berbew | db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854N.exe
Size

163KB
MD5

a1fcacedf10487da95e5bf0e29aa89e0
SHA1

a00a75655a7ed22c4536369c9e791d1f630f2f51
SHA256

db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854
SHA512

4bf0c8a89bc6f5ce30df5a072712e08c6ef80dfb72f26483a13bb25e3e099e43b21c8cc4cacc94811cf876f3626ca44a5945acc889bb238e7cbbaa55d764e99c
SSDEEP

1536:PAYX/1VxtY/RNo6/JGIgE5DzMZZZhVLi5slProNVU4qNVUrk/9QbfBr+7GwKrPAS:/XHvY/RyY/F8Dhk5sltOrWKDBr+yJb

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b9b-135.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
2732	Jpijnqkp.exe
5028	Jefbfgig.exe
4144	Jianff32.exe
3444	Jlpkba32.exe
3516	Jehokgge.exe
2672	Jmpgldhg.exe
1924	Jcioiood.exe
552	Jfhlejnh.exe
2944	Jmbdbd32.exe
1596	Jcllonma.exe
2832	Kfjhkjle.exe
3424	Kmdqgd32.exe
4272	Kfmepi32.exe
2348	Kikame32.exe
5104	Klimip32.exe
4440	Kbceejpf.exe
3180	Kimnbd32.exe
1848	Klljnp32.exe
1296	Kbfbkj32.exe
4372	Kedoge32.exe
3440	Kpjcdn32.exe
3452	Kbhoqj32.exe
2936	Kefkme32.exe
3528	Kibgmdcn.exe
1788	Kplpjn32.exe
4848	Lffhfh32.exe
428	Liddbc32.exe
3496	Lpnlpnih.exe
4864	Lbmhlihl.exe
3836	Lekehdgp.exe
3636	Lmbmibhb.exe
456	Lboeaifi.exe
3436	Lenamdem.exe
3376	Lpcfkm32.exe
3012	Lgmngglp.exe
1636	Likjcbkc.exe
732	Lmgfda32.exe
2172	Lpebpm32.exe
1512	Lbdolh32.exe
5064	Lebkhc32.exe
2816	Lingibiq.exe
3916	Lllcen32.exe
2176	Mdckfk32.exe
1192	Mgagbf32.exe
1964	Mmlpoqpg.exe
3464	Mpjlklok.exe
3932	Mdehlk32.exe
3008	Megdccmb.exe
1460	Mmnldp32.exe
4068	Mdhdajea.exe
4752	Mgfqmfde.exe
2664	Meiaib32.exe
2624	Mmpijp32.exe
4300	Mdjagjco.exe
1580	Mcmabg32.exe
2464	Mmbfpp32.exe
1664	Mlefklpj.exe
4916	Mpablkhc.exe
1496	Mgkjhe32.exe
3788	Miifeq32.exe
4420	Mlhbal32.exe
408	Npcoakfp.exe
3956	Ngmgne32.exe
3884	Nljofl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jmbdbd32.exe	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Kbceejpf.exe	Klimip32.exe
File created	C:\Windows\SysWOW64\Lbdolh32.exe	Lpebpm32.exe
File opened for modification	C:\Windows\SysWOW64\Jcllonma.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Nffbangm.dll	Jlpkba32.exe
File opened for modification	C:\Windows\SysWOW64\Kibgmdcn.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Jcioiood.exe	Jmpgldhg.exe
File opened for modification	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kedoge32.exe	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Lekehdgp.exe	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Fqplhmkl.dll	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6608	6488	WerFault.exe	263

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbfgig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkmacoj.dll"	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeokj32.dll"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kikame32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 2732	4492	db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854N.exe	83
PID 4492 wrote to memory of 2732	4492	db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854N.exe	83
PID 4492 wrote to memory of 2732	4492	db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854N.exe	83
PID 2732 wrote to memory of 5028	2732	Jpijnqkp.exe	84
PID 2732 wrote to memory of 5028	2732	Jpijnqkp.exe	84
PID 2732 wrote to memory of 5028	2732	Jpijnqkp.exe	84
PID 5028 wrote to memory of 4144	5028	Jefbfgig.exe	85
PID 5028 wrote to memory of 4144	5028	Jefbfgig.exe	85
PID 5028 wrote to memory of 4144	5028	Jefbfgig.exe	85
PID 4144 wrote to memory of 3444	4144	Jianff32.exe	86
PID 4144 wrote to memory of 3444	4144	Jianff32.exe	86
PID 4144 wrote to memory of 3444	4144	Jianff32.exe	86
PID 3444 wrote to memory of 3516	3444	Jlpkba32.exe	87
PID 3444 wrote to memory of 3516	3444	Jlpkba32.exe	87
PID 3444 wrote to memory of 3516	3444	Jlpkba32.exe	87
PID 3516 wrote to memory of 2672	3516	Jehokgge.exe	88
PID 3516 wrote to memory of 2672	3516	Jehokgge.exe	88
PID 3516 wrote to memory of 2672	3516	Jehokgge.exe	88
PID 2672 wrote to memory of 1924	2672	Jmpgldhg.exe	89
PID 2672 wrote to memory of 1924	2672	Jmpgldhg.exe	89
PID 2672 wrote to memory of 1924	2672	Jmpgldhg.exe	89
PID 1924 wrote to memory of 552	1924	Jcioiood.exe	90
PID 1924 wrote to memory of 552	1924	Jcioiood.exe	90
PID 1924 wrote to memory of 552	1924	Jcioiood.exe	90
PID 552 wrote to memory of 2944	552	Jfhlejnh.exe	91
PID 552 wrote to memory of 2944	552	Jfhlejnh.exe	91
PID 552 wrote to memory of 2944	552	Jfhlejnh.exe	91
PID 2944 wrote to memory of 1596	2944	Jmbdbd32.exe	93
PID 2944 wrote to memory of 1596	2944	Jmbdbd32.exe	93
PID 2944 wrote to memory of 1596	2944	Jmbdbd32.exe	93
PID 1596 wrote to memory of 2832	1596	Jcllonma.exe	94
PID 1596 wrote to memory of 2832	1596	Jcllonma.exe	94
PID 1596 wrote to memory of 2832	1596	Jcllonma.exe	94
PID 2832 wrote to memory of 3424	2832	Kfjhkjle.exe	95
PID 2832 wrote to memory of 3424	2832	Kfjhkjle.exe	95
PID 2832 wrote to memory of 3424	2832	Kfjhkjle.exe	95
PID 3424 wrote to memory of 4272	3424	Kmdqgd32.exe	96
PID 3424 wrote to memory of 4272	3424	Kmdqgd32.exe	96
PID 3424 wrote to memory of 4272	3424	Kmdqgd32.exe	96
PID 4272 wrote to memory of 2348	4272	Kfmepi32.exe	98
PID 4272 wrote to memory of 2348	4272	Kfmepi32.exe	98
PID 4272 wrote to memory of 2348	4272	Kfmepi32.exe	98
PID 2348 wrote to memory of 5104	2348	Kikame32.exe	99
PID 2348 wrote to memory of 5104	2348	Kikame32.exe	99
PID 2348 wrote to memory of 5104	2348	Kikame32.exe	99
PID 5104 wrote to memory of 4440	5104	Klimip32.exe	100
PID 5104 wrote to memory of 4440	5104	Klimip32.exe	100
PID 5104 wrote to memory of 4440	5104	Klimip32.exe	100
PID 4440 wrote to memory of 3180	4440	Kbceejpf.exe	102
PID 4440 wrote to memory of 3180	4440	Kbceejpf.exe	102
PID 4440 wrote to memory of 3180	4440	Kbceejpf.exe	102
PID 3180 wrote to memory of 1848	3180	Kimnbd32.exe	103
PID 3180 wrote to memory of 1848	3180	Kimnbd32.exe	103
PID 3180 wrote to memory of 1848	3180	Kimnbd32.exe	103
PID 1848 wrote to memory of 1296	1848	Klljnp32.exe	104
PID 1848 wrote to memory of 1296	1848	Klljnp32.exe	104
PID 1848 wrote to memory of 1296	1848	Klljnp32.exe	104
PID 1296 wrote to memory of 4372	1296	Kbfbkj32.exe	105
PID 1296 wrote to memory of 4372	1296	Kbfbkj32.exe	105
PID 1296 wrote to memory of 4372	1296	Kbfbkj32.exe	105
PID 4372 wrote to memory of 3440	4372	Kedoge32.exe	106
PID 4372 wrote to memory of 3440	4372	Kedoge32.exe	106
PID 4372 wrote to memory of 3440	4372	Kedoge32.exe	106
PID 3440 wrote to memory of 3452	3440	Kpjcdn32.exe	107

C:\Users\Admin\AppData\Local\Temp\db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854N.exe
"C:\Users\Admin\AppData\Local\Temp\db283d9d1380dcd14660011d9f285c6cb1e7bef6b564c6236cb7f28bbd33b854N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\Jpijnqkp.exe
  C:\Windows\system32\Jpijnqkp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\Jefbfgig.exe
    C:\Windows\system32\Jefbfgig.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\Jianff32.exe
      C:\Windows\system32\Jianff32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
      - C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        27⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        31⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        42⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        45⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        46⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        48⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        49⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        62⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        65⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        67⤵
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4292
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3904
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        74⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        75⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        76⤵
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        77⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        78⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        79⤵
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        80⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        81⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        82⤵
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        83⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        87⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        91⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        92⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        96⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        100⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        102⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        103⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        105⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        109⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        113⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        119⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        120⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        131⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        134⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        135⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        136⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        137⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        139⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        140⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        143⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        147⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        148⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        150⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        151⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        154⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6668
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        157⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        158⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6804
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        160⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6884
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        162⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        163⤵
        Drops file in System32 directory
        
        PID:6964
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:7084
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        168⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:6184
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        173⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 400
        176⤵
        Program crash
        
        PID:6608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6488 -ip 6488
1⤵
PID:6592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
163KB

MD5
a8ad30704ae5788f2d920d316d2cc4f9

SHA1
eca3ff94e155fa238d97b570f949de22fa0f60bf

SHA256
d716572fabd36a5d2078eddddb7c6f5d19d70f207605db66d24c72af109d048a

SHA512
e98d368a64b272b6e859acb9d4e9d664836946cca5ea35018c9060c19d3d21d8aa0ce060597787bc8b22690978151083702085b1bdeebf00cccca499797ce97e

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
163KB

MD5
5097da7c0d07f3f1b2b8b1a270731e61

SHA1
caa79af641003fb9c984326c457d5f8b61eaca31

SHA256
9b73aa0860a0608c607a0f42e025e23d313ba33fe33a83504685745167f6d47e

SHA512
cb0f7de659a2cc275916ca5c014a6af51ef9149883c4b6803be7911b10dc54ed66f5627f30d3e525bcd640aa7baab314bb7d259a6739db0102a14a4835adc219

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
163KB

MD5
e627217422188e83bc5ab2b1b9784530

SHA1
ed785ad759655ddc6ca063a58d8b1551d43c085a

SHA256
151e9125aa8da7d245bab53f42481ca8140b017bba5b84d2c520bc0bc006225c

SHA512
12c86972fd9f8a61bb58ec688909334b457980ce742d8293e626fe47eb62c18b664b3af5f1376a518dd49920759bff5d927510d9e9f7c039e7b0617b97224eca

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
163KB

MD5
a663979e6b563e4cfbc8e2a9b2831009

SHA1
eb9d5582d3b622b8ebd1cd8a078b66a7b2de8d24

SHA256
c20c607df77016aae4aa760729ba70fc4f6af7c17015642f8b8861be33f1e1e3

SHA512
0e8eae563d9c23216b9663ebe229889a13fe76508d44ab3b296dc50894842c931c5ff72a934031848508a9ed94e0242ea0bf1c8e492a4d99b9398ff263712a41

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
163KB

MD5
a1c1bb37d416c31f39d5e8fe42bfc307

SHA1
0fc2ac5e71d6342978bb3e6132a1dafe922107d0

SHA256
350a204c02fee53d8405c927d137157b9d4a65df19bcb1823a4841aace4a43f1

SHA512
bd9a58a614476b78d2ab955ba55c1e157146772157fb1a3839ca6a3160dc0cbbdddd3d2c2c6fb4f950f01ee2efdd30dcee59e8332057e71922877fea2f3fbf43

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
163KB

MD5
7505acb49b22dd2c9e3fe2122b651c46

SHA1
54542eb24bb8106be8ec2f9d8bfe08ee8e6cb94f

SHA256
f9268da0579e13fe3ab2ebd35e3d8879f9d2e877882994e703d7f4f5235d995c

SHA512
b2b41d2c0f121bf1d87fc1d430f4966437fe5078a2a95b9290b68cafee929c444be307e6b788e9c741bfd6ae246457d9832b0490a78c2bbf0e77a31b23da1edd

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
163KB

MD5
59aa0d6546db96a8359333ea298e7918

SHA1
0bcae175468ef462855e64b3ace1ec8d1f92e702

SHA256
eb80ec9a1cd4b65c4ef02e6cb40a2b9d91e470df6fa75a01ea5d2652147d4bbf

SHA512
3a7c41f56cf827ce89232c8101cf701be7b4d72900fef55e33a9b97de7b9921761aa55cd9cdab262ea40d27eda92632abc03b4eed5550c00ebe7b3006067125b

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
163KB

MD5
af69993c60090764bb2392630e22b913

SHA1
dcee0fcd0e3d569a32bbb475d00f12de4bbe60af

SHA256
85792546779e9cd36bfb7c702de21224ebab6116905ae88e1c7bbb0f7d0c54a6

SHA512
0b5a7974e237370a7d7177b8e97ff35d3f43b96a274a23f2f057db4c84e92731860aa48bb1428fe926680690cacac550d7a6798e71336e90e9e638decde95d30

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
163KB

MD5
ed826d01a45e8a3d2c90d723e7619711

SHA1
9e054883edc76184035cec8e68cebca28f37b1bf

SHA256
7e82a4d4451583a343eead26ce12c87926715e66c6896980dec1201c5284ce77

SHA512
5bb2fd240390676796719696854ed25ec28babdf8833024ae10edd222347948f56388025234591201a90f6df00bec0a90efd0cd4c26a2a5139e6be6bdbaca6c4

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
163KB

MD5
3a965e78cf7ff47d8d7d09e38762e50c

SHA1
69ce20e8324ba06550babfafa738320bbae5e4f5

SHA256
2dd47ec24358bf1410fbe9ddd232e0db401bb5de044db1dfe3bd6ef61cece1b4

SHA512
03f88b62e1d39e5de175faacee3847f4b1e3efeb7f14a4a1a98ea887db99c8e081277de4065e3ff3bf882418c56ab9bca710fdf050b0eb20f01b1d625d55b225

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
163KB

MD5
e704e7d5e99bc837bb7cd0a8f317c9aa

SHA1
c79e495d3b0289d66bad3a3cc65d6bcfc8e281c3

SHA256
18740302ae1e5b34ccaf08c5c662301f08b66da88e35ee42ab05ee15f1d082c4

SHA512
d5b3ce6b6dafb91be43aefa9f9092aa5473641f05abfd8c391ca9ac6074670dc5b2bc08d6c0b3269f487753e1433342557c8832c46afe8a346e04af705ce345f

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
163KB

MD5
d8d173b6deb92847d953156251e35e24

SHA1
62ff4c619eccdbd3c5b539922254ecbe29c4ef24

SHA256
c23c6465ec28e3a9bf4ecb327893f7a74a7f89bbe08bd90b02b2129e1126015a

SHA512
b4494077dd163139f11c56d0281d927295b8e536060cad159f4a2f78c32f2c89975fea03819ac12cbc8d10632be7834a627f4023c6e7186a1f2dc8a7b44b432e

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
163KB

MD5
04c328efe0c2d1c0a8bff2c82bcb957f

SHA1
cd6ac540e1146f8b489f78c6dbf8286dd39cf1d2

SHA256
e676fc36e45f023c6977b9865e60fb1b93043a2be7a5b813551e1e65b0eddfbf

SHA512
7c2a89e58afc594ee19838f4125770990542dc5715bd5cf98fe3a1880144473591e604706d72deab4709cf77ac3b7505c867eeedb0db30ce88c3224d66fc52b0

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
163KB

MD5
8f9feb44aff30f99aba509207a74c1b7

SHA1
a0b7920abbfa08ba5b51d1c2a0f2a8a096b442e9

SHA256
65b698c739f193bfeb0d80faa4d84d1e22eae1a25e590e8fa346900fb6393fd4

SHA512
41568e7cd407a334bcf6d0f42d65952f013c30f904729a77a4d18cee5729da88cffc128886c92c2038ee4ffb1e92c838d26b210dfa6d3bbf1628085a0d35570a

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
163KB

MD5
cf1f86d4f564b5e970ca2baab8a00d01

SHA1
a07552d0c3428c8fa5bc7f9c475d986a8753b6ca

SHA256
735133a654af61a728a544e258bd62081c5ffa2acde6929508751702fbe789dd

SHA512
20cfc74e5f585af42d15a95bdfb99d720650983ca27f25464e3c11c04c1040d4b9ea119dd4c487eaf7158faeadd43bbeaa765b2cc15e03abeab4befe8626404b

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
163KB

MD5
be8f16abb251f115e19a5d09cd3ea42b

SHA1
9c0f71fe5a7ea5a2510a70a1ed2c82f416d26fc3

SHA256
6f0ece3fcc8fc080c690ae3ebf952f7ff908cd6ff4e585b78ecdcc3f05847a3f

SHA512
b6bbd0c280a0370dc7fecc57340a2862eff97815d3d60c64029ae8799de2fcd874cf92c51b0197b09e8fb1ec81294fbce1011036f608773f9956c1ad65aa6188

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
163KB

MD5
ff6c02c27da73a3a4cb5d6e06afaffc6

SHA1
c0403ebbe268df5243b0df192c9517920a216fdc

SHA256
dd5d1fc2c9b0343113651b00fb2113e7efe093022d95cbe6639d5058f6955a8d

SHA512
6338af608696e9ff4b75bb88b572cfc61bc11c6308ff065533ce64562300d56bebf6b5408b28b10fc34a9bcfafde1afa491ae792422434d062b4d41bf0a89658

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
163KB

MD5
7aeb2960207f006d2c9d24f6d182f408

SHA1
f95051f28e3695a7444d70b7a2231e9d10aa5dec

SHA256
f3348055bb8a1276909d1b2fed3b5723f3cd7afe6f99028527b9604279582975

SHA512
9a914d56c9623ce9cf190f31650f4ad8574d67e23ac567166f2f6830df8e169e7a0f2f75b5ba2d529e6d7d59fe9a58272465ec7be2abce456968fd53e4eb3005

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
163KB

MD5
621d00a9bc3f964b7c99939f7571faf1

SHA1
6ca6704f9bc6674158e78daa120b45aa9252f859

SHA256
2f0904e63d1fc0086a904c0d9aa4718161d355630e2cdab502f90b4f5761e6ec

SHA512
6f2408b44214ae9f899fafd20bb4094fc12e967801fc22ba290614117410da43505aa48ccf525407ededefac74bbd3f0fccbfbc65a4e5a2b2e45b8474bbcc7cc

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
163KB

MD5
52160baa110857677833b7dc55cf16a6

SHA1
b757c614ae1d10564741fd2a9e2713d83f072baa

SHA256
0a5b6a925e8b90d878b5a89c1c9aa44c97389b54ecc77853206e2c7e769c8ffa

SHA512
522f61fcc311317f1df23f4e62a1552442fb756d4a65916dad7a211e28feb6cf4979a57cbe2e99e8de3f43bb296a85ee886bc1032ed058b73388027be9f4a2c5

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
163KB

MD5
1a13a5d398d76664d7ea83a856b4490e

SHA1
b6ef7cbb4be770b53954b7ed881eea9168fc8722

SHA256
9f0a1154167f033d16f530dcbc14ffc265a7dd6bdee230447355a92ade7e37b4

SHA512
92953963a3a7a79f15bd6d956b603b94e4f880aec8315f7b7cea61422448e260825842bb611136b1c77efc236cbfd46c076a261a81d10d5fcef778a91247f7da

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
163KB

MD5
fbb378cc534daa661683e54c80f3b2ed

SHA1
f2482eb19b7473ceddb732fb8dfc0471dc583ced

SHA256
72054ab93d7b04d7f22a3d85239906331014d8f3e2730e09a46042246697f170

SHA512
7227886efc552c8187d5496d4b42bc8b90182e05bcea9b8d0e5a0d56add5ca4ffae815f5bb2a1b0e4c2ece8d01061e9ff43d545c8214e482511e56e6c41a042b

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
163KB

MD5
dd5581f1c85c831546580ada8816ec7c

SHA1
97c8d0fff2142e5d2bb3e0ccbce57b35f1d1ea70

SHA256
efe091167c6d9a2552e4ad23757e797f745f4bc79f61a73bd289f314597b1c93

SHA512
40297f94223603ae4c49afed54526fa10a96e62f763fd0ac6b6182d823d43a60448652ed19a365d26d54d06eab3364f3f83f8789fc91fc61b6273a924fcb7599

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
163KB

MD5
0b999ab3a483123b3109657144152d02

SHA1
4ff2b3a622a56303bc85a71a6510140bcf087066

SHA256
e644f9b1d091397412a5cc7613118599551f1ead35a9c050267b90b7f6591fac

SHA512
aea0707eee20ede6c7df6081f7cadb995215b2297cfd12092c47fd15c25089fd1e37f54ebaac83f03ea0bcdde7e34ae8af7774ef68d296e92d0e5f960c5fec6a

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
163KB

MD5
aa63ac3bd3bebe92be34b1adf3635144

SHA1
8df3616be9e867d9668d49710caea04cca246e0e

SHA256
1cb073eca043a584c728a666e7626ceba0d5a17421e7cd45e71409dea735218e

SHA512
9085af60d48156987a38d925fe3846bc4dc83a5618689a19e960993f36d6d18266555178671d65c987c47d48c94a87713eb857b4e31ef5571be9481e45d7876c

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
163KB

MD5
a34705c384c42a622edfc4e6bf89752f

SHA1
5d706a49d0303567b3636067645bf7e493728be3

SHA256
122ab87ffac9d8c6274808a2a1f71ac6947e02c8eedc39df06eeb974110272c7

SHA512
6bcce057c48feaf36594cd125f730fb9b324ad7ff3af410fbea1171f300766aca1985289ddf46648c2cd3ce3ecd5a9c11aee3de00589e71cb3444d90546c0f75

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
163KB

MD5
286eeece66bb88e57d40c6cfc90bd05b

SHA1
d94f35dff9b7816856719b37c14a123c250b5426

SHA256
0e0ca35f3904b564b6eddcc0a1ddf8c8a50a0dd8a0f47f099d53ec7baf3eb8c9

SHA512
47d94da9a4c179e29f46ba9c79e44e903da02b2611b38e890067b4071bb417b702b8716b08a4f8f7e742a54c83e3cf4581ea6303e081dfd2cb136e9904ce2603

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
163KB

MD5
5ad049d2512dfcad3b330ce5e9978ff8

SHA1
c414fdc862248110bdf6e372e82dabcc68d808e4

SHA256
280e2ca3a2060ccf1469f0d244b01129741b95e0be29789032cb9567c41fa446

SHA512
4a8fe2fabd18bcf1b6b097441195676c1551dff5d410c1ca749c934e91acb7dcface42c4f103d56b87f89b9bc11ce5c587c5aa26e86ab5efd12a6ffbf4c34bf3

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
163KB

MD5
bdb0ec73a591cc285d86a86ece7ba8a3

SHA1
e063eb5f92d18f07dd58199f552676c8a8d839ce

SHA256
9585647dbd5e2acb9d5f7bf8bdcb6944719bdcbf1f40752340e409ad30672ee1

SHA512
b720dd2cbb6d5951eeb2e32e7cf04b0f11c47be8607b86cd330236f638258c4c695fd54067e9b606a93523c1d231f9f548e3d79dc5dfccb365ae93a1e05db341

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
163KB

MD5
adffff1d9c4dd7591e136dab890d27b2

SHA1
cd0138a9d26bdfe11bcfae53e550aa6fc4170e63

SHA256
a7e1a4f1ed01960ff34902b40784c556fa338bc9bd529646b6c64fa85c07590f

SHA512
f4618fe03f81771277ee899bbf1ddfb81ad2dbdef2f8e01f71b56a8129cbb8228cfda9403b48c6213f6063ff7ade5a4ec5f44c227dba8740cb7198b817dcedb9

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
163KB

MD5
c073de6d795c943b3827f034e7ef3159

SHA1
b420f35d85fa7c7dbbd0ea734f6f82bda050887f

SHA256
8bbadc418d038bbfe759759132b78413f005c25596de6b4b2a02f8a609833899

SHA512
b1bdc51985d42ef9e619227513467f25c1741de38d44687942cf7164594f62d441ce261ab5d547ea2950f341cb83c7f94c14755862f50aeb3bdd3d59a0172992

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
163KB

MD5
c237f6236dcdee4b84da2b446e171710

SHA1
acd20344b2c980fbce48b7e9ab8e28ab5aa343b0

SHA256
b1772c52a10b7b1035072e28bd7c549f62d666e57320fa97da1456a036deb578

SHA512
d949696aa334a49380a54165b12dabc754f68d50090fb465662c7aa8571005a993ee035c6c0341e045c2fa47c851572c1b5dc64421aeb07982501e7ed3e38333

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
163KB

MD5
738931b31fdb7dba6c8c7d1ea4dbd70e

SHA1
de6f5a85a06c29eb75433ee5a6d2b14eb764358e

SHA256
b5658b4092d555013b37dce97a19761f7375682d7b81eeab4e6d0be237280b35

SHA512
05a87d78c683a632b21a1fab86beeaa50cc5586271877e7943eda08ceca1548340fc351f6ad9ddecc2311ea852fa076f436a8429b0032a495655387d5778c0fd

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
163KB

MD5
090d4ab42ed5ac58c9c009464471631d

SHA1
92d382a28e821e8cd0053bf258d911b367faa7d8

SHA256
5a9c3a7a955e929dae25539af956a39fec004f82edcd74ba3112b799a829a702

SHA512
2337a6535e0e64ceee2e0607626dd81deec4f02067de75b6c35cb861203df569402d8583d247f7e786742afbed590f6ebe04c657faad54c96008a0f30c29b434

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
163KB

MD5
31e24cd3f2803b9cc982ff378ec594a0

SHA1
a3e725ad8798e276233d31ece7c6205195110c62

SHA256
bbf3a2810b87d85fc27d192813916be0edb13dabf059f316aab1fe7b507213b4

SHA512
508252cedbe72dc54ca37bb9413e23955d8b796eb28c2048ce302395ecb168b925bd5775aba5e3dd7a5cad6b17205e6ffa10db4cad35e58a32d36e9fc538826d

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
163KB

MD5
4b2d23d4149d3f0e745d16e2c8fa2125

SHA1
31831eba7e1fa9b5e0ca780f7e5a69f4ed027ce4

SHA256
046df0b675ac0cd872015a3d842245f1fe2859c6fa7632753e07d29cf3ab9f87

SHA512
7e48a8963224fcc131f86065f1d4ca5818546b414733fe159cc8a34c8b4409973b5a5411873b8e44b5be239b39c76e1f4daa4ce26672d705f09aa4772ab1b600

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
163KB

MD5
90a1eeb8b7866d3ee711860fad8bf696

SHA1
7165caab4b4192465cf310886e7fc07b66fbe832

SHA256
5dc51d7a29fbdc45729edeb8554e211a32faf0b025d291c1d2dab48568e8cc3d

SHA512
3f741ee6a01015ead8d25c6a21804eba585c2ffd1bb1a8b5595ff3d61eb587452cfdd7f0bcc69424915cbb62839a472622a667172f283850fcce846c919d0096

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
163KB

MD5
eeb25fbe148b9c2be041d4890c0ba19f

SHA1
41b3dbb2a5a9169706058d042fc57857e209f010

SHA256
60270e34a06f618b8d0291b16f25d8bc13d20e08fec72fc79ca67a8233bf196c

SHA512
e8c955ead5d0c85b8ae9e94caff0cc9bf2ef9bfc51db00cd7ca7785b97ee86187cb5237cc5f6466716f051b8aae32194a0fa1c144b5b88049e3e3e26f0cbd1b2

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
163KB

MD5
a34b55f3f2d62b3d5bb17fd382795dd5

SHA1
1465c546d5ad03f04a52b0266c5b8769176d0c40

SHA256
142aea9b2d437f41c942afa52caae86892bfa398f79bc055c8a78716d4dce2fe

SHA512
fc3bf8ab70197b192ce6b976efa29a2df4522209cb99eabf990e8f6c4e36568dd64765a5da15e4c74bac95ad6b5d791c75adace37bb6a88a784b343155bc518d

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
163KB

MD5
49dfc5a088ab7ffc326a9f4a555c42c2

SHA1
c05aa7e51a39e165f115b9a1edcd29fe627b819b

SHA256
bc34720c41c5222af8d3ddf834b2f04aa65ef2a8ce222068ab348706091603a8

SHA512
a335a97f384dff73c9bf53bd0e8ea5b84cf054d6df3bbdb13324f66d4fa11b4843963d311aa7a180535e6ba63099e92817f2058f004e3336995f40465f7e4b69

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
163KB

MD5
029a5df4b0d00d60253c77a13a66b9a9

SHA1
f04e777cc8dc03c1650f6756eb33ee327b14ec89

SHA256
49e4fd35e93a84dc2dd48c243a37727befa0317f1e6087b10a173aefd663b6d4

SHA512
73aef60b29f8531b5accc688c8a5953764b6025b2005e5a2923edc1c7d1f61e2e8905e5c09489dcf85b84da9e2d6fa66c70b81ba0f5af62cf46d60db72470b6d

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
163KB

MD5
3ff373ebde91d999be314bc6e672ab46

SHA1
519307ada8ed552eb1a4bb90b17f45e7a68a609a

SHA256
c267e6c39291593a8824c831aaf9111778d3ef50f9024555d01ca75bb6c5b7f8

SHA512
899fda112162bf20594f09dcac987f216cdc5a83126c31c387f3280332e70206f4a72ddf7841566305676063c05cef5fa7b75d593b2ef07f76db03b1041db9cb

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
163KB

MD5
6448bd4ca7e090bb78cc4a969992f533

SHA1
b28832a417c4cbff8647dcb034bda000789fd41b

SHA256
dccc4ab7603f6ec4e5e7b9f81f17f9f1289059e7679ada88a73b7ded14dd493d

SHA512
a297a44b4468d1a2fbefa0c49ddf969b972343a63c21e085fe5df180ac836b321128d1a831830ad01937e4748098bae0ea120011c0fff2e041b9ea1e6f11e6d5

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
163KB

MD5
defe2c20e480feee7a6e55717c9ffaca

SHA1
a092b92b2d0af062a5b607230ce11e9e34f4e956

SHA256
3dc90a0518f23b739d60d1fbee05592670a82786435df990bc22305eee8bcbda

SHA512
576631e2d54c91f2c053bb87861215e80658bde75bed4d9628a341a2e54c2b610e8144113f5a7b9f4d176849b8f3879cb6743bea87d1eaa86e0c670301d1b37e

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
163KB

MD5
916b8bf79a8a829b46aedd15b7cec43f

SHA1
c9075bf9cc13bd0d13b598eb77736def43b7fdfc

SHA256
ef20a33266c9b29d2ba3e5e873568e95487a8a63240f8dfc2c86d236de6a9c9a

SHA512
02e3bf0643fb24a129565c19e9c0cd7f916e99921b986872c2484903c3341d381411f68a2a3777b3adc8cd166e5f2208346cbcf2ae0019bf48a8b1d35c2369e4

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
163KB

MD5
709a5b20f54d5ce6c6485b65c831f434

SHA1
37dbe68acfb5d673700086234b18ee343946b97a

SHA256
06f259a373979fad32b378979e8e5f96a2e8134069bb3dc0bd7b60eef552cd9f

SHA512
d0e5709af30e525965619275dd90daf7291d5f2f40a96346935350cc2323f3f5e1f113a5ce41e61376198560fc48e7d1bed4461402d63a449b93dacc213e8d9d

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
163KB

MD5
b62a256c0d5b2ba9392a45a64241bad4

SHA1
5f9736700aa33c0c581353fa4c57a9cb9e23f621

SHA256
25ba6105da4152695c786ff9585492699b88d5c45b322c406047f0261d09d13f

SHA512
abfb4bac55c0881fab9cca7748374afe9fe6c425802271f49d6aeeba86ca6179167397dc518a924e5fbb42f44ffe850419fe203649a361960dc3d63be68f9df7

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
163KB

MD5
6791c52f09a69bc81ea53fd574ded5dd

SHA1
6283a0f226092e9d9d1b07d28035b1333c9bd50a

SHA256
cfb89edf5822bc5a4ac8735ce81097ab2e5795df25b40cb99a31a223db7d3f29

SHA512
1c046279d47987c0b49e76546ca4198d0f17aa23a0494d821ac1cbf9efc4519efe91368986ba792088ba59ec020850721917dab5380d25af3b382dbf805cc33a

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
163KB

MD5
cb593227162ff3cc5d26afa71164f0b6

SHA1
1faf17388027fd2952c9316c4f15705e539ed251

SHA256
ef19c578db96cb5b29f36c4098e066aca6788b4fe9564d9b8189f33b04a4c5db

SHA512
8d77a72dcb10326506f199ec28bbd32019570fcf3b80934ec2825df7a915156bb1925b24811c697027cb19f3d13e00c372f02e717dd7d1435fbe468a1553db89

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
163KB

MD5
cce045a58516c82f49bbcc70302bf847

SHA1
888ff67dd47d26c1abd1d69d1f821432a4fb85dd

SHA256
6ce9452baa3ffb96cf1afa2f7c0d8a375e0d64900e2c24697e4376b186c4aec8

SHA512
6abd2c1918fbc237eda182dba34ea4f2d2aa63e5a19764165d0642d2cec4cc00d3499997c5b9f6e9d92ead701a9bc49735efba476a464ee4a3d2c1bd429035c8

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
163KB

MD5
84d8c0419836c08c13e5e18e36e35149

SHA1
26e7bb7550d73ce6d9ced037420b7d35bf2ad4ae

SHA256
940c58d0ee655dd439897f9f6241222fb91c2dd5b0e71d2f8539f7a0e7e2ee7a

SHA512
3ac6253418271f3b36e8362997486354fdaa72414e6296a427125a94468a22192287dd426e290249bb230060b46e717922d1282c34ca574377294017cdbc9731

Download Submit
memory/116-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/408-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/428-1464-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/428-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/552-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1192-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1288-503-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1460-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1496-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1512-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1580-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1596-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1636-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1664-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1788-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1848-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1924-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1924-588-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2120-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2172-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2176-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2204-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-548-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2348-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2464-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2572-569-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2624-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2660-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2664-381-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2672-581-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2672-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2728-1352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2728-555-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2732-547-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2732-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2816-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2832-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-521-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2944-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3008-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3012-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3092-497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3180-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3376-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3424-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3436-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3440-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3444-568-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3444-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3452-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3464-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3516-575-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3516-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3528-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3540-509-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3576-491-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3636-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3656-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3788-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3836-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3860-589-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3884-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3904-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3916-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3932-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3956-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4036-540-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4068-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4144-561-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4144-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4228-541-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4252-515-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4292-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4300-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4372-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4492-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4492-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4492-539-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4624-562-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4752-375-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4776-582-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4864-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4916-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5008-538-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-554-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-1512-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5064-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5104-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5372-1323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5636-1312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5848-1274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads