berbew | 0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
Size

99KB
MD5

6b1fc72c2ed8ee4ee89a55866e721c4a
SHA1

4d8f8e1b83e902fe0943dbfdf30514161a6ab028
SHA256

0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50
SHA512

f567efdf51c98aedaf59561f07a3b44418460a4e639821776efee14eb542cf3082bf34c63d6b60ed8321841ca8722437cef119d00066d2059b273b1af3137b87
SSDEEP

3072:/37EnQkjfiSrrAWWluosTALgb3a3+X13XRzG:YdfvWlDGAU7aOl3BzG

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajkbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmhbgpia.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhiiloh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpfkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paafmp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldpnoj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojeakfnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piadma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbjnqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgnminke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiilge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiilge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlmoilni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlmoilni.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Monhjgkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnjeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpfkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjnqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laodmoep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnfji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afqhjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfjkphjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfidqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpbhjh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nopaoj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obecld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkdckff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldpnoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojceef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojeakfnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afqhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Albjnplq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfglfdeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfglfdeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piadma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfhgggim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddcimag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paafmp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qncfphff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amhcad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amhcad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Monhjgkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfnoegaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plndcmmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dochelmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqfabdaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnokdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncnjeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqmmbqgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Plndcmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abjeejep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbhjh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpdeoh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 48 IoCs

pid	Process
2832	Kfidqb32.exe
2628	Kpbhjh32.exe
2900	Kpdeoh32.exe
2876	Lajkbp32.exe
1936	Ldkdckff.exe
1852	Laodmoep.exe
2236	Ldpnoj32.exe
2124	Lmhbgpia.exe
1776	Mlmoilni.exe
568	Monhjgkj.exe
1308	Mhhiiloh.exe
684	Mgnfji32.exe
2096	Njnokdaq.exe
2044	Nddcimag.exe
2244	Nfglfdeb.exe
976	Nopaoj32.exe
892	Ncnjeh32.exe
2012	Ocpfkh32.exe
1036	Okkkoj32.exe
3068	Obecld32.exe
360	Ojceef32.exe
112	Oqmmbqgd.exe
1748	Ojeakfnd.exe
2420	Paafmp32.exe
2808	Pfnoegaf.exe
2816	Plndcmmj.exe
2776	Piadma32.exe
2656	Qifnhaho.exe
1784	Qncfphff.exe
2620	Amhcad32.exe
2068	Afqhjj32.exe
1252	Afcdpi32.exe
2728	Abjeejep.exe
3024	Albjnplq.exe
2424	Bfjkphjd.exe
2720	Cdngip32.exe
1868	Cbjnqh32.exe
1048	Dfhgggim.exe
580	Dochelmj.exe
2468	Dgnminke.exe
1292	Dqfabdaf.exe
1580	Epnkip32.exe
1012	Eifobe32.exe
1576	Eiilge32.exe
1468	Ecnpdnho.exe
3056	Ebcmfj32.exe
1992	Fpgnoo32.exe
1148	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2448	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
2448	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
2832	Kfidqb32.exe
2832	Kfidqb32.exe
2628	Kpbhjh32.exe
2628	Kpbhjh32.exe
2900	Kpdeoh32.exe
2900	Kpdeoh32.exe
2876	Lajkbp32.exe
2876	Lajkbp32.exe
1936	Ldkdckff.exe
1936	Ldkdckff.exe
1852	Laodmoep.exe
1852	Laodmoep.exe
2236	Ldpnoj32.exe
2236	Ldpnoj32.exe
2124	Lmhbgpia.exe
2124	Lmhbgpia.exe
1776	Mlmoilni.exe
1776	Mlmoilni.exe
568	Monhjgkj.exe
568	Monhjgkj.exe
1308	Mhhiiloh.exe
1308	Mhhiiloh.exe
684	Mgnfji32.exe
684	Mgnfji32.exe
2096	Njnokdaq.exe
2096	Njnokdaq.exe
2044	Nddcimag.exe
2044	Nddcimag.exe
2244	Nfglfdeb.exe
2244	Nfglfdeb.exe
976	Nopaoj32.exe
976	Nopaoj32.exe
892	Ncnjeh32.exe
892	Ncnjeh32.exe
2012	Ocpfkh32.exe
2012	Ocpfkh32.exe
1036	Okkkoj32.exe
1036	Okkkoj32.exe
3068	Obecld32.exe
3068	Obecld32.exe
360	Ojceef32.exe
360	Ojceef32.exe
112	Oqmmbqgd.exe
112	Oqmmbqgd.exe
1748	Ojeakfnd.exe
1748	Ojeakfnd.exe
2420	Paafmp32.exe
2420	Paafmp32.exe
2808	Pfnoegaf.exe
2808	Pfnoegaf.exe
2816	Plndcmmj.exe
2816	Plndcmmj.exe
2776	Piadma32.exe
2776	Piadma32.exe
2656	Qifnhaho.exe
2656	Qifnhaho.exe
1784	Qncfphff.exe
1784	Qncfphff.exe
2620	Amhcad32.exe
2620	Amhcad32.exe
2068	Afqhjj32.exe
2068	Afqhjj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kpdeoh32.exe	Kpbhjh32.exe
File created	C:\Windows\SysWOW64\Dihoofcd.dll	Nddcimag.exe
File created	C:\Windows\SysWOW64\Ojceef32.exe	Obecld32.exe
File opened for modification	C:\Windows\SysWOW64\Plndcmmj.exe	Pfnoegaf.exe
File opened for modification	C:\Windows\SysWOW64\Dochelmj.exe	Dfhgggim.exe
File created	C:\Windows\SysWOW64\Enoinika.dll	Dgnminke.exe
File opened for modification	C:\Windows\SysWOW64\Monhjgkj.exe	Mlmoilni.exe
File opened for modification	C:\Windows\SysWOW64\Afcdpi32.exe	Afqhjj32.exe
File opened for modification	C:\Windows\SysWOW64\Bfjkphjd.exe	Albjnplq.exe
File created	C:\Windows\SysWOW64\Jhpgpkho.dll	Ecnpdnho.exe
File created	C:\Windows\SysWOW64\Mlmoilni.exe	Lmhbgpia.exe
File created	C:\Windows\SysWOW64\Agflga32.dll	Pfnoegaf.exe
File opened for modification	C:\Windows\SysWOW64\Dgnminke.exe	Dochelmj.exe
File created	C:\Windows\SysWOW64\Eocmkdfd.dll	Okkkoj32.exe
File created	C:\Windows\SysWOW64\Obecld32.exe	Okkkoj32.exe
File created	C:\Windows\SysWOW64\Opdnkeqd.dll	Obecld32.exe
File created	C:\Windows\SysWOW64\Oqmmbqgd.exe	Ojceef32.exe
File created	C:\Windows\SysWOW64\Abjeejep.exe	Afcdpi32.exe
File opened for modification	C:\Windows\SysWOW64\Ecnpdnho.exe	Eiilge32.exe
File created	C:\Windows\SysWOW64\Lajkbp32.exe	Kpdeoh32.exe
File created	C:\Windows\SysWOW64\Gfdeopaj.dll	Lajkbp32.exe
File opened for modification	C:\Windows\SysWOW64\Nddcimag.exe	Njnokdaq.exe
File created	C:\Windows\SysWOW64\Qncfphff.exe	Qifnhaho.exe
File created	C:\Windows\SysWOW64\Pomebdea.dll	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
File created	C:\Windows\SysWOW64\Mgnfji32.exe	Mhhiiloh.exe
File created	C:\Windows\SysWOW64\Nacjlp32.dll	Njnokdaq.exe
File opened for modification	C:\Windows\SysWOW64\Ojeakfnd.exe	Oqmmbqgd.exe
File opened for modification	C:\Windows\SysWOW64\Kfidqb32.exe	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
File created	C:\Windows\SysWOW64\Mhhiiloh.exe	Monhjgkj.exe
File opened for modification	C:\Windows\SysWOW64\Mgnfji32.exe	Mhhiiloh.exe
File opened for modification	C:\Windows\SysWOW64\Ebcmfj32.exe	Ecnpdnho.exe
File created	C:\Windows\SysWOW64\Chdccacf.dll	Ldkdckff.exe
File opened for modification	C:\Windows\SysWOW64\Ldpnoj32.exe	Laodmoep.exe
File opened for modification	C:\Windows\SysWOW64\Nfglfdeb.exe	Nddcimag.exe
File created	C:\Windows\SysWOW64\Ncnjeh32.exe	Nopaoj32.exe
File created	C:\Windows\SysWOW64\Ikonfbfj.dll	Ojceef32.exe
File created	C:\Windows\SysWOW64\Qifnhaho.exe	Piadma32.exe
File created	C:\Windows\SysWOW64\Ldpnoj32.exe	Laodmoep.exe
File opened for modification	C:\Windows\SysWOW64\Oqmmbqgd.exe	Ojceef32.exe
File created	C:\Windows\SysWOW64\Ieoeff32.dll	Epnkip32.exe
File opened for modification	C:\Windows\SysWOW64\Ojceef32.exe	Obecld32.exe
File opened for modification	C:\Windows\SysWOW64\Fpgnoo32.exe	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Lmhbgpia.exe	Ldpnoj32.exe
File created	C:\Windows\SysWOW64\Ddhbllim.dll	Lmhbgpia.exe
File created	C:\Windows\SysWOW64\Njnokdaq.exe	Mgnfji32.exe
File created	C:\Windows\SysWOW64\Iclafh32.dll	Paafmp32.exe
File opened for modification	C:\Windows\SysWOW64\Afqhjj32.exe	Amhcad32.exe
File created	C:\Windows\SysWOW64\Olqdoelc.dll	Abjeejep.exe
File created	C:\Windows\SysWOW64\Dgnminke.exe	Dochelmj.exe
File created	C:\Windows\SysWOW64\Laodmoep.exe	Ldkdckff.exe
File created	C:\Windows\SysWOW64\Pbihnp32.dll	Amhcad32.exe
File opened for modification	C:\Windows\SysWOW64\Mhhiiloh.exe	Monhjgkj.exe
File opened for modification	C:\Windows\SysWOW64\Lmhbgpia.exe	Ldpnoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kpdeoh32.exe	Kpbhjh32.exe
File created	C:\Windows\SysWOW64\Monhjgkj.exe	Mlmoilni.exe
File opened for modification	C:\Windows\SysWOW64\Amhcad32.exe	Qncfphff.exe
File created	C:\Windows\SysWOW64\Lpcafg32.dll	Albjnplq.exe
File opened for modification	C:\Windows\SysWOW64\Epnkip32.exe	Dqfabdaf.exe
File created	C:\Windows\SysWOW64\Pnenhc32.dll	Dqfabdaf.exe
File opened for modification	C:\Windows\SysWOW64\Eifobe32.exe	Epnkip32.exe
File created	C:\Windows\SysWOW64\Ebcmfj32.exe	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Laodmoep.exe	Ldkdckff.exe
File created	C:\Windows\SysWOW64\Hmcqik32.dll	Afcdpi32.exe
File created	C:\Windows\SysWOW64\Fikeom32.dll	Mlmoilni.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1372	1148	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojeakfnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albjnplq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgnfji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfnoegaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjkphjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjnqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dochelmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnpdnho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhhiiloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnokdaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfglfdeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obecld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhcad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmhbgpia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlmoilni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qncfphff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdngip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldpnoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkkoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afqhjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcdpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbhjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnjeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpfkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojceef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmmbqgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plndcmmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjeejep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laodmoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nddcimag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqfabdaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifnhaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfidqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monhjgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkdckff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paafmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piadma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnminke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiilge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpdeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajkbp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdinn32.dll"	Mhhiiloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfnoegaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpgpkho.dll"	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacjlp32.dll"	Njnokdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nopaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeganjdl.dll"	Ocpfkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcqik32.dll"	Afcdpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epnkip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfidqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfagoln.dll"	Kpdeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldkdckff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgalk32.dll"	Laodmoep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lajkbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qifnhaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qifnhaho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbjnqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldpnoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoeff32.dll"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olqdoelc.dll"	Abjeejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoinika.dll"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfidqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpbhjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddcimag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afqhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcinlc.dll"	Qncfphff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnenhc32.dll"	Dqfabdaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lajkbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njnokdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclafh32.dll"	Paafmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piadma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcafg32.dll"	Albjnplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dqfabdaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojceef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Plndcmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Albjnplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpdhegcc.dll"	Plndcmmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qncfphff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfhgggim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnlnmnm.dll"	Ldpnoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhhiiloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Albjnplq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Plndcmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necdin32.dll"	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll"	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laodmoep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojeakfnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmekdl32.dll"	Afqhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfjkphjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikonfbfj.dll"	Ojceef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamoho32.dll"	Oqmmbqgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll"	Eifobe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpdeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpdeoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddcimag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2832	2448	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe	30
PID 2448 wrote to memory of 2832	2448	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe	30
PID 2448 wrote to memory of 2832	2448	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe	30
PID 2448 wrote to memory of 2832	2448	0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe	30
PID 2832 wrote to memory of 2628	2832	Kfidqb32.exe	31
PID 2832 wrote to memory of 2628	2832	Kfidqb32.exe	31
PID 2832 wrote to memory of 2628	2832	Kfidqb32.exe	31
PID 2832 wrote to memory of 2628	2832	Kfidqb32.exe	31
PID 2628 wrote to memory of 2900	2628	Kpbhjh32.exe	32
PID 2628 wrote to memory of 2900	2628	Kpbhjh32.exe	32
PID 2628 wrote to memory of 2900	2628	Kpbhjh32.exe	32
PID 2628 wrote to memory of 2900	2628	Kpbhjh32.exe	32
PID 2900 wrote to memory of 2876	2900	Kpdeoh32.exe	33
PID 2900 wrote to memory of 2876	2900	Kpdeoh32.exe	33
PID 2900 wrote to memory of 2876	2900	Kpdeoh32.exe	33
PID 2900 wrote to memory of 2876	2900	Kpdeoh32.exe	33
PID 2876 wrote to memory of 1936	2876	Lajkbp32.exe	34
PID 2876 wrote to memory of 1936	2876	Lajkbp32.exe	34
PID 2876 wrote to memory of 1936	2876	Lajkbp32.exe	34
PID 2876 wrote to memory of 1936	2876	Lajkbp32.exe	34
PID 1936 wrote to memory of 1852	1936	Ldkdckff.exe	35
PID 1936 wrote to memory of 1852	1936	Ldkdckff.exe	35
PID 1936 wrote to memory of 1852	1936	Ldkdckff.exe	35
PID 1936 wrote to memory of 1852	1936	Ldkdckff.exe	35
PID 1852 wrote to memory of 2236	1852	Laodmoep.exe	36
PID 1852 wrote to memory of 2236	1852	Laodmoep.exe	36
PID 1852 wrote to memory of 2236	1852	Laodmoep.exe	36
PID 1852 wrote to memory of 2236	1852	Laodmoep.exe	36
PID 2236 wrote to memory of 2124	2236	Ldpnoj32.exe	37
PID 2236 wrote to memory of 2124	2236	Ldpnoj32.exe	37
PID 2236 wrote to memory of 2124	2236	Ldpnoj32.exe	37
PID 2236 wrote to memory of 2124	2236	Ldpnoj32.exe	37
PID 2124 wrote to memory of 1776	2124	Lmhbgpia.exe	38
PID 2124 wrote to memory of 1776	2124	Lmhbgpia.exe	38
PID 2124 wrote to memory of 1776	2124	Lmhbgpia.exe	38
PID 2124 wrote to memory of 1776	2124	Lmhbgpia.exe	38
PID 1776 wrote to memory of 568	1776	Mlmoilni.exe	39
PID 1776 wrote to memory of 568	1776	Mlmoilni.exe	39
PID 1776 wrote to memory of 568	1776	Mlmoilni.exe	39
PID 1776 wrote to memory of 568	1776	Mlmoilni.exe	39
PID 568 wrote to memory of 1308	568	Monhjgkj.exe	40
PID 568 wrote to memory of 1308	568	Monhjgkj.exe	40
PID 568 wrote to memory of 1308	568	Monhjgkj.exe	40
PID 568 wrote to memory of 1308	568	Monhjgkj.exe	40
PID 1308 wrote to memory of 684	1308	Mhhiiloh.exe	41
PID 1308 wrote to memory of 684	1308	Mhhiiloh.exe	41
PID 1308 wrote to memory of 684	1308	Mhhiiloh.exe	41
PID 1308 wrote to memory of 684	1308	Mhhiiloh.exe	41
PID 684 wrote to memory of 2096	684	Mgnfji32.exe	42
PID 684 wrote to memory of 2096	684	Mgnfji32.exe	42
PID 684 wrote to memory of 2096	684	Mgnfji32.exe	42
PID 684 wrote to memory of 2096	684	Mgnfji32.exe	42
PID 2096 wrote to memory of 2044	2096	Njnokdaq.exe	43
PID 2096 wrote to memory of 2044	2096	Njnokdaq.exe	43
PID 2096 wrote to memory of 2044	2096	Njnokdaq.exe	43
PID 2096 wrote to memory of 2044	2096	Njnokdaq.exe	43
PID 2044 wrote to memory of 2244	2044	Nddcimag.exe	44
PID 2044 wrote to memory of 2244	2044	Nddcimag.exe	44
PID 2044 wrote to memory of 2244	2044	Nddcimag.exe	44
PID 2044 wrote to memory of 2244	2044	Nddcimag.exe	44
PID 2244 wrote to memory of 976	2244	Nfglfdeb.exe	45
PID 2244 wrote to memory of 976	2244	Nfglfdeb.exe	45
PID 2244 wrote to memory of 976	2244	Nfglfdeb.exe	45
PID 2244 wrote to memory of 976	2244	Nfglfdeb.exe	45

C:\Users\Admin\AppData\Local\Temp\0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe
"C:\Users\Admin\AppData\Local\Temp\0db71e8fe258ddb28551065720b0eaefc746e5660c78057197573395ba1e2a50.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\Kfidqb32.exe
  C:\Windows\system32\Kfidqb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Kpbhjh32.exe
    C:\Windows\system32\Kpbhjh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Kpdeoh32.exe
      C:\Windows\system32\Kpdeoh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\Lajkbp32.exe
        
        C:\Windows\system32\Lajkbp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\SysWOW64\Ldkdckff.exe
        
        C:\Windows\system32\Ldkdckff.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Laodmoep.exe
        
        C:\Windows\system32\Laodmoep.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Ldpnoj32.exe
        
        C:\Windows\system32\Ldpnoj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Lmhbgpia.exe
        
        C:\Windows\system32\Lmhbgpia.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Mlmoilni.exe
        
        C:\Windows\system32\Mlmoilni.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Monhjgkj.exe
        
        C:\Windows\system32\Monhjgkj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Mhhiiloh.exe
        
        C:\Windows\system32\Mhhiiloh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Mgnfji32.exe
        
        C:\Windows\system32\Mgnfji32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Njnokdaq.exe
        
        C:\Windows\system32\Njnokdaq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Nddcimag.exe
        
        C:\Windows\system32\Nddcimag.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Nfglfdeb.exe
        
        C:\Windows\system32\Nfglfdeb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Nopaoj32.exe
        
        C:\Windows\system32\Nopaoj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ncnjeh32.exe
        
        C:\Windows\system32\Ncnjeh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\Ocpfkh32.exe
        
        C:\Windows\system32\Ocpfkh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Okkkoj32.exe
        
        C:\Windows\system32\Okkkoj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\Obecld32.exe
        
        C:\Windows\system32\Obecld32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Ojceef32.exe
        
        C:\Windows\system32\Ojceef32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\Oqmmbqgd.exe
        
        C:\Windows\system32\Oqmmbqgd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Ojeakfnd.exe
        
        C:\Windows\system32\Ojeakfnd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Paafmp32.exe
        
        C:\Windows\system32\Paafmp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Pfnoegaf.exe
        
        C:\Windows\system32\Pfnoegaf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Plndcmmj.exe
        
        C:\Windows\system32\Plndcmmj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Piadma32.exe
        
        C:\Windows\system32\Piadma32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Qifnhaho.exe
        
        C:\Windows\system32\Qifnhaho.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Qncfphff.exe
        
        C:\Windows\system32\Qncfphff.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Amhcad32.exe
        
        C:\Windows\system32\Amhcad32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Afqhjj32.exe
        
        C:\Windows\system32\Afqhjj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Afcdpi32.exe
        
        C:\Windows\system32\Afcdpi32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Abjeejep.exe
        
        C:\Windows\system32\Abjeejep.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Albjnplq.exe
        
        C:\Windows\system32\Albjnplq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Bfjkphjd.exe
        
        C:\Windows\system32\Bfjkphjd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Cdngip32.exe
        
        C:\Windows\system32\Cdngip32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Cbjnqh32.exe
        
        C:\Windows\system32\Cbjnqh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Dochelmj.exe
        
        C:\Windows\system32\Dochelmj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Dgnminke.exe
        
        C:\Windows\system32\Dgnminke.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Dqfabdaf.exe
        
        C:\Windows\system32\Dqfabdaf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Eiilge32.exe
        
        C:\Windows\system32\Eiilge32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Ecnpdnho.exe
        
        C:\Windows\system32\Ecnpdnho.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 140
        50⤵
        Program crash
        
        PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjeejep.exe

Filesize
99KB

MD5
32c81bebfff5d7d1a6ffb187a531726d

SHA1
7d3660f6b32418ee8f8d2c7597686a92e7562a86

SHA256
ab3f0edfa50032a01466bacfeb76acc69ef99a3b7666575355dc2bd3742d0771

SHA512
de694e5ad0ed4246a5614784722f709f431364dfbf9f7d89945500fce70dc39cfba72cde1902bee6ca6f54f46b9334b7e710eacce90c2ad7fe54078e4b46ce40

Download Submit
C:\Windows\SysWOW64\Afcdpi32.exe

Filesize
99KB

MD5
b628fd454f4d0506446322c3de5e69d6

SHA1
3313af560b27a9b15c079fb0a63e01d1c111d0f8

SHA256
9bb7b89800e0042a943fe8d4fd0b237e9af14966dbd4a2fb94328202adc4d99f

SHA512
bb41c1abba804043d90452d1e5dfcb8e38ecbb277266a033b118a337c7dc5b3050e3364fb8c5ac6042dce5299e7bfadf4ad1ae83fe7856d96a4aaeb68b64ffc4

Download Submit
C:\Windows\SysWOW64\Afqhjj32.exe

Filesize
99KB

MD5
00b5cf04456d81651103a70083ff93df

SHA1
43860a282e256497a68ff9c62db3f34a7c58e0d8

SHA256
5444b1df1c7c3f0124be17b6db1934de48419ba534dd60b184a78ad86f80bb85

SHA512
03d7c432841494abc664cd950407c62f61adc36264b18682209a3b71719259a89ea454891ecc43734c3b06cbe2a36f3f4963a1f8e351db18ead2f289e5b7ed04

Download Submit
C:\Windows\SysWOW64\Albjnplq.exe

Filesize
99KB

MD5
24ea074c5df9ffbb9a29308a604ff345

SHA1
f15d7639e972b3c4b6c506a6e2e11d499545ae7a

SHA256
a6c369fbf576a0a8e05df6a163b78af1a23da1bae10e0a66434549334c3cec77

SHA512
89e1cf307de818334dd2f8f9679fcd32ffcfe80d940e0283730b4d3fd387e63cadfbb72f7983fd0aa94a786c2999ec5a07fb24a4c3667755294cec9e3b512d46

Download Submit
C:\Windows\SysWOW64\Amhcad32.exe

Filesize
99KB

MD5
a3bab7eb716f6c43e83c3e88b32a6f54

SHA1
bad17b1dc8bef236c64f1b43ffddec80a6899d6e

SHA256
2e182266d69656ffa413d48dd7c7b6017b853ebf5af042c69ed1cd9c588732aa

SHA512
06bcfdde72778db5c98c86e43ba2007185b9ee5df9675618d725207cc815f7b98ab460c67b20c33192b872f0b150b43f81b22506a9537ad693b0af41ec0fd8a0

Download Submit
C:\Windows\SysWOW64\Bfjkphjd.exe

Filesize
99KB

MD5
6e9943bea702b9346bb8526969544728

SHA1
98db3f0e39ca680e1e89330810265a42829c2fe8

SHA256
8aa1c1449797a663823906a55b5800caa450416a9c88a0adff56d47d9b75194d

SHA512
4bb9006f591294370131ec9624231b6d9f67da510b1a5606d642788138489bea189fa631e581fbd6cfa068a00c4b1797142ea43408895382442ead2ec3db019a

Download Submit
C:\Windows\SysWOW64\Cbjnqh32.exe

Filesize
99KB

MD5
dc5ee33d4dd4904746c026aed30b53b5

SHA1
c715de8901507edff6d1c0a48bb5cc21131efa34

SHA256
290cd3d4ea94bc3eac8db897f22b5a1ea6dde23c4c88a968cc119390d0c91454

SHA512
276c2da8829d1a57c1bc60757af0211c5902e3d65929847e204aa8a70115b8c940ca14e984320f5b8bf8dbe1bfbc4f373e35082ef6ba745aa84445dfc90a778e

Download Submit
C:\Windows\SysWOW64\Cdngip32.exe

Filesize
99KB

MD5
47feb603f785b539d3de3c7006e08eb3

SHA1
81c84776712a2f1c08aa00523c315a73c614e648

SHA256
dcf7dac763943d6e3cbac9edc4b7b549e2a5117328b186e3d7282a4af97d122c

SHA512
1998c8d78464cb4c30cd761ac9cc7600ce0558872d27f973e08e9797b823b0fbce20e9035f6234f298bdec30f078eaa4ab04f5ffa909d3e31169fdbab2c305fb

Download Submit
C:\Windows\SysWOW64\Dfhgggim.exe

Filesize
99KB

MD5
3e613815bfb2828a001fcf157957aaed

SHA1
29c5552687e752c7347b8fac8c29a8bb8e46e1a6

SHA256
7cec629459ff44f78460763ff98330d196b0ba8c14673115fe5e5bc828b6b57a

SHA512
78340ff6b208ce4bac26f69a529100e4b7e6ad71f261540e71eb8d27feb0c00785f72251035184897ee5b1fae4f33748995229de47759b7eb37de1c2958860cb

Download Submit
C:\Windows\SysWOW64\Dgnminke.exe

Filesize
99KB

MD5
1ab26f3e8599a9e6c49741bd07a963c3

SHA1
2fedbf59846088c221e35d9c85e95c3c67db5556

SHA256
79daf9538c68fbacc41cbe49fe019f94ed45460c4297b3c9afb4d606089392bf

SHA512
d8ffa2b0994f02ca50ca102ed441c531fc756415b3193e4311fb97ccba907c3fdac6f5742bf4789391179e26b9ea118048da142c4a947cc010e15a46bbc00104

Download Submit
C:\Windows\SysWOW64\Dochelmj.exe

Filesize
99KB

MD5
d8996e56a6841eb8a01be7b9bbb4f555

SHA1
0a8678dc33d527a3458db02ff9436205d9b3f546

SHA256
f9b635cc1b92cb929408f04a30d0531f3a26be9f14dc627170de0142c3685025

SHA512
08774ba6e5a6e4d9165b18f0e869279bcff4783753dcf0c90902db98c4757e1ed7442a707c9df4f2f15524c643c6f2b0c05eee66c0d21159c9844fc91de3a4ac

Download Submit
C:\Windows\SysWOW64\Dqfabdaf.exe

Filesize
99KB

MD5
f59485b87053503e1e9716c8ba5a8ded

SHA1
02ee7f57f11c18f0844a0e3660ff01dcc583f038

SHA256
c75b4d0338ddf29ae9ac341a4a28c8594208f9bea691ce28bb4e65865dad3683

SHA512
ea41e52e5e1e6ea08ce2e353e819f78f112a1e217b71d3154c7291155b8fed313a73209202c2f1c7f2a00bff8a656c100395bb343c3cbf0db21165cfd7079254

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
99KB

MD5
fbbb3283adcee852b9e646e8acfc34a8

SHA1
55172a9b2b8e2e52c4c2c117daf92e69192e738f

SHA256
57ea4ecd3d48a21fb87456cf86fb6041ca1b0ff75ab30871e6001f59aa563381

SHA512
3764bdf234fe580c932fca338536b81b5c36bd4030715b8c6d14eb9a46fe9745910638b1d680478674ff6055e43ead69e2f70aeab5a032bfa5781436f2a87551

Download Submit
C:\Windows\SysWOW64\Ecnpdnho.exe

Filesize
99KB

MD5
9bcde94d4f98d8331a659e0c1fd224ee

SHA1
ac83b67ccfce8be874c5682ac2a28db647032736

SHA256
4b0a35aa6c0638af598469ef22e59d500bb967938b8964a516850918c9685acc

SHA512
fde9291562db5e6e620b62705e4ed06c666ecc85aab639a5818bb89d4964fb20a242a7673b258be2d1ada2b3eb0d7afaac3f342f95107a8239c91f065ebf6477

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
99KB

MD5
6bc13d4fa47bfadfb5a47d8a968e8200

SHA1
ba619f668115239a1ba86570a0ecdc7781672a79

SHA256
b14e8ba57f5a849970db7e11bbb68ffc30ad303b65ae33cb16b2dde32a117e5b

SHA512
75210e62363d82510cb53deca2e99d4f481888bed89edc98a7f526c314ef32bc2564f75d738d1bbf86a7c16a6b8d05d058aa5a74b3ef5b36f76145bb00e173c0

Download Submit
C:\Windows\SysWOW64\Eiilge32.exe

Filesize
99KB

MD5
3bc84a4119bbf65af067f9635315b730

SHA1
a7958351b869cd355e5cfea1aace43fd2cf95d0b

SHA256
d19790d0b6e1457376a02ed8297b0127aaa33a1a54ce398ccefa5e05b57e2a00

SHA512
95e248c25ff03dae9eec228bf30af6c201417ee3d7e63444cf1ee4eebc6250d648c8724ed79d3b2af8b7cf571cb79895d1deaac3f12c6515c694f4b548887354

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
99KB

MD5
784fd26f9f2fe487f79b8e0923007080

SHA1
bbeb696d203db652b68945214ec373d287f48805

SHA256
86e4f1a598dc317fa0cb81ad4c019108aef9171e42f12f406d308f22bc34e8a5

SHA512
b07a617dc513b3e0445ca84b2d84806cccf14477bc01b227a844655a5919c74a9d649756c9d4a4dd2fe51726ee261fbfc428286e5a92b19960a85c46265a4387

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
99KB

MD5
baf07e210bf043d7cc7b36b4e9080cc2

SHA1
502951306cf0d160ebdd04a331d9c1605cbd6aaf

SHA256
a39dac6566cc83ee670f696a9f9c1e980ad597429d3b38659baa1435363f58c6

SHA512
f666258f1d189fb9f9ce2b9530ad7d931cf75259bffa2667e7fc3fc8d751a9fc3652aad188eb5100849345ddf73b52978813f9bc428affdb90b82366a36d5bbf

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
99KB

MD5
bb6184265305909b60b9169c22d0ea33

SHA1
ee86be2ac7585875a2837334c7e0019b6264e4eb

SHA256
5147d6e2ccd6e8d9995d13a291fef5c9142236fdc491969d9db9acd803840255

SHA512
c40a3a378a829af362cc5a9b9a36d8b62f7ebe9d64785207770a0a9e15594433e9d624d9a6b35e83726142807e4810d370cbd2c691de1ed2a24985f79f6815dc

Download Submit
C:\Windows\SysWOW64\Gfdeopaj.dll

Filesize
7KB

MD5
127b2da9282321cfc9e98c45354b9b3d

SHA1
4a1d4b98ba6512f49c2d556f7857c9a6e57aa430

SHA256
cbbdf41bb75f654b377bd3df9857291be9a9e8edeb79d1d6f55cc4e924c43045

SHA512
b5012fd37dae01a105a32d3fc446c8105929085e0cca708b875cca075912a887487750bc1a604a711e33a4e6c25698839c2e3edbfea85b230f6cfa5711c2dd9f

Download Submit
C:\Windows\SysWOW64\Ncnjeh32.exe

Filesize
99KB

MD5
7e2937908414fec81778681ec4801ec3

SHA1
42fed2a5692efb7101127e80ff324c725aa1f4e1

SHA256
df2b5afcb9652bd20d196c23bd8b0902304baea65c064776985edf3f9b06759f

SHA512
025450b630b954570602ddee0e954b7e0e297072605304b05e2642bb909be4445b9158514a0ebdc91898e9c91182c3080daa24c56e8a79eae6815afbaf64a17d

Download Submit
C:\Windows\SysWOW64\Obecld32.exe

Filesize
99KB

MD5
ae7d87ad39b1b4ea5d6ceadc1cb8bc38

SHA1
51dfc303ef59c0f4ca1bbeafc96b2849a036aba6

SHA256
7b51d5f701cf67a366896e86cb5dcac2dc5fddb2147f5de75ed7d10b63e3b82d

SHA512
1abc94f828e9f57db27ce6d615c0bdee2b3bf9ce738463b58c93c3596ce020a4796343ad463a9b4d9600929c5b96d1a79ad762b9d2f2297343a0053638318225

Download Submit
C:\Windows\SysWOW64\Ocpfkh32.exe

Filesize
99KB

MD5
a1f4e25f9cce918c4b58950e07f3c814

SHA1
2386bf1cd5523bda8d2eda25ba37faf5f5c3ba9f

SHA256
b3c0e5c7f32f703247b4dd1555493b1264b62a303e28583facb85ea7565e6abb

SHA512
5f37475b0cbcd2c7f78a63b2b297ab63727407067b9975452162326825bf2b827c680cf22981396f58167d1f532921784a9d1b2a5703afa1bae0ef75287ebf6c

Download Submit
C:\Windows\SysWOW64\Ojceef32.exe

Filesize
99KB

MD5
94da856ecfba317c1d70a6cdbddf664e

SHA1
b3d5f73ed99ea7f54a17b091dae89fff8ab72d51

SHA256
76c219f0e5e0bf98f16a10d2cd979cd47ddfb754114150c85203e8f6d504c0cc

SHA512
60edec4245915269cb6a2c1bb56e81e199b841837a407e42438f806acd4d6d265afe8ef6e642d9245a75d48c68d627d93a4b9d61a014e87eaa596602c49e7507

Download Submit
C:\Windows\SysWOW64\Ojeakfnd.exe

Filesize
99KB

MD5
aa91dca3b82f6dd53b2ca82d6e7fc082

SHA1
c7c932555f2afb55743ea48e51e6b85162d0bb10

SHA256
16c4fe482fdbc87c49c5f6992a9b46ba840ae7a3d4f1bb68e986aa2993417c66

SHA512
36f78972b32139664ca9d8b677d292e9ffe4dff0986dc9dd6f2aeb512760cb5a37a9ca32c8303b41cecad682de6a69a8d01d436edc860bb1b3854bd59f6fbf10

Download Submit
C:\Windows\SysWOW64\Okkkoj32.exe

Filesize
99KB

MD5
1354b738a904b664485700c076ebc8d3

SHA1
8744be754b80d76dc689c4d82252960b3ee65d6d

SHA256
189cffeb604e7a2d57279b8159379a2a77430a670b08f07271f93679300f195b

SHA512
5920ff1cb5f3eaa804dc0843a2476167b42031815c58d18e0c0014ef970a723fddbc23508321dd9f17864b9487d1530a7eac1e3fb61af8aab3a19c8dded5ae2e

Download Submit
C:\Windows\SysWOW64\Oqmmbqgd.exe

Filesize
99KB

MD5
db7d19bb2064e430b4ccc370d0341bf0

SHA1
d1abbc88fe8286899b27f21ffdfb4f54c844f6f3

SHA256
eefdd1565bfddb572ce7b49e97c8f9c44eaaa3b1390096332a85b1e0c522820e

SHA512
9837f6b45b67977a39008f715557c512c20ec76b27178991be9741abb7c5d895ff04c83d405c52e04048581c3956bcc2fbb4509000e28070e5b5c3410d7806d6

Download Submit
C:\Windows\SysWOW64\Paafmp32.exe

Filesize
99KB

MD5
f5a16aeed43ce9d1c8141553127ff00e

SHA1
932554c034f7c2e82d4b4fa35e7cf9033a06b925

SHA256
7ea55b0b262fa285fab2fc1024bf987a1a09c21641dc2f7fff9d5c2b12dd38d3

SHA512
d92b444ab6efc89a3880ca00f0082cd23f53e2f3753787d32ef371f67a0edec39355ccac831acdc853763eb3c2f9b3ef66ffc2f0598a15dc4f3ecd8002a71a88

Download Submit
C:\Windows\SysWOW64\Pfnoegaf.exe

Filesize
99KB

MD5
57ea831bc6b668bb67db683a8aba04db

SHA1
d91048ef37fb65bced9503ebc46f9acc9efb4f9e

SHA256
dc8c50e5cf29b4ae444394f78eb4136225a8f0be3478f29c4bcc27dd826c0ed3

SHA512
af2136d06080edb4578a45c829050bd621e51c4365180128daecdfad60720f988cc236b9e1fc5802d26f802090083152f06b62b39567c0c0104016f1f76502b7

Download Submit
C:\Windows\SysWOW64\Piadma32.exe

Filesize
99KB

MD5
03bb54279dbd76b4d3daca4d0bb6cca4

SHA1
f37f4bc02dc83a3e75b663a8cf9def0d849d5963

SHA256
d509f2f31a46464f1bfc8c61afec364ecbeb6dfe060c83a50a1fd548fe27e9c7

SHA512
0896b0cd25b24944850e4257cd7988d3f07bdaf96d4730eb95d5ebf389367fd905ee9694189f1aa32587aaa85f4e80424f65c2d925ed9b9534bf84286c4ee877

Download Submit
C:\Windows\SysWOW64\Plndcmmj.exe

Filesize
99KB

MD5
52d941dc239ac367294aadddf8330cc1

SHA1
66fa22defe8528ff5e4e6c1c6325ec4d4b74b6a3

SHA256
439f84abf237e4cd9d8a9c0e69ece953cf0bc6bfafee6e93a0a18611c9452486

SHA512
fea9bec0846397bc8c4d0401f03354b569fda7a91348183e873dbd3f7be5413c4172fa81896c7a85b35b8d9ba8813f5c0b54ffb7106d5a6f1ee4480346204abf

Download Submit
C:\Windows\SysWOW64\Qifnhaho.exe

Filesize
99KB

MD5
acc673f4578f190ee0523ef18251169e

SHA1
f7857097de86dc6805de01d126e90ecf457aaa9d

SHA256
6d00b10d6ca024ff1c28aa54007084f1045d42f94abdd4b806753cc9dffd8a89

SHA512
c53bec46915468641ed803dd119b50c9a14836da522154182f431b555e7e9ee96ac35e68e1e326a5fa754ec8ff1037f3352661cd24210c1f0a9076de88d216aa

Download Submit
C:\Windows\SysWOW64\Qncfphff.exe

Filesize
99KB

MD5
783bd971a0fd60bc8bfb564aab6b73a8

SHA1
159d9c80d18540b4b4f282328acf1ea1747b1df6

SHA256
52780e731341e19dce3d67e0614ff19d84c292830cfa99631e5472a6d66e2c9d

SHA512
8b2543ae24eb2f0e70078e67fd4ab88f51674c9693bb13541e228cfbb8f23a8bc626be08d3a6600b57f300bb32978e66ae551eb1b544d35aa8384f07e028a8e8

Download Submit
\Windows\SysWOW64\Kfidqb32.exe

Filesize
99KB

MD5
19ee561a71d3dc406b1e418cd79bfdc3

SHA1
5f19d891225cae01ae489a45b62902161d9a787f

SHA256
7ad8ee6fb4a1e7eff70703dd6e2f6a52f1759961ab2191168c5a913731354dc0

SHA512
37fb717e0b67ba2ef2849ba1cabc3459a9f10cbceb1dfa76addd322280a2d6722b93f7ce011b565706118bcfde987af6deb060a56d32864b80baca4d4f90ab7c

Download Submit
\Windows\SysWOW64\Kpbhjh32.exe

Filesize
99KB

MD5
2122dc513e57e23e9e554dcf2ac10808

SHA1
41ea3c26c55bfb358d0ccab456cf2dbc7121f4d7

SHA256
7096d342dbd869c15121b4c2bf380958fba29320b2b38eb057c9efd83b6cd1ad

SHA512
0b9acaa5dcbe2d1ef52451887a0714875097744b7fb821586f463b7e74084c4ee87de22132429d4996c89477d031e2cf8b41711248e9a962f266bfd6f4b456d8

Download Submit
\Windows\SysWOW64\Kpdeoh32.exe

Filesize
99KB

MD5
05dc33cccbf71852b676d15859833ce4

SHA1
69c7b439507e1beed016a449ea3e6c663c4587ad

SHA256
84a4f7d04f82794d36ac558b10462c19f6fb477a3c9a99a530d882f370ce36d5

SHA512
7db3b5c595bd78c5a8dcc9532507dc501d61ebb51bf6a6bea7fb9205214a657f637ccca047ce68bd1a5f464b1872d2580bb56132204f4750aa09b58db015717c

Download Submit
\Windows\SysWOW64\Lajkbp32.exe

Filesize
99KB

MD5
04991ce920733f57f53528828e6b5418

SHA1
b27b1a0c6ad4136560e7cda0f7cd056bdd903ba6

SHA256
743f3eb3868a2ed08982bfe27595ecbd7a445cf800d7bb776caa42961d8057d4

SHA512
631d7a28b3de6c1a9f4798b1c41e89f07b11f6fa0413255b5d43609a8bef6688890249575d50d3772041a5f98fa8eee3da7d4007aef2644a36af770089de435d

Download Submit
\Windows\SysWOW64\Laodmoep.exe

Filesize
99KB

MD5
7e04dee6b29aaa9ea6176ed6951960f9

SHA1
311f9a2e958bd5137efe07dff8a95f0a1cff06d8

SHA256
1d25c29e2723ac3cb7d3f53f4b0142858a6f83b832a938874779febcf60aa1a1

SHA512
d4628042a17fc7321cf9f600a2961be24776af7e6f111f9cde24fd01f2f9a87eb9d26c3964f82f1daea4a981830b7c31da2c0f738556e253d7f304c8123e2d2d

Download Submit
\Windows\SysWOW64\Ldkdckff.exe

Filesize
99KB

MD5
4374aa752c9583ae16976bdcb44219a2

SHA1
76840b13219fce5eab02006f1f1a252fa63c66eb

SHA256
e88237ae07c3dd1aa778e26fb92e5d4980647097feb414e1b3138f0934a936a9

SHA512
f662a65edc02348bf07cc02a14a18ad39727d1f891672b28c5ce67e13a5aa22b5f3e03231b9865ee3bf814f94f37f2d34a6906c79f68cda141edeba8581edb59

Download Submit
\Windows\SysWOW64\Ldpnoj32.exe

Filesize
99KB

MD5
4459c82be4128406b30b07182848b0dc

SHA1
d2ff3fc473caade6285738e5406d67aa0f0fc3bf

SHA256
917418a845addf0cc6067822af34f5284e9cbe70688dae5019246e55b600681e

SHA512
dd6f9924c947b23168af59268450a425d22ebe8262dae75455e0a2cb1072842d596a3123c5a715e2d29b1ffd740f7ae6db6289a6dae2e125f8bad2fd88c1bbd9

Download Submit
\Windows\SysWOW64\Lmhbgpia.exe

Filesize
99KB

MD5
aacbb8459c582df3f7ad87ceecd45037

SHA1
139310a09752745847e903d1c4a0207d9c720457

SHA256
36d4142742039be5bc7202f1f977f050e7ef7db278e884c3099b1b769d1546bf

SHA512
cabac07e46cf8ed97677b7679d264f8115389cdd4f51404d605fba0642ebcd5bf864045c831f7ef7f04edfd51f41908fff7a8740dbcb8843ba688faef45b48aa

Download Submit
\Windows\SysWOW64\Mgnfji32.exe

Filesize
99KB

MD5
608e198dac5529993fe4750e8dfe0ba6

SHA1
a185df88a6151e17e0919c7cf669c4a200127619

SHA256
298b3dddae310d610b73f40ae0a34e3d7d35589136d465ae7c01b1a6b4f5e06b

SHA512
5928b8f716254154140b52d2245ce8ec08d13ab34dd7a9651992f385ee43e60e41c2c34638235462a6ec03b2e552c3875dfb67d4b83decf487ef977e0f5cfb15

Download Submit
\Windows\SysWOW64\Mhhiiloh.exe

Filesize
99KB

MD5
b7ae04c4cfdafa5a04d62268ca1677ae

SHA1
2121e5ecb957d434739b86b88026eb4265635037

SHA256
1b5248132a46831bc6bfbaab9a90a7f97ba9e1126eec42a96d43c31961e04377

SHA512
346372d3119beff55ef541352ca3ba82d01d7a89726ab6036e84220a22219ce4efa1af59df3c50a1c6094684d368da280bff13504a34a98a874b6f69de43a2ed

Download Submit
\Windows\SysWOW64\Mlmoilni.exe

Filesize
99KB

MD5
b5c598a6f7016a3704a5f914584c9e49

SHA1
0278408006f11281f2da38875ad3d29f8c2157d7

SHA256
cd58f5d75e43ae6cbb0462e558d7c3cc007784877a450f8c1911d4e40fb5e8dc

SHA512
b75dc93c281e5f5bfcc732f5da450fec461bb247ddf54086c2fb377ef01586e953875ee654840b72076bcd00d82c83d1d1ac9f98dd7269f374efdddd53e4673d

Download Submit
\Windows\SysWOW64\Monhjgkj.exe

Filesize
99KB

MD5
a2feff984b69fa74b8d8951213b45df1

SHA1
67cec25e00732be72c66e4d92520cb3c3a90fbbe

SHA256
bdabcaa08c5533d6cbe22650c17e8edc63ace340835624c21d9c006efc9429cc

SHA512
4f1b660c5dc3ac46406414b0ad32773825199c587b4d4f810cf48dcdf32fb72f4472d8386f8d0e84fcc81ab15d03be790333b7f9e85d88793e4f90505ac603ed

Download Submit
\Windows\SysWOW64\Nddcimag.exe

Filesize
99KB

MD5
ebbff96d9a17e291425766eedf571442

SHA1
b77f87d1ee3f73f7ac3a496371587b4b5ae8544e

SHA256
c8c96a1e845964aeaad80c9ed1b6e60889a1108cf18d34d7c2065d5a7c9dd9f7

SHA512
11b5300893761087634e299bb5257f12fbce4774c115de1d38e3c19401d2491361ac9a00b9241bfdb50acfb938fc91c433a2f377113e42c6863498cf012ad9ee

Download Submit
\Windows\SysWOW64\Nfglfdeb.exe

Filesize
99KB

MD5
0c571b7ca94331ec901dc38a5fa09619

SHA1
f36d98dc7d7fa90a34caca3b169b5bafcce05526

SHA256
cb96f9cc6df80070c58baf0f86cb7e0bda391449231acdf1051459d8c39b2fcc

SHA512
0dfe09d84df4b550d25d5bf430dff5ec6d61357e9cbe856062e8a2274e548ae52e5f7f4ba890b4e52ff2ffef7f5293a9c92b09d1c4bfc371a98af30f169bc695

Download Submit
\Windows\SysWOW64\Njnokdaq.exe

Filesize
99KB

MD5
4959959fca2e19514884ff6c0c9e5d41

SHA1
7149e35b6c7898ee2cd9f14e86646ff353a9e3f2

SHA256
8f8fb510f0f1efda8b770ebaa732c063a9442cd9eebec8192822f4af07fcfc38

SHA512
fdc1f573b2ab4c6b4919b0eda87e396bf0f66b473e477524d200e9ba1d154d98e53c8ec73e3ff199dc6f6d20655fb77207d9b74287e1980cfea9210d263e7df3

Download Submit
\Windows\SysWOW64\Nopaoj32.exe

Filesize
99KB

MD5
cbbe2536c68bb77d3a093dc2cfd17111

SHA1
d8ef6caf7a71cb359630c4e9f80562b9118ed514

SHA256
f9da4b0ae3948c21d2b0d9806550a289490b7567bca621935762c128dfd8b48d

SHA512
62e43b5b10e1eb6a9fd3e3e1cded92c87e53245237210afeb677dbf37fbc174c225a78f1cc98c49650aea5d4709b47159b1c96383444a658cfe9363f39a85191

Download Submit
memory/112-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/112-282-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/112-283-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/360-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/360-272-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/360-271-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/568-144-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/568-453-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/580-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/684-474-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/684-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/892-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/976-218-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/976-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1012-498-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-250-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1036-245-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-251-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1048-444-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1252-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1292-475-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1308-463-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1468-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1468-522-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/1576-507-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1580-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1748-293-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1748-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1748-294-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1776-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1776-127-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/1784-360-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1784-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1868-438-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1868-443-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1936-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1936-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1992-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-236-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2012-240-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2012-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-196-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2044-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-179-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2124-428-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2124-113-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2124-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2124-432-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2236-92-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-512-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-198-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-305-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/2420-301-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/2420-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-7-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2448-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-13-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2468-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2468-473-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2620-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-370-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2628-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2628-39-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/2628-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-348-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2656-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-422-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2728-398-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2728-391-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-334-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2808-316-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2808-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-315-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2816-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2816-323-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2816-325-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2832-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-53-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3024-411-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/3056-527-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-533-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/3068-261-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/3068-260-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads