4564 wrote to memory of 228	4564	Kifepang.exe	88
PID 228 wrote to memory of 964	228	Kldblmmk.exe	89
PID 228 wrote to memory of 964	228	Kldblmmk.exe	89
PID 228 wrote to memory of 964	228	Kldblmmk.exe	89
PID 964 wrote to memory of 4824	964	Kocnhhlo.exe	90
PID 964 wrote to memory of 4824	964	Kocnhhlo.exe	90
PID 964 wrote to memory of 4824	964	Kocnhhlo.exe	90
PID 4824 wrote to memory of 4124	4824	Kaajdckb.exe	92
PID 4824 wrote to memory of 4124	4824	Kaajdckb.exe	92
PID 4824 wrote to memory of 4124	4824	Kaajdckb.exe	92
PID 4124 wrote to memory of 4464	4124	Kihbeald.exe	93
PID 4124 wrote to memory of 4464	4124	Kihbeald.exe	93
PID 4124 wrote to memory of 4464	4124	Kihbeald.exe	93
PID 4464 wrote to memory of 4828	4464	Klgoalkh.exe	94
PID 4464 wrote to memory of 4828	4464	Klgoalkh.exe	94
PID 4464 wrote to memory of 4828	4464	Klgoalkh.exe	94
PID 4828 wrote to memory of 1824	4828	Kcqgnfbe.exe	95
PID 4828 wrote to memory of 1824	4828	Kcqgnfbe.exe	95
PID 4828 wrote to memory of 1824	4828	Kcqgnfbe.exe	95
PID 1824 wrote to memory of 5008	1824	Keocjbai.exe	96
PID 1824 wrote to memory of 5008	1824	Keocjbai.exe	96
PID 1824 wrote to memory of 5008	1824	Keocjbai.exe	96
PID 5008 wrote to memory of 4024	5008	Klikgl32.exe	97
PID 5008 wrote to memory of 4024	5008	Klikgl32.exe	97
PID 5008 wrote to memory of 4024	5008	Klikgl32.exe	97
PID 4024 wrote to memory of 3988	4024	Koggcg32.exe	98
PID 4024 wrote to memory of 3988	4024	Koggcg32.exe	98
PID 4024 wrote to memory of 3988	4024	Koggcg32.exe	98
PID 3988 wrote to memory of 4440	3988	Keappapf.exe	99
PID 3988 wrote to memory of 4440	3988	Keappapf.exe	99
PID 3988 wrote to memory of 4440	3988	Keappapf.exe	99
PID 4440 wrote to memory of 2412	4440	Khpllmoj.exe	100
PID 4440 wrote to memory of 2412	4440	Khpllmoj.exe	100
PID 4440 wrote to memory of 2412	4440	Khpllmoj.exe	100
PID 2412 wrote to memory of 2260	2412	Kcepif32.exe	101
PID 2412 wrote to memory of 2260	2412	Kcepif32.exe	101
PID 2412 wrote to memory of 2260	2412	Kcepif32.exe	101
PID 2260 wrote to memory of 2800	2260	Kedlea32.exe	102
PID 2260 wrote to memory of 2800	2260	Kedlea32.exe	102
PID 2260 wrote to memory of 2800	2260	Kedlea32.exe	102
PID 2800 wrote to memory of 3348	2800	Khbibm32.exe	103
PID 2800 wrote to memory of 3348	2800	Khbibm32.exe	103
PID 2800 wrote to memory of 3348	2800	Khbibm32.exe	103
PID 3348 wrote to memory of 3620	3348	Lolaogdd.exe	104
PID 3348 wrote to memory of 3620	3348	Lolaogdd.exe	104
PID 3348 wrote to memory of 3620	3348	Lolaogdd.exe	104
PID 3620 wrote to memory of 2356	3620	Lefika32.exe	105
PID 3620 wrote to memory of 2356	3620	Lefika32.exe	105
PID 3620 wrote to memory of 2356	3620	Lefika32.exe	105
PID 2356 wrote to memory of 2004	2356	Llpahkcm.exe	106
PID 2356 wrote to memory of 2004	2356	Llpahkcm.exe	106
PID 2356 wrote to memory of 2004	2356	Llpahkcm.exe	106
PID 2004 wrote to memory of 4292	2004	Lcjide32.exe	107

C:\Users\Admin\AppData\Local\Temp\46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe
"C:\Users\Admin\AppData\Local\Temp\46f78cd25c9177e7db6d9440ed22dce84d27e1a7aa3d91ea992c5d6082daa3f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\Jpnagl32.exe
  C:\Windows\system32\Jpnagl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\Kblmcg32.exe
    C:\Windows\system32\Kblmcg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Kifepang.exe
      C:\Windows\system32\Kifepang.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\SysWOW64\Kldblmmk.exe
        
        C:\Windows\system32\Kldblmmk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:228
      - C:\Windows\SysWOW64\Kocnhhlo.exe
        
        C:\Windows\system32\Kocnhhlo.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Kaajdckb.exe
        
        C:\Windows\system32\Kaajdckb.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Kihbeald.exe
        
        C:\Windows\system32\Kihbeald.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Klgoalkh.exe
        
        C:\Windows\system32\Klgoalkh.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Kcqgnfbe.exe
        
        C:\Windows\system32\Kcqgnfbe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Keocjbai.exe
        
        C:\Windows\system32\Keocjbai.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Klikgl32.exe
        
        C:\Windows\system32\Klikgl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Koggcg32.exe
        
        C:\Windows\system32\Koggcg32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Keappapf.exe
        
        C:\Windows\system32\Keappapf.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Khpllmoj.exe
        
        C:\Windows\system32\Khpllmoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Kcepif32.exe
        
        C:\Windows\system32\Kcepif32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Kedlea32.exe
        
        C:\Windows\system32\Kedlea32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Khbibm32.exe
        
        C:\Windows\system32\Khbibm32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Lolaogdd.exe
        
        C:\Windows\system32\Lolaogdd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Lefika32.exe
        
        C:\Windows\system32\Lefika32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Llpahkcm.exe
        
        C:\Windows\system32\Llpahkcm.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Lcjide32.exe
        
        C:\Windows\system32\Lcjide32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Lidbao32.exe
        
        C:\Windows\system32\Lidbao32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Lpnjniid.exe
        
        C:\Windows\system32\Lpnjniid.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Laoffa32.exe
        
        C:\Windows\system32\Laoffa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\Llekcj32.exe
        
        C:\Windows\system32\Llekcj32.exe
        26⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Laacka32.exe
        
        C:\Windows\system32\Laacka32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Lpbcii32.exe
        
        C:\Windows\system32\Lpbcii32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\Lcaped32.exe
        
        C:\Windows\system32\Lcaped32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Lfplap32.exe
        
        C:\Windows\system32\Lfplap32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Lhnhnk32.exe
        
        C:\Windows\system32\Lhnhnk32.exe
        31⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Lpepoh32.exe
        
        C:\Windows\system32\Lpepoh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Mcclkd32.exe
        
        C:\Windows\system32\Mcclkd32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Mfbigo32.exe
        
        C:\Windows\system32\Mfbigo32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Mhpeckqg.exe
        
        C:\Windows\system32\Mhpeckqg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Mllaci32.exe
        
        C:\Windows\system32\Mllaci32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Mojmpe32.exe
        
        C:\Windows\system32\Mojmpe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Mfdemopq.exe
        
        C:\Windows\system32\Mfdemopq.exe
        38⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Mlnnii32.exe
        
        C:\Windows\system32\Mlnnii32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Momjed32.exe
        
        C:\Windows\system32\Momjed32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Mbkfap32.exe
        
        C:\Windows\system32\Mbkfap32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Mjbnbm32.exe
        
        C:\Windows\system32\Mjbnbm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Mlqjoiek.exe
        
        C:\Windows\system32\Mlqjoiek.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Mbmcgpcb.exe
        
        C:\Windows\system32\Mbmcgpcb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Mjdkhmcd.exe
        
        C:\Windows\system32\Mjdkhmcd.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Moacqdbl.exe
        
        C:\Windows\system32\Moacqdbl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Mbppmoap.exe
        
        C:\Windows\system32\Mbppmoap.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Mlecjhae.exe
        
        C:\Windows\system32\Mlecjhae.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Njidcl32.exe
        
        C:\Windows\system32\Njidcl32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Nqclpfgl.exe
        
        C:\Windows\system32\Nqclpfgl.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Ncailbfp.exe
        
        C:\Windows\system32\Ncailbfp.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Nfpehmec.exe
        
        C:\Windows\system32\Nfpehmec.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Nmjmeg32.exe
        
        C:\Windows\system32\Nmjmeg32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Nohiacld.exe
        
        C:\Windows\system32\Nohiacld.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Nfbanm32.exe
        
        C:\Windows\system32\Nfbanm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Nqhfkf32.exe
        
        C:\Windows\system32\Nqhfkf32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Nmofpgik.exe
        
        C:\Windows\system32\Nmofpgik.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Nchomqph.exe
        
        C:\Windows\system32\Nchomqph.exe
        58⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Niegehno.exe
        
        C:\Windows\system32\Niegehno.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Oqlofeoa.exe
        
        C:\Windows\system32\Oqlofeoa.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Obnlnm32.exe
        
        C:\Windows\system32\Obnlnm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Ojecok32.exe
        
        C:\Windows\system32\Ojecok32.exe
        62⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Omcpkf32.exe
        
        C:\Windows\system32\Omcpkf32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\Oflddl32.exe
        
        C:\Windows\system32\Oflddl32.exe
        64⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Omemqfbc.exe
        
        C:\Windows\system32\Omemqfbc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Ocpemp32.exe
        
        C:\Windows\system32\Ocpemp32.exe
        66⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Ofnajk32.exe
        
        C:\Windows\system32\Ofnajk32.exe
        67⤵
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Ocbacp32.exe
        
        C:\Windows\system32\Ocbacp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Omjfle32.exe
        
        C:\Windows\system32\Omjfle32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Opibhq32.exe
        
        C:\Windows\system32\Opibhq32.exe
        70⤵
        
        PID:912
        
        C:\Windows\SysWOW64\Piagafda.exe
        
        C:\Windows\system32\Piagafda.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Pmmcad32.exe
        
        C:\Windows\system32\Pmmcad32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Pbikjl32.exe
        
        C:\Windows\system32\Pbikjl32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Piccfe32.exe
        
        C:\Windows\system32\Piccfe32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Pajkgc32.exe
        
        C:\Windows\system32\Pajkgc32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3588
        
        C:\Windows\SysWOW64\Pcihco32.exe
        
        C:\Windows\system32\Pcihco32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Pmalldhe.exe
        
        C:\Windows\system32\Pmalldhe.exe
        77⤵
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Pckdin32.exe
        
        C:\Windows\system32\Pckdin32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Pjemfhgo.exe
        
        C:\Windows\system32\Pjemfhgo.exe
        79⤵
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Pmcibc32.exe
        
        C:\Windows\system32\Pmcibc32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Ppbeno32.exe
        
        C:\Windows\system32\Ppbeno32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Pbpajk32.exe
        
        C:\Windows\system32\Pbpajk32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Pijjgdlg.exe
        
        C:\Windows\system32\Pijjgdlg.exe
        83⤵
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Pbbnpj32.exe
        
        C:\Windows\system32\Pbbnpj32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Qadnna32.exe
        
        C:\Windows\system32\Qadnna32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\Qbekejqe.exe
        
        C:\Windows\system32\Qbekejqe.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\Qfqgfh32.exe
        
        C:\Windows\system32\Qfqgfh32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3996
        
        C:\Windows\SysWOW64\Qcdgom32.exe
        
        C:\Windows\system32\Qcdgom32.exe
        88⤵
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Ammlhbnh.exe
        
        C:\Windows\system32\Ammlhbnh.exe
        89⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Aahhia32.exe
        
        C:\Windows\system32\Aahhia32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Abjdqi32.exe
        
        C:\Windows\system32\Abjdqi32.exe
        91⤵
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Ajalaf32.exe
        
        C:\Windows\system32\Ajalaf32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Aakdnqdo.exe
        
        C:\Windows\system32\Aakdnqdo.exe
        93⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Apndjm32.exe
        
        C:\Windows\system32\Apndjm32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Afhmggcf.exe
        
        C:\Windows\system32\Afhmggcf.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Amaeca32.exe
        
        C:\Windows\system32\Amaeca32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Aamadpbl.exe
        
        C:\Windows\system32\Aamadpbl.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Adlmpl32.exe
        
        C:\Windows\system32\Adlmpl32.exe
        98⤵
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Aihfhb32.exe
        
        C:\Windows\system32\Aihfhb32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Amdbiahp.exe
        
        C:\Windows\system32\Amdbiahp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Abajahfg.exe
        
        C:\Windows\system32\Abajahfg.exe
        101⤵
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Ajhbbegj.exe
        
        C:\Windows\system32\Ajhbbegj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Aikbnb32.exe
        
        C:\Windows\system32\Aikbnb32.exe
        103⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Adpgkk32.exe
        
        C:\Windows\system32\Adpgkk32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\Bjjohe32.exe
        
        C:\Windows\system32\Bjjohe32.exe
        105⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Bimocbla.exe
        
        C:\Windows\system32\Bimocbla.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Bpggpl32.exe
        
        C:\Windows\system32\Bpggpl32.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Bbedlg32.exe
        
        C:\Windows\system32\Bbedlg32.exe
        108⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Bjmlme32.exe
        
        C:\Windows\system32\Bjmlme32.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Bmkhip32.exe
        
        C:\Windows\system32\Bmkhip32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Bpidfl32.exe
        
        C:\Windows\system32\Bpidfl32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Bfclbfii.exe
        
        C:\Windows\system32\Bfclbfii.exe
        112⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Bmmdoppe.exe
        
        C:\Windows\system32\Bmmdoppe.exe
        113⤵
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Baiqpo32.exe
        
        C:\Windows\system32\Baiqpo32.exe
        114⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Bbjmggnm.exe
        
        C:\Windows\system32\Bbjmggnm.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2008
        
        C:\Windows\SysWOW64\Bkaehdoo.exe
        
        C:\Windows\system32\Bkaehdoo.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Bmpadpnc.exe
        
        C:\Windows\system32\Bmpadpnc.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4444
        
        C:\Windows\SysWOW64\Bpnnakmf.exe
        
        C:\Windows\system32\Bpnnakmf.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bbljmflj.exe
        
        C:\Windows\system32\Bbljmflj.exe
        119⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Bifbjqcg.exe
        
        C:\Windows\system32\Bifbjqcg.exe
        120⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Banjkndi.exe
        
        C:\Windows\system32\Banjkndi.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Cbofbf32.exe
        
        C:\Windows\system32\Cbofbf32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Cgjbcebq.exe
        
        C:\Windows\system32\Cgjbcebq.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Cmdkpo32.exe
        
        C:\Windows\system32\Cmdkpo32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Cdncliaj.exe
        
        C:\Windows\system32\Cdncliaj.exe
        125⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Cbachf32.exe
        
        C:\Windows\system32\Cbachf32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Cgmoidqn.exe
        
        C:\Windows\system32\Cgmoidqn.exe
        127⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Cmggeohk.exe
        
        C:\Windows\system32\Cmggeohk.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Cabcfm32.exe
        
        C:\Windows\system32\Cabcfm32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Cccpnefb.exe
        
        C:\Windows\system32\Cccpnefb.exe
        130⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Ckkhocgd.exe
        
        C:\Windows\system32\Ckkhocgd.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Cpgqgjel.exe
        
        C:\Windows\system32\Cpgqgjel.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ccfmcedp.exe
        
        C:\Windows\system32\Ccfmcedp.exe
        133⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Ckmedbeb.exe
        
        C:\Windows\system32\Ckmedbeb.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Cmkaqnde.exe
        
        C:\Windows\system32\Cmkaqnde.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Cdeimhkb.exe
        
        C:\Windows\system32\Cdeimhkb.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Cibaeoij.exe
        
        C:\Windows\system32\Cibaeoij.exe
        137⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Caijfljl.exe
        
        C:\Windows\system32\Caijfljl.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Dckfnd32.exe
        
        C:\Windows\system32\Dckfnd32.exe
        139⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Dkanob32.exe
        
        C:\Windows\system32\Dkanob32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Dmpjlm32.exe
        
        C:\Windows\system32\Dmpjlm32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Dpofhiod.exe
        
        C:\Windows\system32\Dpofhiod.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Dcmcddng.exe
        
        C:\Windows\system32\Dcmcddng.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Dkdkeaoj.exe
        
        C:\Windows\system32\Dkdkeaoj.exe
        144⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Digkqn32.exe
        
        C:\Windows\system32\Digkqn32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Ddlong32.exe
        
        C:\Windows\system32\Ddlong32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Dgkljb32.exe
        
        C:\Windows\system32\Dgkljb32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Diihfn32.exe
        
        C:\Windows\system32\Diihfn32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Dappgk32.exe
        
        C:\Windows\system32\Dappgk32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Ddolcgch.exe
        
        C:\Windows\system32\Ddolcgch.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 400
        151⤵
        Program crash
        
        PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5740 -ip 5740
1⤵
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakdnqdo.exe

Filesize
71KB

MD5
12d013fb33bccf74160572690a010025

SHA1
327854a8b69d507ae6910dd5414a810b71706496

SHA256
bba35b6b2781e00cda0895a421b572c0fbf1f1f6faf3d51be43bad0c0f1cd19a

SHA512
a7e11cd5b2430499079db06a841a732e724ed43df2ff843b61e5fb2fd8a893d1ded50e5e707da7adf61526b9767430d38e2c7b8014a0435bee2b0ba5d8bbd6fc

Download Submit
C:\Windows\SysWOW64\Abajahfg.exe

Filesize
71KB

MD5
1c0a225807565113118232d5814e36fc

SHA1
e40fa961099277388d3b7575a95f936ad396ded3

SHA256
1503f427bf0d7834dfffbfcf5252d639123a1c82d3790619b1ace42a0084da40

SHA512
7961ad08343b643f506ba21991659ace46811da94c69742d04bef2b991c5a8a581bf63c65387e433f13e958b98cf7e8d7cf05c2f48d2adc9bc2b3f7ae613caef

Download Submit
C:\Windows\SysWOW64\Abjdqi32.exe

Filesize
71KB

MD5
a93721ecfcb75bb35388d780040d15da

SHA1
7da4c382c807f1a54f9249cd4f522bf020a21c20

SHA256
87730e183775de336223ee543a48239ef53c1bca12a80f13c76ddcd867f6bfaf

SHA512
7dc379e1f0b7e8655e611f6b0d3faae6d511c3203587708d2b986273823c82e886e22df2749b11f190b1d401779526406beab5aea80c01869c66caad27e73af8

Download Submit
C:\Windows\SysWOW64\Adpgkk32.exe

Filesize
71KB

MD5
da55ee931d61c57e9b48f8e9456f429e

SHA1
6fbd493095637eb6913eeb2ea24c9e7bc35f3e52

SHA256
6b435133751a6c48642f50f9f14b9d798510ed11289d15cd23f2bc6c5b0d5d0f

SHA512
edbe0d06f7780e6dfd93caaa80dc011aed41c694bbf72026ccc0e8a7946bc7b6a4b13441e394c6b38aaf4da4281c03b28e9db9dc365bce689d6c9a1f5d984e76

Download Submit
C:\Windows\SysWOW64\Afhmggcf.exe

Filesize
71KB

MD5
34e0d35afd52567684e115b83effa4f1

SHA1
20ef3349c21d6e4e70db34dbf150a6ed28ebf09a

SHA256
ea8ef7aadd3549c9b9d690dd0c172fb6a4a86aebb108e73134898337fa0148af

SHA512
914c6059e4170f5fc5e127cc40c5d61b3f81939163ca22da5d5988e00c64a1de0d61b67846f3e709cb29189317c4ae0d555345b43095570c97da4481636ef2f1

Download Submit
C:\Windows\SysWOW64\Bbedlg32.exe

Filesize
71KB

MD5
7ebf354a87988da2def723d9eaa0e21f

SHA1
ae20cec7c183bee2ca2777ca927cd6c1be7575c8

SHA256
82d371c91d12ec2661e38250ba992e134b81889393c58a01ef6ceeae297857ea

SHA512
4b3a2256e9c2ebbd023c5f4b0e4659c86ec805421499dfe5e22dccd37d041c834f588cd50ddb752049e89b1a07b72ed826a283e426cfc1bd011b2160b0e233c5

Download Submit
C:\Windows\SysWOW64\Bfclbfii.exe

Filesize
71KB

MD5
13b500b1744402b13a1bfd511b1ace61

SHA1
e4490c51887b8f642adc76d89a084e120ffc7701

SHA256
2619ac49aaf45dcf15ca05eef240e9ae2558e5daf3274711c5e1fbaa21d39b89

SHA512
5e884324c7d57e79b72f0b399280f6757290a8cbac2c6cbd4ecebbede74fec8d8816dd74d11ed41c4aa2b436465d5e061d36e463f6d2206841ef97be409a3e9b

Download Submit
C:\Windows\SysWOW64\Bifbjqcg.exe

Filesize
71KB

MD5
e50514015745d5dc5625fa3cef4799c5

SHA1
9264e35e6eb3136f4957d4a904c351196314b140

SHA256
9a52d87880097e17a7d9d25d5a443fc6f4642f4a6bdc612764fd0fce54078aff

SHA512
57e3eee64dea37b0e1806a192f5c435ccf6493eb7830a821e546bbd80082dac4e05bda2f33e8bb6395ff7920d2d7605cf949ec90132a2d4e92cec25fd8894b51

Download Submit
C:\Windows\SysWOW64\Bkaehdoo.exe

Filesize
71KB

MD5
d99012eb36be2a79069fce4552886227

SHA1
9184007838618f9173a051ad2f5a9bf5a2cbcd2e

SHA256
cadbbec87726b7079f521afdc7b5bc4a9b6af30e577ddb6ec656093dff1d60ad

SHA512
5f7b3234c775af9de596717dcab0851913384e2b33b9e4c1116be8b167db0d12d598ee8bbd307b436a0d4334204eb567420d26614e7e13c94cee562b6ae8d785

Download Submit
C:\Windows\SysWOW64\Cccpnefb.exe

Filesize
71KB

MD5
0900a445f65da849a64bbe3615fde08a

SHA1
e8513a4f63bdd2a08d5ddaf965e4e1258968bac4

SHA256
3aa0ca3148b76ded3610c768d6f9f58f939e0797f8f251991256a73210cb74a0

SHA512
b6453b1bbdee767acf3f15dc81fbbb94c686520ee5514bf0d34eafe88b411477a403c3bc79069e270bade9e5356bb393ca511ea43bbdfd6959f0b398ab03c238

Download Submit
C:\Windows\SysWOW64\Cgmoidqn.exe

Filesize
71KB

MD5
8662c6522bfdae742d91bc773af4f843

SHA1
696ed4508df3c4326d0938adfdb5a3f52a3f439e

SHA256
51b2f3a1e9d4c0108c56ce4332a0e033c1cd18b00457fbd7897497f94e365278

SHA512
7f7f3c13d084eec20a61434be047b2b74df11b32904b103d8723a3fe61b2cba66ddeaeb9393186994533b2551d4fe2d688cfc8b20de16b239eb5c235c6dfc0bc

Download Submit
C:\Windows\SysWOW64\Cibaeoij.exe

Filesize
71KB

MD5
2f24585e986322e8e83a859406810dcc

SHA1
d86befd85790895b899a1ea33011ea9eade065b8

SHA256
6179db6a6c48273ed1f7ab5fe7f386758e95974f6862122f4772d6cceba918ad

SHA512
529db9485e66d6373d693afc33111dda905d22645af2fe094fb6a0f5918c8d9efac6f4c9c31cd854cb0e480412e6b2d6b1947e49d49bcf12ef82dada8612a3bb

Download Submit
C:\Windows\SysWOW64\Ckmedbeb.exe

Filesize
71KB

MD5
d692d6e857dd0c4989d30e34959a97da

SHA1
fea56ad48fd2984e044a84a3aa3b37688d08ceb1

SHA256
f22d380372309fca893e031bd4f8a142ad3e8e2e159bb17ef84b706cea5ffd38

SHA512
411d477e58c959f4dc8abc0d8f70f177a6c3bc6f307eb5152c23ebabbcbcd6116e455bd57ae004d980b60d1b699c6212b08794fb448f200bf3668686588df839

Download Submit
C:\Windows\SysWOW64\Cmdkpo32.exe

Filesize
71KB

MD5
982bfe9ebe2c51e83c6e8e806b99a060

SHA1
1243a91a03c118d8b8dde41032f8a268c04f4cb6

SHA256
17d477b31c3dc17c44f8f88bed768298683715beee648323010d31b5de1ab282

SHA512
40d9918fc63f6604077a36d8230aa8264fa06656412059934ff57c25299cb90d923cd0fa6f4914ee4c0626ed29cb94f96c2abb176258c63c9d1e14e78cc41d88

Download Submit
C:\Windows\SysWOW64\Cpgqgjel.exe

Filesize
71KB

MD5
e0481295f2e17b0619def2ba2f432402

SHA1
12dbc46f7d263e78262f493a2fe8907e229f6ab4

SHA256
fc92a37758f54bea25af9d741b2cebb640b7ca00e133ac95e1a525718e44af5c

SHA512
ae1058552727b176a3ff62034ad9e51e1bcaf2d118ac8b6ba250c81dd038125750590d5a4e156cb33d30e54353e1f9f379109cc422b3bdaecc42100618d2282a

Download Submit
C:\Windows\SysWOW64\Digkqn32.exe

Filesize
71KB

MD5
a7b3d6b280b256daa20e6493179680b5

SHA1
2a6cb7202feb5491a732fa1732e10ec9ca526e7e

SHA256
10b8fbe703689b5689d88e6b98e92e205c6ac50223a28731a0a1569c0d793154

SHA512
fc2f97cf488a62a50b31ec65a27bfc9601f80f2b92d871bedd60b25c0dd2bfcdac854fecfd4d88f0373752e293fc2c573e839bfe6bd5f2c97c3fcb51032e0b87

Download Submit
C:\Windows\SysWOW64\Dpofhiod.exe

Filesize
71KB

MD5
3ca4d671f4361806bdc146c923afb6df

SHA1
b74aec42f6e4ef86a7d10a82f0194834523d17ea

SHA256
56d65ef1c4ff9d2ef4b5c1f20b355f8bf0722678f10f839ed2710f9c1781d0d3

SHA512
e6975f7c239e5c98f718a6bf6c28b6ec27deefeb17538240281902c02e35bb60cd828dda92f2f7b241c4e604973b27f4bb61b7f2c520b79ab4694784c9059109

Download Submit
C:\Windows\SysWOW64\Jpnagl32.exe

Filesize
71KB

MD5
6114c928723c10b24960f9116d078d56

SHA1
77b7498e667410b4756a1014f88692a0cc3daef1

SHA256
4980a294eb552d56211e1dec00d73af0f3ca4a1eb8c18349526071be76dced1d

SHA512
9e7db352e48400a7c8810ee7c07c057a95b5dd5d2aa319913bd1de8d90b3773ca1376cbcadc0f5e9f9174f9c20fc99a4e449bd941f090980dc5dd90b6a0e120c

Download Submit
C:\Windows\SysWOW64\Kaajdckb.exe

Filesize
71KB

MD5
08a8353c9af7898098102d5663b0c695

SHA1
60cdb8ba5f76177602601989aa1589b1842c4a48

SHA256
e8028170f4661c07df4cebb80ec2b83132efd9ae047ce387f43f7abfbfea015c

SHA512
0a298b617c0c2b32f216b377c09069c58c7059fceeeb49212db63f0ce8d8d1b6aac2bc33a28062179579ed089afbe690b237a595cb0bf1ee370dd1aaf3ee4ad9

Download Submit
C:\Windows\SysWOW64\Kblmcg32.exe

Filesize
71KB

MD5
5c38869f9c47437e006fce01674e3818

SHA1
cc34d75f6a048e1125935bcf64965df2044c5191

SHA256
b113b5754d99e4ef6ed51b6157919e1ff6641b7a6db5eeb747dba384acfccaae

SHA512
b7fe0e47e4beb437f0c07feb0d09384c3901fab617e1ae44a03dcbb2d17dc4e481f70eb3dd56c61ba57a3e9cf7323270cf80b2e4b5234d4627686a4a66f1656d

Download Submit
C:\Windows\SysWOW64\Kcepif32.exe

Filesize
71KB

MD5
286be9ba4045587f35604f3b2ce902d7

SHA1
c489596d88e642a247c705e8feeb3af2b558efa7

SHA256
2b704ab89057048b9f94d908285f8c27e36e16561ebdb238747bb7fddbacc12a

SHA512
60fb461fef73811a9261fd7c238ed6acea48d3667b63ffc1037ccc83510948843507407188547b56b6a95d195bd40c38a889858b7a89d3944104991fe5b400d9

Download Submit
C:\Windows\SysWOW64\Kcqgnfbe.exe

Filesize
71KB

MD5
d225b4befb06e0b4e970b53d2e9b2e97

SHA1
64922e8002698136f51a26ab9ab9200c9ebc09a7

SHA256
2ad2501450106f0fdadf6fe1e86876c1b0dffc8d1959875946ca8a217cedef4a

SHA512
311cf727c2868862fb3633e705ad6870309f6e6de4f81f5421c9cb53c4cbf21fe5b5927450d60b619c0d1240e3124293ba57d539abb0d2be035347a6a9670a03

Download Submit
C:\Windows\SysWOW64\Keappapf.exe

Filesize
71KB

MD5
ea5ae83e4815eb23659b507985792a3a

SHA1
d98e3514e50e7b63f63e2b7bd151069737b78614

SHA256
6263aeeb9919a04e5c4933e3cc4f20f553d5e3f0f1d228c53f1503945854e201

SHA512
4ca8a1c2ba765889d904fcc0f0c1ab9bbff5d843f619baccaf36bccf6f62899c77b8700effdad0623f04d5d1f59dd32272a7adee2e57b26e14f15550189feda0

Download Submit
C:\Windows\SysWOW64\Kedlea32.exe

Filesize
71KB

MD5
c11d9a1a8c7eb6c2d1968ec7325c6e15

SHA1
aa93edc83a20eddb7513072f0370ffec55119fa8

SHA256
224b0e2328f6645ddfe7695c9af64f803372358065d314435fa74eb7c9e27aa4

SHA512
82780b62470d2414091ffa3fece87582cf12901681c58b9b1ba754355c273a7640ded68c3b03c77791a0f23a26ba426f1f943e458a85330782e7fcbb17d5a097

Download Submit
C:\Windows\SysWOW64\Keocjbai.exe

Filesize
71KB

MD5
536b47ac8ceb58bf0e5a7b4032f6d07d

SHA1
89fdc274880ce45b5d71d7f8e8c11f09d4d6ec73

SHA256
e34fcb2f76cc461af30e7c2ddc4c2f6b23ccd576d8084d3ede7d32f89cdfb6cf

SHA512
d55923b55d65248677816a93d7e800f03f54541026e3fb7fc707cfca68cd6b3abc4ca4b3baf7de2bd051c066407e0b7b96083739d6c29d6fcff8f9cabec15dde

Download Submit
C:\Windows\SysWOW64\Khbibm32.exe

Filesize
71KB

MD5
08a37893929406b4bd8da50682f5359b

SHA1
966bd30fd124810f68421bed275794523893a17a

SHA256
a3b8d78a9654551e2e3d9c2a81198755de27bf2bee5b45042ef182c93f9eb8c6

SHA512
58b20b6a71f2576a540f70eb744fdd14fd47c38140ce573a87f038d6fe31c56cfa68c0927f0e54c622b0fc34369eaefa396714b3d6f22787aaa4368c20b277b0

Download Submit
C:\Windows\SysWOW64\Khpllmoj.exe

Filesize
71KB

MD5
c55736285a61516cdbbe262f8cb89b3a

SHA1
51cc88ec0058d9be8701d7d344623b52ae165eb0

SHA256
aae87e43b2585055e0931d3f6919e40e4acf094ec7d733988cc8b3fb48f168b6

SHA512
4b232e46feba108b824a5aa7f3634a79d1358a47e069b9960aecb21bf99be9447a3c18b894ba94be1a1c3519dd3ad676370e1f05d80fdc81bbaad374b555462f

Download Submit
C:\Windows\SysWOW64\Kifepang.exe

Filesize
71KB

MD5
b0828afb8857f37022a533e2bf522e58

SHA1
f3134a53f1d344e5151f4e42b171b72ebca8e501

SHA256
935306a059939ef99107bc752a36e3289cda1c4096c1ccac615990759aeb9fc4

SHA512
f2201e2acf5611f464986a25c82dd841ea555ecb6d52e3e388f1404760622e3c63156037c2f4104c0efed06a4ead10d6783f3cdbd26546bf0e4cb876f73547e6

Download Submit
C:\Windows\SysWOW64\Kihbeald.exe

Filesize
71KB

MD5
c8ab9f5de71ba8b82fb64caca62e0c67

SHA1
58cdbddc67d25a1a46e87c754d567b1ace8f5942

SHA256
be9ebd285a20367ab7ccc6cb707be2c0782b7ec65f8a7fca109a49caf86db789

SHA512
cdb469bd44fd04650915e5a1368dfa258add6bb887ed9a7a97ae321edfc0864b32e80cf3ceec8ad138ae7cdcbf33b87425f2be6e9aa265370dca27ef9d2097dc

Download Submit
C:\Windows\SysWOW64\Kldblmmk.exe

Filesize
71KB

MD5
b83bcc23f2b41d611761353c5e852d8b

SHA1
96220e552264f942685c11033ba56736abd38163

SHA256
1ef230ef5f2ba8821e6e7bbc57ce5c3a5cec0e3737415a83d9bd67d33c76fac6

SHA512
24146b44f89a4bf36a31d645bb9b2d906209e5131cd11ef38a64c01d82e04f414173cc9218899bcc6efb632a95aa9a2540f7267e216e2c27fd973dd29e621d4f

Download Submit
C:\Windows\SysWOW64\Klgoalkh.exe

Filesize
71KB

MD5
e5429afd6736c11c73dc3f50fdbdb6e0

SHA1
231607ceb7582916aaa984a07af277f76e29b390

SHA256
6acaaa3700401acd9d39664a606c642df62f8c205cb22b6f0362f3fba697d63d

SHA512
9d005ba991f7c9a95251c269922c7750c9b594adbcd43c4b56a6035c383cf827f44234ecfbddbee5f8332b077ca1a0c95f690f021846e7847c347e507e779489

Download Submit
C:\Windows\SysWOW64\Klikgl32.exe

Filesize
71KB

MD5
5b1a83d1da139e9f3f9f27c9ecc334fa

SHA1
3bbb9635c5ec5605c15948d4346d4a79419ab774

SHA256
b8a8aaabb1a0ccfdaced89f70d79c9bcc6d25954e3a81038e28f7049b32c950d

SHA512
b78b2a3dfb6c4458f08a5e26d3f60b5975ae242bec37d499c3dbd7a32211095542ef1bbed635bcb67a0e063b1b595875625d43bea66d899c874e503c0420833b

Download Submit
C:\Windows\SysWOW64\Kocnhhlo.exe

Filesize
71KB

MD5
86d4e0ae5f7afb030fc64e2d28f7bd79

SHA1
625a8f4aad9ed6f01c1cc3cbf94cff0e435f741e

SHA256
0de888079107c44f20db6c546c7b6a21ccdfb5722e54d36c8bc9eeb210f16ca9

SHA512
0c32671d878d16d0bd07564928254774e49c4c7a1d404b54938ebbf80c70c7d888b2b807d01670ff7b96a8f293794db8f15c0b57b8312072593d3bb225eac5ea

Download Submit
C:\Windows\SysWOW64\Koggcg32.exe

Filesize
71KB

MD5
ba550705d043a678089b611037861985

SHA1
44e2bc0fa2e34f277b2d76c862a44565af3d4838

SHA256
62d3a50aa0e011ecdf4ece4a5cf714abbbbad81842685b1b4821d4b39c2ffc4c

SHA512
2e4f51d0b9f41e193e63f207dddc85d61d90f5f158dff2e7f4f107d1429dc1c7ca885437f525b8ad68d7b62d1cd9de5b69c6f8fe0e46eddc8f46d6e29e936531

Download Submit
C:\Windows\SysWOW64\Laacka32.exe

Filesize
71KB

MD5
a0e011b7438e19089dacf986e7fbeeea

SHA1
e9099d0685a035d867d633b661666be6513a51bc

SHA256
9adf314d818af7605da6be695bf758872c00f5ee2885550504da18f5c90913e6

SHA512
e3bd9dcd6a46cfd506d885ce8ba1260a4f673877389d8a633c46c04d16c1370ec8f52360c0d5c8f118ce1eb0d398391141f825963a59a243d68ed655ea7561f8

Download Submit
C:\Windows\SysWOW64\Laoffa32.exe

Filesize
71KB

MD5
6f82cd64961a17cee31130aba9d2ed73

SHA1
292c96aaf8cd91c3ffa0247345d703f7761a4ac5

SHA256
984574856193b56c4a634a72ca18066621ec08d9f1a05ded13b220c98234c8b2

SHA512
f13c254a28926982ec1132e8c6b0b87ce119997585b5d4427510e33fb5e9191265cf39089fcbd16d30c2f07391922a58eda3fdebcae06e43f0cc16b244c7531b

Download Submit
C:\Windows\SysWOW64\Lcaped32.exe

Filesize
71KB

MD5
c8532a10ba81ed5b0a245252baece4f7

SHA1
61f76193ba5cc1610d06a31efde905a7ec83306e

SHA256
335ad079424d08d62707bf5c24132599125325dc80911097ea04fe58031a24ba

SHA512
168be5fac4e6f9c7f7b132f634d9a493ca26946f57f17a655e18bfe7a8c44f6c18b02eb9d1351730ec52fcb1c844902772ea4a141b14bbf05d769edbb08e4e42

Download Submit
C:\Windows\SysWOW64\Lcjide32.exe

Filesize
71KB

MD5
dbac059a42f33e87bed7bf199a0ab3c2

SHA1
0a39f806fbab40eff430b9f5c31da5e307efda9c

SHA256
2d4233c4b98062ac66c489e0c6551c31966376ca8e4d821a6154d8dd67ed1b23

SHA512
8e63472e19cb620bd14ebf175d4401aa684491a8ca564f532d91854521f1b4e9707f1260a03b6143efb7fcebf55064ba990fd564b7fe60055f3a7832642f3442

Download Submit
C:\Windows\SysWOW64\Lefika32.exe

Filesize
71KB

MD5
f4d9596fc0d0cc60167e28a3930830ee

SHA1
cb46f79c018572a891cc10261d3d9f0f85fdc1ee

SHA256
3de55bd6ff39317160b2c05732ca98f4125462f70fc99481957292fffd2f815c

SHA512
ede65f2f238120e36a28f4a53cc28a29816854d4ac63ce8a568ad58ccf33486670ae18dcf40b16b0b07cb863fc4ad4b5c422d8bd82290e88e517c080578bf6ce

Download Submit
C:\Windows\SysWOW64\Lfplap32.exe

Filesize
71KB

MD5
89f56e9ac0b5f80a758a87d9320a55c4

SHA1
77c283f9aae7ff28ea919eba95d878098c32aebc

SHA256
4999a0738d07ff0e33008c396ad5faabdb52f0b9e9773bd9b16dac1cc76b4006

SHA512
699f1cf1d119da429d12cb1568ecacc23acb3b60c9ece3e3997a165a0bf0568bf7473fb810cf0b4d450effbc7dd1f9e44564d0fa305335096edff655d4287afc

Download Submit
C:\Windows\SysWOW64\Lhnhnk32.exe

Filesize
71KB

MD5
4fd4135e9da00d60c1f106e6c4af2c65

SHA1
ae907f451ee775489978acac704cd5165428ff03

SHA256
64e465c6a6f360c98619b24512c978b01903ea0969a8cfe6f88c40e9d3c2b357

SHA512
429469b662270fb02c456f658128dce3d9eabaae33f92c78462c41af1e77ffa3524a072edc13271b58d88e8e046fec8baf72e6ec093b7b588211359c37ad38a3

Download Submit
C:\Windows\SysWOW64\Lidbao32.exe

Filesize
71KB

MD5
9ef4bb2dd81a1b7356b9b7dc3e91c708

SHA1
7013738d66659897a09d4c59aae841d18ba9f0d9

SHA256
a0a54c5b2475db48db32246056034f843f089c419dd60352699b0154843d0a06

SHA512
587b0aa2209c3b080c6970a8b17e767943e25543b6987b649d9c3fdcc6b5dd06e88c132615d358c0056e73c891771382f7030fd1adda90008e1c3574a69a11b5

Download Submit
C:\Windows\SysWOW64\Llekcj32.exe

Filesize
71KB

MD5
1db31e75077e574eef490f6d6a130c7c

SHA1
11177265806f5b1160358631c8c4e5d48752556d

SHA256
d2e4d211677764970b2e11ff33995f983f52b20feb22655b5677f770963a4d91

SHA512
bfeb4e68b1f3d5b15a22f16e4e1990dfaf91292d948df97070f9ef99b4f0145ee4675e99c1eba30a84dba507ac60bbba5a96b389776386bc79da62e291ac25f0

Download Submit
C:\Windows\SysWOW64\Llpahkcm.exe

Filesize
71KB

MD5
7a6bcf538b83b3f4eb3078647ec1d6c6

SHA1
a6ff5cd642480d6fb58ae79a7fc7a06ca167f5d5

SHA256
ae45e02c67c23405254cfe8629231139a9a2f11633654de0d6d0289808b99126

SHA512
aa52105be8dfaaf5df45f47190d5a8bba1aae590ec4257362b82eafe0f775182300db7a16b9cd275adbd2bb989de83e8d38ebc747a41139224d6dd4abb1b8d82

Download Submit
C:\Windows\SysWOW64\Lolaogdd.exe

Filesize
71KB

MD5
239399f8027a39979d880c6d7b89e895

SHA1
01d0bf0a480a470b088cc912594a4f4b27b4ac94

SHA256
62028c998a3b35254df99dc2f09d94ce279a54fbbd8712e6b2f4ca9e610fa2c5

SHA512
02c89c253af5d1b25427197363ff7dee451107f9c850da7c9e9bde052cdb0b88e41cd34cf0e41a78658eabe4027ea6734c6118fd9fc9ee130b1722bf42109db1

Download Submit
C:\Windows\SysWOW64\Lpbcii32.exe

Filesize
71KB

MD5
928d01654d154f314b04531ba8b689d9

SHA1
a8d4c4fa6636b8cc375ed608f29e6f9b6c4ffc33

SHA256
a57a9731a64b53b053fa9745db2343990fd4bc36bd28248ef6bbd3afb12f19f9

SHA512
1a38c66628c011b5174cd4b25683b62fa34b1b2bb4dbe57415659fc7b5466bd6a8fe0f1eec4c5085f58922ed30e23bcdf254453af75b811fb6233768b12811d3

Download Submit
C:\Windows\SysWOW64\Lpepoh32.exe

Filesize
71KB

MD5
feb19ce8399d3e2abbfd8bb994a90f54

SHA1
d4686cbcd03f1039ab1876476049178905b6c2fb

SHA256
74e003d60c53120482c711a09af548954eee692bc04d2b1eec6678129f95804d

SHA512
7c713242a64ad9a457598c5bfb7f6a81e304a058856171cfcb28debfe8a3f23c2469f2d594ba274a495b734295af80bd395f6313f7a3a9cc74a035b50d746e45

Download Submit
C:\Windows\SysWOW64\Lpnjniid.exe

Filesize
71KB

MD5
38e9e67acbce52719cda886ff27a15bc

SHA1
b61164e823199bab5516451ce16a5afc3481eb84

SHA256
3c182903af6039966042e843b4314300bec4b48dd1da15145b6d04a761a26ab6

SHA512
33402f4f33459954b0432af1b96f5535182fb82a2140ba09260b69d791ebdf41f6b080a9f61ed2d47495ce6664b92f226da5ba7ac333bf86ecb793cd73352168

Download Submit
C:\Windows\SysWOW64\Mcclkd32.exe

Filesize
71KB

MD5
98f840396ff31f564c39acf69db96c19

SHA1
f6685a22a33c59b4fe50401731cb596ab6c4cb98

SHA256
440f441111b91435fdf9bca4b5d52a879b04f36fa4215177351ad98b5ddfa74c

SHA512
6c0cf39a50d66cd8f55f0432540255399bd3a6e64af75254f6eb67ea260eefcb6815c7a19ab1f87c03f00cb7f0fa66d6bf9b7b9738678ae5619b65c133fb824a

Download Submit
C:\Windows\SysWOW64\Mfdemopq.exe

Filesize
71KB

MD5
87c77cf66ab26c0ade6102f8cbc3901a

SHA1
a95170f0b4bf83ac5075360052bc4d4d3ca192cb

SHA256
a7ce6869ee764099b74d8ac16bfed670e2e7b1c4ef23bc81506db871ead2c929

SHA512
352a83951d4f803c852552f5fbcd863a55812d6c39924e1b1ecbaba2718fbce9eeae1f7175e5c1bae40734f5db77fa0c3862f8310362a07848b493b3313d6154

Download Submit
C:\Windows\SysWOW64\Moacqdbl.exe

Filesize
71KB

MD5
57bf8f8e5b672526c904bdd7afc2096b

SHA1
5e635dfac49b886bf619937788ad7781d4f46d4f

SHA256
709d7c414d568f8ad7513c8c9aa3954945f1b65de7efce84c442a5d6942277fd

SHA512
1e65dbf1bd96caa95d2086628c4898b8a76b61669614ac476d8ac248b0ca2ae821fe1494cda08b95825f3e308c87a23c388d1e58c5d48d9a31b43f1da0cff167

Download Submit
C:\Windows\SysWOW64\Momjed32.exe

Filesize
71KB

MD5
e7afc1c14c6881d92a6bf1fe4bff823a

SHA1
ed61d41635b52f4bafc1afad59b066bc2952361c

SHA256
2d4c18851f9b52652e88c7e7746575158fb0f09d9ab08fe9448fad26eb90712a

SHA512
3a3b18b73bfbd0d9ea376427e2ad3c65921c34e3c14dfb426cb900e61547b7f789d8912bf078870204a64d7eea8608078c96550ff378b934aeac9a57666aa121

Download Submit
C:\Windows\SysWOW64\Nmjmeg32.exe

Filesize
71KB

MD5
8c9ddc7d7a891166fbb6f46b6001d72a

SHA1
90bf1ed5bc6755f7807c30eaede4d2bf89d34e4e

SHA256
858542a46692c1775d01a7b2ddbc5422b222cb0e0e8fad2dd1e2125980e747d4

SHA512
ee7c6f6d91be897e4a55776d59302af9f1a7bb1957c36a77084259259d31d54cd5412a49c810e91088a7210dcfb8c47f84683ed382bf0b2ce88a5f4c26a1078e

Download Submit
C:\Windows\SysWOW64\Obnlnm32.exe

Filesize
71KB

MD5
27bfc85038474de74e6d76211b20dbf3

SHA1
d078f71e337b44be211c3eb6431efe8a656086ab

SHA256
0078cff51fefe423430b576ad09e87f96785843ae6da1c93c28ac92441806e37

SHA512
5f27d9b4dee34381fc1ef669e24687e65ffe675209c1129842b8466b1de2b0bc3081f4e0255300dc28d7cd037a8389e42d6f861491d49bf9481aa78b76c98961

Download Submit
C:\Windows\SysWOW64\Ocpemp32.exe

Filesize
71KB

MD5
f179bd13d8d3bd606e2885e140e574b3

SHA1
35b165829cd9c99f44105229af2a86a2d72d94cc

SHA256
a51ab752e387d8d291b518266116a79f7d02bcf4b35251c9ed1159df57d6d466

SHA512
5df17aa96f68a0cb87b5558b19ca94652634b46e973d5128b1d32426d85b04cff69cae5d7d63e392bcea8c22c39d2b8fb3ef9abba43d19094a4721ddfaa70e61

Download Submit
C:\Windows\SysWOW64\Pmalldhe.exe

Filesize
71KB

MD5
7e09c606a3a5a9d2c9681d9d351d8c4f

SHA1
313e736dc22d16221c24f48a9bc3e871e4ff0876

SHA256
318b4be9f4ebdeb3057898095a19fcf67119cefc5b006322aeca30d0cfcfa333

SHA512
c3bff0273f151b33a632830adc991d0fcb288d90305e3532feca10f7352782fba5642a1f68dc53ab6e8db03662f018cf4150df8d8769bf7588e3bc93f5e385bc

Download Submit
C:\Windows\SysWOW64\Pmcibc32.exe

Filesize
71KB

MD5
06ab6e4c8c29eec52117ab0969008f9a

SHA1
773aa37193f095eb858249abd0a3636300308c4e

SHA256
b8d81c2f5437e0d8635d26cd72a823d192ddf05ac09d9f3c9cf037362160affd

SHA512
faaa7963e18e1aed31bcdc4aaa5c4c3cfacee9654a1546df30ccb36284abaa91acf4d55ec7fecbea35af9c48eaea0198521dba493782ab93626547e632c6cb6d

Download Submit
memory/228-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4748-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-1092-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5352-1083-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads