berbew | 68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781N.exe
Size

73KB
MD5

7e67cbfab26c11fafca416dc7bc34580
SHA1

731ada0968887f28ebbc12407d6a9b591b2b4de8
SHA256

68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781
SHA512

fa1ed9daed636bdf8f57d039d394710abad7cff6978c87d11704675b246ddbb1f9abbff29850f84c0cc0a91934e61ac51219566274bcc76cf222e37a4c4fbc38
SSDEEP

768:jFyVw7OvV4ivYdrlssGMRawtvC5PGzfUdd+2vGHXd2Lcx/FytCAs2p/1H54XdnhW:ZyVqlivirI0Un+7XYIxH2LcdryyAd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1492	Klgqcqkl.exe
4428	Kbaipkbi.exe
3444	Kfmepi32.exe
4524	Kikame32.exe
4460	Klimip32.exe
5076	Kbceejpf.exe
2316	Kebbafoj.exe
3076	Klljnp32.exe
1068	Kfankifm.exe
2012	Kmkfhc32.exe
4844	Kpjcdn32.exe
4972	Kfckahdj.exe
3944	Kibgmdcn.exe
2912	Klqcioba.exe
3092	Lbjlfi32.exe
884	Leihbeib.exe
4248	Llcpoo32.exe
3904	Ldjhpl32.exe
3716	Lfhdlh32.exe
1192	Lmbmibhb.exe
2652	Llemdo32.exe
368	Lpqiemge.exe
4440	Lboeaifi.exe
928	Liimncmf.exe
4912	Llgjjnlj.exe
2796	Ldoaklml.exe
3864	Lbabgh32.exe
916	Lepncd32.exe
1892	Likjcbkc.exe
5084	Lmgfda32.exe
1164	Lgokmgjm.exe
2388	Lebkhc32.exe
4520	Lphoelqn.exe
3452	Mipcob32.exe
3436	Mlopkm32.exe
1512	Mmnldp32.exe
2032	Mckemg32.exe
4628	Mlcifmbl.exe
4888	Mgimcebb.exe
3312	Mmbfpp32.exe
2492	Miifeq32.exe
1328	Ngmgne32.exe
396	Nngokoej.exe
1500	Njnpppkn.exe
2500	Ndcdmikd.exe
2860	Njqmepik.exe
636	Nloiakho.exe
4632	Npjebj32.exe
632	Nfgmjqop.exe
4848	Njciko32.exe
4544	Ndhmhh32.exe
1956	Nckndeni.exe
224	Njefqo32.exe
568	Oponmilc.exe
1412	Ogifjcdp.exe
4920	Oncofm32.exe
4484	Opakbi32.exe
4104	Ocpgod32.exe
3812	Ojjolnaq.exe
3044	Opdghh32.exe
4948	Odocigqg.exe
3384	Onhhamgg.exe
3824	Olkhmi32.exe
4808	Ocdqjceo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kikame32.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Kikame32.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Klimip32.exe	Kikame32.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Kfckahdj.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781N.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjcdn32.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kpjcdn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6368	6280	WerFault.exe	245

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kikame32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1492	620	68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781N.exe	82
PID 620 wrote to memory of 1492	620	68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781N.exe	82
PID 620 wrote to memory of 1492	620	68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781N.exe	82
PID 1492 wrote to memory of 4428	1492	Klgqcqkl.exe	83
PID 1492 wrote to memory of 4428	1492	Klgqcqkl.exe	83
PID 1492 wrote to memory of 4428	1492	Klgqcqkl.exe	83
PID 4428 wrote to memory of 3444	4428	Kbaipkbi.exe	84
PID 4428 wrote to memory of 3444	4428	Kbaipkbi.exe	84
PID 4428 wrote to memory of 3444	4428	Kbaipkbi.exe	84
PID 3444 wrote to memory of 4524	3444	Kfmepi32.exe	85
PID 3444 wrote to memory of 4524	3444	Kfmepi32.exe	85
PID 3444 wrote to memory of 4524	3444	Kfmepi32.exe	85
PID 4524 wrote to memory of 4460	4524	Kikame32.exe	86
PID 4524 wrote to memory of 4460	4524	Kikame32.exe	86
PID 4524 wrote to memory of 4460	4524	Kikame32.exe	86
PID 4460 wrote to memory of 5076	4460	Klimip32.exe	87
PID 4460 wrote to memory of 5076	4460	Klimip32.exe	87
PID 4460 wrote to memory of 5076	4460	Klimip32.exe	87
PID 5076 wrote to memory of 2316	5076	Kbceejpf.exe	88
PID 5076 wrote to memory of 2316	5076	Kbceejpf.exe	88
PID 5076 wrote to memory of 2316	5076	Kbceejpf.exe	88
PID 2316 wrote to memory of 3076	2316	Kebbafoj.exe	89
PID 2316 wrote to memory of 3076	2316	Kebbafoj.exe	89
PID 2316 wrote to memory of 3076	2316	Kebbafoj.exe	89
PID 3076 wrote to memory of 1068	3076	Klljnp32.exe	90
PID 3076 wrote to memory of 1068	3076	Klljnp32.exe	90
PID 3076 wrote to memory of 1068	3076	Klljnp32.exe	90
PID 1068 wrote to memory of 2012	1068	Kfankifm.exe	91
PID 1068 wrote to memory of 2012	1068	Kfankifm.exe	91
PID 1068 wrote to memory of 2012	1068	Kfankifm.exe	91
PID 2012 wrote to memory of 4844	2012	Kmkfhc32.exe	92
PID 2012 wrote to memory of 4844	2012	Kmkfhc32.exe	92
PID 2012 wrote to memory of 4844	2012	Kmkfhc32.exe	92
PID 4844 wrote to memory of 4972	4844	Kpjcdn32.exe	93
PID 4844 wrote to memory of 4972	4844	Kpjcdn32.exe	93
PID 4844 wrote to memory of 4972	4844	Kpjcdn32.exe	93
PID 4972 wrote to memory of 3944	4972	Kfckahdj.exe	94
PID 4972 wrote to memory of 3944	4972	Kfckahdj.exe	94
PID 4972 wrote to memory of 3944	4972	Kfckahdj.exe	94
PID 3944 wrote to memory of 2912	3944	Kibgmdcn.exe	95
PID 3944 wrote to memory of 2912	3944	Kibgmdcn.exe	95
PID 3944 wrote to memory of 2912	3944	Kibgmdcn.exe	95
PID 2912 wrote to memory of 3092	2912	Klqcioba.exe	96
PID 2912 wrote to memory of 3092	2912	Klqcioba.exe	96
PID 2912 wrote to memory of 3092	2912	Klqcioba.exe	96
PID 3092 wrote to memory of 884	3092	Lbjlfi32.exe	97
PID 3092 wrote to memory of 884	3092	Lbjlfi32.exe	97
PID 3092 wrote to memory of 884	3092	Lbjlfi32.exe	97
PID 884 wrote to memory of 4248	884	Leihbeib.exe	98
PID 884 wrote to memory of 4248	884	Leihbeib.exe	98
PID 884 wrote to memory of 4248	884	Leihbeib.exe	98
PID 4248 wrote to memory of 3904	4248	Llcpoo32.exe	99
PID 4248 wrote to memory of 3904	4248	Llcpoo32.exe	99
PID 4248 wrote to memory of 3904	4248	Llcpoo32.exe	99
PID 3904 wrote to memory of 3716	3904	Ldjhpl32.exe	100
PID 3904 wrote to memory of 3716	3904	Ldjhpl32.exe	100
PID 3904 wrote to memory of 3716	3904	Ldjhpl32.exe	100
PID 3716 wrote to memory of 1192	3716	Lfhdlh32.exe	101
PID 3716 wrote to memory of 1192	3716	Lfhdlh32.exe	101
PID 3716 wrote to memory of 1192	3716	Lfhdlh32.exe	101
PID 1192 wrote to memory of 2652	1192	Lmbmibhb.exe	102
PID 1192 wrote to memory of 2652	1192	Lmbmibhb.exe	102
PID 1192 wrote to memory of 2652	1192	Lmbmibhb.exe	102
PID 2652 wrote to memory of 368	2652	Llemdo32.exe	103

C:\Users\Admin\AppData\Local\Temp\68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781N.exe
"C:\Users\Admin\AppData\Local\Temp\68c4d314b6c3fb111b992bd0d86e7dc8e99e0a7258753f769e0df98c4a455781N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\Klgqcqkl.exe
  C:\Windows\system32\Klgqcqkl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\Kbaipkbi.exe
    C:\Windows\system32\Kbaipkbi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\Kfmepi32.exe
      C:\Windows\system32\Kfmepi32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        34⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        35⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        39⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        42⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        44⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        46⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        47⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        61⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        62⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        68⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        72⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        73⤵
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        76⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2328
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        84⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        86⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        87⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        88⤵
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4348
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2120
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        92⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        93⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        96⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        99⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        109⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        121⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        122⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        127⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        129⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        130⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        133⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        138⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        142⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        143⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        146⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        147⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        154⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        157⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        158⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        160⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        161⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 216
        162⤵
        Program crash
        
        PID:6368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6280 -ip 6280
1⤵
PID:6344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
73KB

MD5
7d0287ab04d2297cde11cca7297dbf58

SHA1
c8e8eb0d20fde76403753a4f6a8be455fd0c57ab

SHA256
d70e116083d3262f31d66857dd967b83677211c2a0c7c0a366651c8fbb490d25

SHA512
043781c41b134b58655b56d007c75ef1fb3600455dc7cad8ef75391b786a96a48368b16c98f0013fcbb6fddfc02e016ddf489b51bf08847e1f9421dbfcdb78aa

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
73KB

MD5
b7d88e8aa3956ea2d1551ce631269a95

SHA1
e2c96e821ef8096358a2166a217abdebab9a6516

SHA256
b124e95b705969358309a65bc92e70643f31877d2049e7fc8092ccbce99ae7da

SHA512
d8dbaa0fb0d3475ae6a4eb0d7f128f82eb8b63d2e1331c4ee0d5bf899bca669e176877c81f523f6b7faed9414f7131b10dd15c8e96b569d6466d88275bc1313d

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
73KB

MD5
62e806d4834d0330ae44a3bdfa410c00

SHA1
36f331a864eed86785644d81ada7b52cbf7b69a1

SHA256
04a732423fb001b902e4216b19d834c8b81fe028c392a49013688ba8d9377f81

SHA512
47bfe94e67e2af112883fb1f259ccdfab74e42d64ddf3e560fcf07988e23532b0bd64a1a5b68e5e82ef3ac7a27aaea4e2b33a5419da457146ee3b9d5670ddd80

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
73KB

MD5
3d66622cb14e9d23155cfe49c7ee8b6d

SHA1
6ddc47df8f51890411147c121e838100e1d10c4e

SHA256
26958c52146f69350621045bd0395de53bfa3bfcbc4f85ca2af302d4e2222522

SHA512
c78fee2a0a1205740d1806937cda9e223b04e9c65b9fd65ea3a6f546c654998ca1be06b2e89e477c3eb0984173f7275a6d33b461bcac7b10232edc5661424f9a

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
73KB

MD5
1dfa71a268e4cc8e6281a5c5c3f06376

SHA1
35ef98bcc6c0ff7ece630d91a288cba993ada14f

SHA256
301067e64995185d09ebe78e0c8065602292479a6cf7631271b57afa00932274

SHA512
031e921f646eb8d3eab7295965237c0f7d8c3eb4051f1f829038fe6fe4a6b040be17eff911c22d54f90ef8a53c5cb9b129c31ad4079130b14514bb479150c507

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
73KB

MD5
9e7f774e8e21dbcf9abbc30ff89cb83a

SHA1
c4d5f42669e3162d36069ad47e40dfcf840b804f

SHA256
feb815144045c80a29c9b4bfb381326f7a8a0e014ab24b4d00bf864bcb40f02a

SHA512
5410fa2a68575fae7875eddccc60c6baf40e6766a07b6bce892f8b06b14b844a6d37a3c61cf43a8205589096e1ee899d073e9b398207d8a8c5cb32f3f51290a4

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
73KB

MD5
4c8fa39c77206412e2a28520099fc3ef

SHA1
7da38f020a71badf25ee69a3b915ab489bfac81e

SHA256
26376bed74dda469489a27d159f0a5c91bcea07bf344e6d55ac293f6d820c0bd

SHA512
792caeaaf3050abfda693f543aa83732b67a534fbd3772e5d048039e82804d9e63311837e4f28a12934887d7d43ecbc386693ab6834a0ae84d8e05bc1206da78

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
73KB

MD5
9fc0dbe5394aee644e6093921f78cfb8

SHA1
5f77fb9ffd092a77a202419176e1706f4de63fb6

SHA256
f22b6f9d5d139dc9e025fb6fbe0618b97636fc8869267d79a6af98f07d210ca1

SHA512
2326ab7b0aad2b9ce3e54175e46464880052d4a6660f22a51624babf5ecbdfe8a75e17eae8b3b4e59e8a1f764976082625a63d7e7263424b95e10d0b8a7916fd

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
73KB

MD5
9642de03ee0578080c6b7bb6ccb166ec

SHA1
69341875a2491a1401413da0f9491b06b83ef3e3

SHA256
a1c0064501bac09ed5abb873e634d69c0c1477c73bc23da0d50708a2c2356e24

SHA512
ec2d960f065086d2894fcfe686bff85276fc729b2898529d19646997a8c63895140d11b4a43481b3a50338334973710dd397fc2eb0009a583ada932e433a5578

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
73KB

MD5
c73703b0cf0d239bde8286c986943e7c

SHA1
ed008723ea85bdb40fd8b2d114959ff753677e2d

SHA256
ce8c67c92bf948e73efa7c3edec1274baf97450db6c50a0f6f0c7abf26d13fdf

SHA512
0eca81d89f80461e0e14fb91e070e746785071363e9e6106b583c225a1121c03c7f512a1c03c73407e30103ffc8c1cb30c936c6ac3cef3ad41a53bbb417f28f8

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
73KB

MD5
0384f21c427c67920d1d4f7bcf30fe0c

SHA1
39045b58df37cca8d794db3e2be86ed0bf39ba29

SHA256
d7d4d4821d56da160098d88d90e2867a860d90527f4134f7b81f7ee18b4a8fe3

SHA512
cc9de4bf323c0d97907c81ef4f2e14dc2a01e4ce61ff6887fd858304dd3c8aa359887db8e73b0e9263ae9e24fe6e976acae708e4dda9177ea9a98571623c0930

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
73KB

MD5
7c6f69b09bfc8f67f0dd35511393ae8d

SHA1
562cb80af4c1c94b6a3324d78612b25231a2d0d4

SHA256
6f85bdc4cae01fa8ca849c96356e2a926e29790c7519de77940c30117e5174de

SHA512
0e4b6b42f3c8801dc0c46b678071a1db73cb0387dc407101748ef5c57afeb61a3b10005478ef83b420b3802b6c5a0d4491900899f1176cd08bc490121625caa5

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
73KB

MD5
21fba0a067fa3d3b89644d4d880a1208

SHA1
7d7c9bd3c35ae19cc9bd56e599838613f73d261a

SHA256
7ce9f05c195c98f76b99835b1c492670155255f24a3e432c780446e694962a23

SHA512
9a458316247f96e67655551387b7195f4baa12523ef0f024e64b4ee9f4d72ceef5f09dd26c1912a62952c102d7005c60e9d62f4717fb5c183bcb5bd51ac33f40

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
73KB

MD5
02490847d81e1526187999f1534f18c8

SHA1
9352c67e37bae65651120737ea5021cc0ba53421

SHA256
c65288b584ece228097f8c5617a271c40b49d2716ffb0c474aae43ed16afbcc9

SHA512
5805ae2edc00ba3ff3f6fc7ff0708add985633cc9c7879de4035876247f9ec997f29a37a5f62009adf691cf702e3af859ad5bd1c22da3ee37ad7a28d96c74960

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
73KB

MD5
c0c52aa5d2af8cefcee08058c0a08a35

SHA1
c779c8baddcf02beca9a51e8acb0e8b4b25fee10

SHA256
33b9fe1fab0b36674289addd63bea867400a2b16d66ccdb44d362b652607df61

SHA512
508817aaf8a62b1575f07a255fbd7199965d04ce476ff56f6da7a98e19fcdbb12bf0cf3e3385e87dc7c232dbc6fa4eb7507d54a34128037e0b0353bfa0633b87

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
6e84c44c1bc83451d79f56fbae48acf3

SHA1
001602616288173bbbfdcdc0664bb229b5729b55

SHA256
8d1064755fda1f3832305700c625aa59b2144b3de8d568b760b02751f92a8088

SHA512
636a42261870895c4528526ab8d33faf1d32d1ee1d856d973bb2f14e05ad0cfe758051d3a50834b499c3e9fd6381891040c115f533acdd5b996080da0a6a9307

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
73KB

MD5
41d770722326bbda5a4c68398d4930ea

SHA1
7c72c991bd4347a36551f5ed8fcb6a053844a630

SHA256
a9838e3205f7f979f1452f18b9e4bbb68432e4edcfd6f940f68828f59cb8ce11

SHA512
d9fbf1f357608f840132b1e6683903f02f07a8fbb24e1f70b257f3392c07e221d4518be7e8483a5bf5a0c7a0dac43010accd2d7368af889aaa026765c965212c

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
73KB

MD5
bdee16365d7f5a726d00802d5224b9ab

SHA1
f310e91df7f6f8905de9f004d063b841222dc2b6

SHA256
f86ac490a1f7fa6c33cf98146bfa126a88f2766a46bcf97507286ffc1ab62054

SHA512
11b43eb63b835e20fbc49cfbb5023db1262e74ff512c1d651361a64176bb5e7736344735b671c63e7e0820921895e9aeb445a1f6d93c3a8b8a33ed1d12a3c92f

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
73KB

MD5
589babc10eb5124ef29bd8030f213738

SHA1
df69f4f6b228848158883c2602839407c78b67c6

SHA256
22a4e40124b47e507a69cabab26cccd95f3b0d2ff1b4474cdedf6a46c1be91bd

SHA512
7650935bb7cd46de0bc33bcf718f76d1bb4e6c502f4142630c9d2da2e6efc96e9d705096fef2f9da7f869b2f1cac2d7976d7b405354264471219acb75bf79d34

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
73KB

MD5
70f988f28e9f6e0e195f9bc05cdc8c3e

SHA1
d0ce530c125d7a33393134b309989097da0a1796

SHA256
c852ddcc67128786dfae415307e442e3eff45e5960cdb7d56225d1640566d397

SHA512
4c43e62566b87ff0e726d027fd2ea44462f0ea9b1943060b11817b4101441cc053a7db44ebe72d11edabdf174d9a11899699d5d517dbd75c3e3efb84f8a1fe7e

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
73KB

MD5
0216c200b9c4279bdfc956d497de553a

SHA1
d677b775e2202b2ac4be184c5501f8ae5f2159d1

SHA256
82d274026b9893619bd044e4ff9358bd1bd589f904ff3d939b13d86c33b78756

SHA512
7138b333acf788461e34ac39d877e76bd8a9ef163f79c755c050b577d9347e45199c3c7bbefc1a5e7d249bde621c9dafe0c4bbd0bdf1b46af4d9730861121651

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
73KB

MD5
60153c024757504e5adb606ccd4bb35c

SHA1
d622b6c449cc018679b17380317866a39cc112a2

SHA256
55e686055dd3f5a2c58314168922f7dccba82ec93c04ddb1f4626357c018b819

SHA512
5ff8ae58dba9a208e0efba118ef343d7eae2adda6dd9d71ced5a79cdd04315db1e46897c9b91abf7756bb8cf9f3963a8f598ef73bd8d467436eae37ac2a00997

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
73KB

MD5
9d07506795eb522023b24278d6ff94c7

SHA1
59635742319b5b3a4c166dece92552b5e304f040

SHA256
870f40ae8b566a8ed1d7b4bec282972a987fc84da8628c27cb40a19a22b321cc

SHA512
88c80f49678999b8c950d50152aa3891ee71671ceba97a566d28c9f9570d17ba58efcd69f6bffb15176edd7781dbb549abf701f56ea0ddc13e8edec3a96d0e03

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
73KB

MD5
2e4ac99a69320fac39843823153ebc3d

SHA1
ef2e17b158d72abe093f7e43cb1a04f17d76e939

SHA256
68a3a010992174afc8d306f029716df77ef99c64caeb9e46a4a1442f0d58aed2

SHA512
ca549cf0b866bc1d60b48c005ebb48eeec4f9729e2c133060ca753ac2d965898fed1430c527e846a8a2d376817163f018ecfffc3e8e5cbfcc4e3b350cde4d581

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
73KB

MD5
f19ab5302e3be6bd60259bbfa38fea91

SHA1
8e5cb275c862b0842bff599de17f159c372ea7b6

SHA256
24f3ceff1ce63043eb4d30d54ba1d8870e08ef2681bbaeed82e41c26e632d460

SHA512
79893b6468e212e9aaee41dff7c8497c0e8428ca04428cf0faaeda914f8595ddf754130526e689d3fb43ee9114a8431ee93d6b0d8ef49b9c9d07734567cf5fa7

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
73KB

MD5
24d02a63e481a3d717581cc46cf3bfe4

SHA1
d1c327e4ec8f87ede0172465279007be6923e148

SHA256
e2dbe836368d3ebef705fa0a5b6c5b7036adb74a7b5c40ac972078cafe9ebea0

SHA512
b6a661a99ae6905493382d91732ef3d90435bcae7d952c06498a03908d01a4ba507db488a4a789c1ce08d6e66a7d161ffcee652d76b94dd1dc209af3a0900036

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
73KB

MD5
f89e1733612b36131cc6e24b9741ef55

SHA1
dec8785738474e5e8b8b746cce8bf48d28dab4b3

SHA256
a6050e0276726492588860fc19b8a3bf31f80fd28c9beba622183a3bdc4c7483

SHA512
753a76b92f1b4e81a8da92fbba69817aaadd673a18ab0a58582314e7ccbaea063f7f1f259600182ae389ea60050c2d3c70f8f17f2d72ed297ed1337ea6f079da

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
73KB

MD5
4519ffce1fc9f0e062c336edcf28410e

SHA1
ad7dc3eed2a152e1b201d68776adc2417dde4e35

SHA256
7b50af9a00fcec70fa1513561d6da6a5e2470aff5592aa2d3f09750a08c3b007

SHA512
b77b47600e2e0bd0331db425f02979d80992d5d352a4377ce8dd588573ba308ca78330e7848138c2888aa841189af682587e23a4dbf68f2f28e5f787e61db54e

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
73KB

MD5
da136e2f1e153ea333044536f20967e4

SHA1
ef7d550b8e270fbd9598cc50382f3ff87d240b86

SHA256
b2eafd3c04200fbf5043b404f0ffe16780bae5bd41ebe9638220c3ee67b43742

SHA512
9ed465601bcea7875d40d6ddefd7de4c7da8c40619e8dea1abb416b1d7521eb671ec1b2915c0c78426b27bd23ba04d8210c6e68f71c9211b44f9f5b9acafe75a

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
73KB

MD5
8f0c95065ff263c22cd424ee2134db61

SHA1
a2ca4ef250b3da8c6e90415867737a64fea814a7

SHA256
ad6af9cf1ac9244b2f37159e6e1847209615dbabbcc04fce74ddf4dd05ffc25c

SHA512
32b20a00dcdaea892124c6fefb73d8e6f325e1bbdd32934dd83983d4efa52397d051fc842ad32595c74708222ee8cacf7ffbf2b96851305b8879d6ffe3de0e57

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
73KB

MD5
4e03c03ef13612fdcf0638911d7a7ab0

SHA1
3ab03d3162bff09a33298f57e05830bac4d0cf72

SHA256
00157320e29a9f2626a3f322729a2621479ac70138bea090aaef2c432150593c

SHA512
d80b26804e84ea3deab960ffd015330b6f415488a2c19f9992ac500e970da6c22be198675466a804f0af1615e90d619c6856f76dba036aa67ae9d2bca5ce6421

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
73KB

MD5
2fbee7c75c658bf7c00bc5ff0743b5f1

SHA1
7224800065ac4b92eeb00324a4f66d0d0db7dd81

SHA256
d81e3f90479c2681b609104611c8aad445fd7b69c2c88501db50760efc42a0df

SHA512
81e1499afd21910b105824dff40c8ec49bf05bf1647fa9216430c1ac562f747e3c5403f9ad0772b2b0ddcdc51d55dd128bb806a685a34e62989ec64cd00e14ea

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
73KB

MD5
c911b8b9a940cd25e6cb83161cbaaf1f

SHA1
3535f6bc12acaed911244e7134d450b64f11267d

SHA256
2052c4df96fe3a9ab434d07601d8f07c5b918c39b6a66871cab73fadda4260f2

SHA512
f93b69968645b44ec656e669a3dd91217c164323d0a02dd52fd0459fa1b3ac477b840af2da442d5bd46713803860939c9a9857a515cf04448bbecd1437f496d1

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
73KB

MD5
aa5e3c827fc5ebcc78dc46f2e4c9a6b1

SHA1
4a6873dc98266dfb5350f91143a0ea512ec23491

SHA256
1b702d2529457036fdcb0f5a76772c81099be9a2933f5675585c58d655733ae1

SHA512
8c7f0cb1eb56ab8feaff9841dad539849668e1f51e74b19089f66f12c409ccaed668d53501e3ca9402adbbdcc13b7f71b64c313bffb9fb0c0b1a2c4990ea4185

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
73KB

MD5
54e969e540a2d9ba055112d5cd934018

SHA1
2aea19941e27c3edf7d903f3d0f629497ebaa061

SHA256
3a7860499ce865222da91fc200faef972de150bb2f2764ba6e1d32cfa497a2b3

SHA512
bfce92cc2201fe4d7efc37d96b137a23162069ca75a434ecd17c50fd63d1318a6a6d8e067d786c9f4d042dd4bfab8b09d263212f8d62e739d314b722bc75f6e7

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
73KB

MD5
4e15118058fc8ec55769a2d4aeb5356f

SHA1
0e52b8c0a367358072be471af947aa54d9b435fe

SHA256
e11dfc920e354a56a3eed22c65f2830a4a712faef97ac69d12743b74584f6408

SHA512
54aa68dde5b88d1cb3fc918a2787bc4b337dbc6fbd727359260d518cf220593b4a0869cde4da646899e0e86f1a8a2050e1afb46fc15669f840d29b8ff1b1f5d8

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
73KB

MD5
d420d26bf4a05458803883415e26d652

SHA1
c71305f68b6028454242d0c60b5cde38dc4325a7

SHA256
db9b9b1f71a8e0e508bd2ec925fd70873ad38e4a838b799bc2b4cee67bf4fbff

SHA512
fcf53cd494fdf1845b1fb41a4843233e2e840a94c5c43b0db42b6b2f5831044df693e0050db71c06210a77170214484417d884975d2dc4de2d9093dfced6a087

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
73KB

MD5
94f2ccd5ad178c9d847d4054b6efd378

SHA1
86db00529d9d23822c526868f54271e1ba9364fd

SHA256
1418a04fa720c175b1530b2ef7c1aa980185a1e563cfc768f772b41bc759bbf3

SHA512
74ad578314c65b14e23a4275d76e81b364a4a81b967a6c20ba9cee163aa6497a0e3e7439f5fa5b608f5f85fa7f1304a913cba522665e2ec1f9e71f81c04c29aa

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
73KB

MD5
e9bca3ffc5116d6b930517d1ed8ce004

SHA1
5c8c6b7a9fc7bc16de2d29398577a0e99a9f64c7

SHA256
ef910e056c6c9963c5a6ce6b7dcb29b5994ac6601e99bff5cfef740fe6454e4e

SHA512
ad46b6b8b8b516a324f6c2e1f7b69fca15aee1c251d991f0611cb4237311a8b6c31a4f4bd7cd5853e35314f5d0d31f66f7f84a49ef31f04ef86c93651b64f3f9

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
73KB

MD5
f6fb40b4741201b5ebd20f3acfd21383

SHA1
6b517bfa4561ae04a77de6b249c68a4c22a05289

SHA256
836522ffd61358fe18aa2a598f2c4688c3edc8a87594cf407d9118e83c29f253

SHA512
6cb00b72fba265baf5f920a74ad4116c5c80ca100518e8c69ba2fedb83c227635f28a823416c1c004b516f9aee5c159ce549e6bf9f1d210f9a5055e90f2fdef3

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
73KB

MD5
3d2cc8b45dc6dcf7f6995808f1e90871

SHA1
509737f79fe1d9f115c44b1f10c4d9563e9ae968

SHA256
6b365fa98a73ccee206ba689c75f9bb2f35cddd6c3d5b32abb575874e4fe54e0

SHA512
17ac300a9d501c501fe72872abcf346f76b1a40a60744c1c81521264cc496b6d59dc933d2d83bb01577355d2a444e19eea696e835861f97336a4ddbec0e45bde

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
73KB

MD5
65ec1b6186fcce84fcae5c6f6c3e485a

SHA1
7b0f501685fe83e0f90caf02b51fbe34e2f6f819

SHA256
046368b15c5ade66b0f8e7750b175339f06217177cc8953069b5ffeae44065c9

SHA512
a33837e3537ce371b5061428cccf5064d486ffdd7c65e5e457f76a4ae96ba052eea00f6fcc09bd6b6e73b2358855f9703c572b369b94cbef822571b614a0e1a7

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
73KB

MD5
118745a4ca030574f79febb11638e153

SHA1
c38587d80a7aee6c44cc08d2eac48f821255b36a

SHA256
dba2b871ff6811c9e7ce4922844ffbcda2ddd8ff290c729e3b0ade9cf3bb544c

SHA512
bbaea70eb10b337e6c6542dacab15d7573ffb8f28c6ee80422eed593dfd09e0c54bd84b97d62d307bd5e071e1eecd43dfa1a4435b63fd3677390313e6b877de4

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
73KB

MD5
a907c2925b30e77fa9ba821c5ef8c703

SHA1
963f9d0db84447471d3eebb520540e753ae5435b

SHA256
869665018ab1c8da25d76d41c84d7e621c33613d6d10e45dd10d0e7e0b9ca33f

SHA512
24a0f87f828db739d3de767d0d59f433a8d34b7c95401d627e4c3232d91151972f2296f8263bc2d8ac619c024c0fafda46ceb9e9a53f4a5ecd123ed1fb695ab0

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
73KB

MD5
2283c86c7c73c14efbeb541d711c51c8

SHA1
f12797e4c9ad90d520b59d3bc607e504a750625c

SHA256
783c0800ceb32ce45304127e531de6520435e59602e783d8cb70d878105c9c70

SHA512
95f605bf5e33b3b717be7582f0c42f78e2f9a609d5c731880eaa6fb08ff3b095fb2a098d3de5886d5ee8829caf3a754cadfb3b589abc8f0363925571f3922828

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
73KB

MD5
d6b34d52935d0c7847a1c6fdedfe72cc

SHA1
138b33c7dd31d0ac0e7ed86899660d91075f5423

SHA256
ef7161ba65c4c38ec37aaa1afc44dbe62653ccc0b60fb81b545371fac884d629

SHA512
d0529fd8c3c40bd3128377d76cb21a5288171946b794ea9948b611eac1baa16565c84e12c2409c4d875704024037226ad126019fd9494689b0e4ca742c2de673

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
73KB

MD5
b761e64575653af1b1518da40e003349

SHA1
ecd0ddecefce2b5155b1ab3aa8db00a842b26527

SHA256
4789798f1a70c2c6acf61f4fe28e47535a65339964eb62dd9a9ceb55d2c93077

SHA512
d023486a1da69dbafa665043d78eecda7f49967badc9d68854429d609f57e1e7697fe7b8b598371221df87dbb7a1deb38dc75a50e0bfbea0aa9a2e085f35429f

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
73KB

MD5
21b53efe8a1f36a653a3f0c1272a396f

SHA1
0d3c5382002b6f6872f423916febe92e86760304

SHA256
2008a05acb4bf9f7ffd115550e5e363669d9bc27be22f8f88a143785fcd31ece

SHA512
7c3b34b3ee881799222743773d537a460f29d261669da3a124bc2e5cdccc8b9fab5647b15fc50910b3e0f7834a1f5f273768c4a4cb8eced041580807028511f8

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
73KB

MD5
a0926d1f8320cb2118f3e4536aa28ee8

SHA1
3e076e9008a80e01a403a56c00dc25efd1c22e5c

SHA256
643eb41871f3388181b3cd60db745d6833e3e7e1f2187786d6d4cc9ff7a38f9a

SHA512
af1bbd24dee9f6196a20443bb53162aa8ee04f32cfdb34556ec1b138187c2741d13487592cf5efed276639aad785b4a4fb7d4fa225c5a744a784ddb57a906aee

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
73KB

MD5
e0c11544c5af177bbb5c83f6fa86cad2

SHA1
e096c1752dbde3c26a3833780ae095fbfafc2e43

SHA256
241d346ef7e3c44d62e2a6ec7ed20b6bafcc0294e358dc91622d0b9da051298b

SHA512
6a37aef1b7321298ba71e8f179e99f1963ce87fdfaa0d64d6a5e0b64982a1bd872c9e63b3347f6c15f35716f20858690c164fbeff1689e61b867f13ff294eb00

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
73KB

MD5
ce6880367ec561ebf06161e19298ac4f

SHA1
75084b8dbeba2602f3a552e16219d9c3940337d1

SHA256
7e612f77888fe87b2a73c3386813f1c8b8b2dcfa95164ca9294b231a55b6acef

SHA512
b876641b7d9ce0ea1ef1161bd14f34a5ab7cf08360492b9e296ea0805ad0a3be06683af8b65acc527ea8bfc13fbece73ea3c574cc3b411025d3409e0895971f4

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
73KB

MD5
5aceca99192beb8584d18cf169becfe8

SHA1
f0d8462bb1b8241792c31928640255c0439234db

SHA256
031b52f4016970c9be8c340026f727f7904d2c1c556340cc0eac52d3a77ca461

SHA512
f6fc2a70baa3896e3a9972f19562f96219c7af33fe07a8fb77980594d37e34d3acde351dc838df1cfe7561da43361ff39676aa449b69ec96be9db6bf161abae4

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
73KB

MD5
14c0975d6cab3d2405b1ad30e9f6ea97

SHA1
a57f1cd9d05b135926a75957641fd34ce3dfe99b

SHA256
2bbb145062790654807be77c8616ded9cb01182efc016a5c388919381801fa6d

SHA512
5df663114487e45142f36b897bf26ba577327be4b77d474417250b894285811af248afe5ffa754fd439364b3315b5b91ec8ac2ccb86fdbefde61dde3cafc3512

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
73KB

MD5
d374c12171ccee7be6aa05ba9b50f03b

SHA1
dc859007684a5b9d085744897d0f512672c69c6d

SHA256
fd1da9231966b645eb9ad141a7a60651711df83cab27576686f0faaf818dc03b

SHA512
7d2923992e1f269011dcab34030cbec9921d90c46aab006a32bb6b3f55475867315273d488dd88704aca00086184df782d1fc04e6c6733787de42a9ada972fb4

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
73KB

MD5
016efa94851485f70b54742135ec9538

SHA1
1db135d97235c7fa6f195f54474dd69fec38f445

SHA256
c9fdba2155b4f2f59f455c752716f149db09b6d15c3ba413f19d82bd55520a36

SHA512
be43cf6b0bf96a5ea50113cc601c8089ed24982085f88d9303ff9fa0d5f9786460f404f741bd0a709765b79959eb736f49344ad5a815a545a50ff00b6382438e

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
73KB

MD5
dbfdd07808bb7022bdc3a5ebd2b23983

SHA1
ba1b15a4e234e7cda5a09ff78ca52b67749ef560

SHA256
e8aa927914783c707e33f4d30b4cd8b5f1e7902b0063c488c51c27a6baf9c5b1

SHA512
d55b3e9e37b0b7fe92ddccfee089da6a163f1ba2109884a7aea7df7b6f1623f17064445e9f0248b92ddbb7fbb9682ad1aeefe6d24a73e9ba714b3f7658913da5

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
73KB

MD5
b17becb9934961d851a28d476a03e077

SHA1
44bf413021abb06e6888206d63c2c5fd15cc5576

SHA256
78159d2cd51bc9b63665d76c9aad521796dd12cf80611a02514abee0b99582ba

SHA512
f6db9eda679de1cf70653291bbb5f3a31e12ab53546dc000d08b6f4b7fe5cefd22a848215db917ef366496e58428fbcb8d7f01abcfaea29c21bc45c7375e26dd

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
73KB

MD5
77214ba2413b00122b6e5469235457ea

SHA1
b1d422efd21fec7e71c45aa6913434769f0ba4b2

SHA256
15716f25cb9ca12c481c090e6a5c7bc169898a7acdb3e6a195c00d556e99db79

SHA512
89b020c33747190113137651b91ae5de0d6419cc2f20cb2dd67967030b89ca62edbdfeb67aa69e8d295741aa73b0b6d8fee6a24baea7e4b8bc30b71c61ca0f5b

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
73KB

MD5
6a2d0d87e16f7a1521b2235b4642bc00

SHA1
5b8dd81bc8d9de9e92c1e9d3c0eb3700b8c523b8

SHA256
56c4fa63d7b7e424679a5f8c9240934ea3ed851dc1c4bb87877424bc4f193681

SHA512
36dc44b1924a1a2eb671b9ff2ac117f891c875a931990351c3e9472776b0b841c68b1cf7466be22b10233fa622a2c9a9fc6e5fd2e62a686b1d13daaf8e97dff7

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
73KB

MD5
ea9288bf8876ff95abe7bbc0b8c27395

SHA1
2772752b7241c3a2b4b0f8de6ad5e261ffa621d2

SHA256
a1d24048ac4fcb28609afdf9e5fceb0e52351495ebaf0f1f260b8fecdff4c9fd

SHA512
48e09eb9e266d487df0f34f87d58f341b6d122111c85ba69786cff3b9b107a37d25ab03bd26be104cd69436a4bfeece7d0cebea0dd49e1c3fd6a66ae91a3fa94

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
73KB

MD5
8e31a154c03cefc8a8c96658a2db11c4

SHA1
ca6296aff345f518652614b581ca91997fe37733

SHA256
4333e68aeeb30f652f09d21ea549547c956ced102b0d021d3f1d660109bc613d

SHA512
247d72abf45a5581cc1ceb696cb95364c0a06d069e3788972f08c5ce82ef7a894e64390386dc646b800422646b7142751f17e71ebb6ae9a06b14a4fada9153d1

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
73KB

MD5
ca9a064a958df4cd1996a640bcf55a21

SHA1
0c57a5ddbd6b4a77e575cb68f001778984c39b4f

SHA256
b63f79bf03bbfc2b94b5921845cef10def98019812163c487972d2d201547670

SHA512
9d67d63403524be6dcfb39474ed00ffc6f2b154878e6d93ad5a828cdcb34bdd410ed904b921ea43e9c97f144d536f9adab5cccae6322fcc1f0f4fec10c165cbc

Download Submit
memory/224-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/368-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/620-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5284-1177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5492-1171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6004-1158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6072-1157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads