berbew | d0c08395e20be5f2cc46c14eb1fd185dbdd6a31bf18a14e1abb224a22de365dd

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0c08395e20be5f2cc46c14eb1fd185dbdd6a31bf18a14e1abb224a22de365ddN.exe
Size

45KB
MD5

f06e74f0f40a22db0a78f7a02ff735c0
SHA1

7de431d22452f0e7c67721ea2d203865712bdaba
SHA256

d0c08395e20be5f2cc46c14eb1fd185dbdd6a31bf18a14e1abb224a22de365dd
SHA512

12e0ae0519b7909d9b14d937443dba6835087e7452b50ce91da7df64cb052ba88a79f367755bfb8fcf8d01c44677263d1893c4fca5d20664d1b77287723a334f
SSDEEP

768:rVnoEA9SRdPIL/vzJ6WyOH0/wu7A9OLKrdM0i4dRK76v/1H5hj:Jx/EbzJ63KRusEgdZJdRK7yv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d0c08395e20be5f2cc46c14eb1fd185dbdd6a31bf18a14e1abb224a22de365ddN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcefno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
988	Jcefno32.exe
224	Jianff32.exe
3116	Jlpkba32.exe
4712	Jbjcolha.exe
4848	Jehokgge.exe
3424	Jmpgldhg.exe
3728	Jpnchp32.exe
1044	Jfhlejnh.exe
1500	Jifhaenk.exe
2752	Jpppnp32.exe
764	Jcllonma.exe
1220	Kemhff32.exe
2032	Klgqcqkl.exe
4252	Kdnidn32.exe
3908	Kfmepi32.exe
3444	Kmfmmcbo.exe
4564	Kfoafi32.exe
4056	Kebbafoj.exe
3544	Klljnp32.exe
1628	Kfankifm.exe
5016	Kipkhdeq.exe
4108	Kpjcdn32.exe
2276	Kdeoemeg.exe
3136	Kfckahdj.exe
4476	Klqcioba.exe
3460	Leihbeib.exe
904	Llcpoo32.exe
2712	Lfhdlh32.exe
2900	Lmbmibhb.exe
2512	Ldleel32.exe
1640	Lmdina32.exe
3996	Ldoaklml.exe
2808	Lgmngglp.exe
2892	Lmgfda32.exe
3972	Lbdolh32.exe
4348	Lmiciaaj.exe
4812	Mbfkbhpa.exe
4140	Medgncoe.exe
212	Mlopkm32.exe
1532	Mdehlk32.exe
2232	Mibpda32.exe
3292	Mplhql32.exe
996	Mckemg32.exe
4832	Miemjaci.exe
436	Mlcifmbl.exe
2424	Mcmabg32.exe
2408	Melnob32.exe
1792	Mlefklpj.exe
448	Mcpnhfhf.exe
4016	Miifeq32.exe
4300	Mlhbal32.exe
4112	Ncbknfed.exe
3348	Nilcjp32.exe
4960	Npfkgjdn.exe
2012	Ndaggimg.exe
1476	Nebdoa32.exe
1412	Nphhmj32.exe
524	Ngbpidjh.exe
3180	Nnlhfn32.exe
3496	Ndfqbhia.exe
2532	Nfgmjqop.exe
3704	Nlaegk32.exe
4372	Nckndeni.exe
3624	Njefqo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ncnaabfm.dll	Jlpkba32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lmiciaaj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5696	5404	WerFault.exe	233

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcefno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeoemeg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 988	2412	d0c08395e20be5f2cc46c14eb1fd185dbdd6a31bf18a14e1abb224a22de365ddN.exe	82
PID 2412 wrote to memory of 988	2412	d0c08395e20be5f2cc46c14eb1fd185dbdd6a31bf18a14e1abb224a22de365ddN.exe	82
PID 2412 wrote to memory of 988	2412	d0c08395e20be5f2cc46c14eb1fd185dbdd6a31bf18a14e1abb224a22de365ddN.exe	82
PID 988 wrote to memory of 224	988	Jcefno32.exe	83
PID 988 wrote to memory of 224	988	Jcefno32.exe	83
PID 988 wrote to memory of 224	988	Jcefno32.exe	83
PID 224 wrote to memory of 3116	224	Jianff32.exe	84
PID 224 wrote to memory of 3116	224	Jianff32.exe	84
PID 224 wrote to memory of 3116	224	Jianff32.exe	84
PID 3116 wrote to memory of 4712	3116	Jlpkba32.exe	85
PID 3116 wrote to memory of 4712	3116	Jlpkba32.exe	85
PID 3116 wrote to memory of 4712	3116	Jlpkba32.exe	85
PID 4712 wrote to memory of 4848	4712	Jbjcolha.exe	86
PID 4712 wrote to memory of 4848	4712	Jbjcolha.exe	86
PID 4712 wrote to memory of 4848	4712	Jbjcolha.exe	86
PID 4848 wrote to memory of 3424	4848	Jehokgge.exe	87
PID 4848 wrote to memory of 3424	4848	Jehokgge.exe	87
PID 4848 wrote to memory of 3424	4848	Jehokgge.exe	87
PID 3424 wrote to memory of 3728	3424	Jmpgldhg.exe	88
PID 3424 wrote to memory of 3728	3424	Jmpgldhg.exe	88
PID 3424 wrote to memory of 3728	3424	Jmpgldhg.exe	88
PID 3728 wrote to memory of 1044	3728	Jpnchp32.exe	89
PID 3728 wrote to memory of 1044	3728	Jpnchp32.exe	89
PID 3728 wrote to memory of 1044	3728	Jpnchp32.exe	89
PID 1044 wrote to memory of 1500	1044	Jfhlejnh.exe	90
PID 1044 wrote to memory of 1500	1044	Jfhlejnh.exe	90
PID 1044 wrote to memory of 1500	1044	Jfhlejnh.exe	90
PID 1500 wrote to memory of 2752	1500	Jifhaenk.exe	91
PID 1500 wrote to memory of 2752	1500	Jifhaenk.exe	91
PID 1500 wrote to memory of 2752	1500	Jifhaenk.exe	91
PID 2752 wrote to memory of 764	2752	Jpppnp32.exe	92
PID 2752 wrote to memory of 764	2752	Jpppnp32.exe	92
PID 2752 wrote to memory of 764	2752	Jpppnp32.exe	92
PID 764 wrote to memory of 1220	764	Jcllonma.exe	93
PID 764 wrote to memory of 1220	764	Jcllonma.exe	93
PID 764 wrote to memory of 1220	764	Jcllonma.exe	93
PID 1220 wrote to memory of 2032	1220	Kemhff32.exe	94
PID 1220 wrote to memory of 2032	1220	Kemhff32.exe	94
PID 1220 wrote to memory of 2032	1220	Kemhff32.exe	94
PID 2032 wrote to memory of 4252	2032	Klgqcqkl.exe	95
PID 2032 wrote to memory of 4252	2032	Klgqcqkl.exe	95
PID 2032 wrote to memory of 4252	2032	Klgqcqkl.exe	95
PID 4252 wrote to memory of 3908	4252	Kdnidn32.exe	96
PID 4252 wrote to memory of 3908	4252	Kdnidn32.exe	96
PID 4252 wrote to memory of 3908	4252	Kdnidn32.exe	96
PID 3908 wrote to memory of 3444	3908	Kfmepi32.exe	97
PID 3908 wrote to memory of 3444	3908	Kfmepi32.exe	97
PID 3908 wrote to memory of 3444	3908	Kfmepi32.exe	97
PID 3444 wrote to memory of 4564	3444	Kmfmmcbo.exe	98
PID 3444 wrote to memory of 4564	3444	Kmfmmcbo.exe	98
PID 3444 wrote to memory of 4564	3444	Kmfmmcbo.exe	98
PID 4564 wrote to memory of 4056	4564	Kfoafi32.exe	99
PID 4564 wrote to memory of 4056	4564	Kfoafi32.exe	99
PID 4564 wrote to memory of 4056	4564	Kfoafi32.exe	99
PID 4056 wrote to memory of 3544	4056	Kebbafoj.exe	100
PID 4056 wrote to memory of 3544	4056	Kebbafoj.exe	100
PID 4056 wrote to memory of 3544	4056	Kebbafoj.exe	100
PID 3544 wrote to memory of 1628	3544	Klljnp32.exe	101
PID 3544 wrote to memory of 1628	3544	Klljnp32.exe	101
PID 3544 wrote to memory of 1628	3544	Klljnp32.exe	101
PID 1628 wrote to memory of 5016	1628	Kfankifm.exe	102
PID 1628 wrote to memory of 5016	1628	Kfankifm.exe	102
PID 1628 wrote to memory of 5016	1628	Kfankifm.exe	102
PID 5016 wrote to memory of 4108	5016	Kipkhdeq.exe	103

C:\Users\Admin\AppData\Local\Temp\d0c08395e20be5f2cc46c14eb1fd185dbdd6a31bf18a14e1abb224a22de365ddN.exe
"C:\Users\Admin\AppData\Local\Temp\d0c08395e20be5f2cc46c14eb1fd185dbdd6a31bf18a14e1abb224a22de365ddN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\Jcefno32.exe
  C:\Windows\system32\Jcefno32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\Jianff32.exe
    C:\Windows\system32\Jianff32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\SysWOW64\Jlpkba32.exe
      C:\Windows\system32\Jlpkba32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        23⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        28⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        35⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        36⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        39⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        40⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        50⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        52⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        53⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        67⤵
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        68⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        70⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        76⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2160
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4756
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        83⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        91⤵
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3904
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        93⤵
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        94⤵
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        97⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        99⤵
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        100⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1584
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        113⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        114⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        115⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        117⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        119⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        123⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        130⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        133⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        134⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        136⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        146⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 404
        152⤵
        Program crash
        
        PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5404 -ip 5404
1⤵
PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
45KB

MD5
b6bf2f00de9487dd20c99728103a6d44

SHA1
b1b8194ffb4751d9bb71419f6bbcd6405ced0869

SHA256
3df0a23fe0dbfb78eca2dd81ed9b988ef4d42dd4b91a13ebb83eb54ae1b12e61

SHA512
2e054985d9d4426afdc434b4db9fa1499c28dd59d4a11a6399d72e4aedb2a0317e7fa7ca68bd2f300ceb96e103527d5bae572e9b22f2afc9eac2da94dd2d43f6

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
45KB

MD5
0952c9416a0359c161353754df68f804

SHA1
db4b091b7495cade6d5e612d0b1bd8a2940cd0ea

SHA256
3fc4c8a0e3cb7baddb3eb55136c2688300669ba6dafff1f4ff3c8e13571e56c8

SHA512
2b67b98ce837ae1277304163a6efc19efe931b97a8cc15ae89bb4d36f24c1f0493dda83b8ecd31639d2411e43e763829c18c0d41d8bc8c5643c2efbb717b7cd0

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
45KB

MD5
ea5297f6e7e4bb4717c9662b3da7c09d

SHA1
53e7f3f6f3597a57c96d8680326ae05df3ee038b

SHA256
212af4aa3f45894a29a92eb653d1eeda09161cab3b4379ea68ea39b773c3c91c

SHA512
35ffab6e674d8fcc8bd150e8e33e77afa711f446e055f3b1d9a041cb417cb6f79925b89ec603e12240400e64ae68f78818dad298c11be6f5cfc05dc948f12f43

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
45KB

MD5
a794b7c6668b30c236b1c78ea8628499

SHA1
867a8694d2ab09fdd5d8aef4c22ea103d5fd0d0a

SHA256
2d91d52ea523662825361bfd08765f2e87bab0d93b1ab4d00f913cc6bed40fb3

SHA512
7b063e992fe98ec76e53a287037cf50568eb5cec271e819cfba412c8410beac31a3ad52028effefdf125b2416d51ee681adb0e27a1d2f29e716da0beddb1cc9a

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
45KB

MD5
86c3803772d0672fae2d017591120691

SHA1
d501a1ecf944d1ade2a2fc50f8f18629b732ff5a

SHA256
de5d6c7c0aed06dda1cbfcc72647a4475f40c40adb646ab71515972ba42469c5

SHA512
aa4530dfbfe4302afe2c0b852786671179e8782a9fc2798a21382b125b71636466595d0bb9d15357dfdfd9b4f69251f29d234ee2f50ae5276bdf6343e1f01fb6

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
45KB

MD5
229ee6a903bd9cb50e0585a9de99d877

SHA1
de424e0e886a9837bc83994546583b9756abe787

SHA256
21e96b4fbf63820aca011e685eb12071ca30ec323587f9d239fec6b89b55e7e1

SHA512
691eeb5ad70b7668ca9f605062333219ef41b497c5b0a0aa2b52ff3fdf8b1940e570cb20ee105d46fe09cead81a558ab45964c5632b1680d94a0a87244c9e3a5

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
45KB

MD5
e8f8c416a04810fea1d3c93ea82ebb90

SHA1
88f94e90f5bf907bc8ba83b51ec3195d0b4aa4cb

SHA256
4f5c201473258690fb1130e99cea81e91cab0424b72eab873dfc3462499c1a36

SHA512
7767988d90efe4eed8ffaf062ca70a24bc03f21c252d5b175f42e13cbad6376772fb2b0d0547d539de1a05475611d51e29679da9b2da588e7e548daccee94578

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
45KB

MD5
1b7433d3897db586f6a0c327fc3f148c

SHA1
cea48d3c13dbc73fc71e2aa6ac69818651ff0329

SHA256
7a4d194a1828cf0c2aa88f4b28a9a26473107f8bfac8db37acdee2e8debd2421

SHA512
9abb2c50ff14ed2e3a9cf7d479a986926889abca37968a9ba704c27d948f793d76be267cec33bd5989310c585d47b758d0dc26e38d158c9eadb6083a11f91b63

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
45KB

MD5
784c04f9695bdfb52f668d2bc1ce75a7

SHA1
20cd68fa6386b30cdee6cf6de83bd02a2365fd5c

SHA256
0dabc18bfd3cbc8a26950f1309c30c43ec68bf9a6da3939fa6bfe6a8a490e35f

SHA512
f81960d5601ad1e375c6d765e050a8e7f34599adbeb22d595c38ef77c283a500d8f8ccafcfcc17c68518f3390ec782ae0e44d731f15318623e021b653803b343

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
45KB

MD5
e251e65874364d0be91c74c73b1a095f

SHA1
4bbf7b4860ba1aa0f53e64a83be3b4dc447f4a53

SHA256
2d0ae757ff8eaca1f62b3219b38761785f4d295082da628456b708d85f61af23

SHA512
8cd1c2b25d595fba951c7676fad463b7965d3f133670035597f8256ab901db65ac0640f2cc639fff1e26ec4cad2f51a1d3ad8da7106031517c43cfb6f71f1eca

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
45KB

MD5
cc14fe3d8cf34a93d3b19ab6e0f25ce1

SHA1
b5877a7c2ba69519b11df61c80b353dadf8a7a98

SHA256
2593aa3a672c36b1b8b93b294c58ca1171fb847ab62986100a22df161e07340d

SHA512
6ff9008a683d2750c5e451cacd97d68c7f158f6c54860b815ba632ffebc85fa43c96112fc884204e3503914bdc851be74d1b47b2f5fc87fe4c21b8e37bca4811

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
45KB

MD5
01999a93e034de67be2b195eaa0852b0

SHA1
5a708810b6c5c93eea35c8014e20520eafbd9b98

SHA256
ff0f73a003572fe917f162b487e56cf45abef39209f701ef7cbe096c7561869e

SHA512
50196bfa7ce2b908c6481416fa857cf6fa6a23e0b42a89785b1a81b1c73098c3cda77d8164c294d91e9a151ca2fcbd26ad9df14c148cf487ec9e3294097c6a25

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
45KB

MD5
ffe4216fccc776a76469178c03372f14

SHA1
cae063e2676efa0baa0744e03eabfa9441dcdbb8

SHA256
67a5d8ddf504ed877c36d0f46da48d09bce7ad20112454cc4180779cd51c81c3

SHA512
8f3d1fdc000b1fa3d8e7c452583aab9023e86c1c1b718b3dd76a805cef9bf925a3679997850ac85071ee5168ea14706ea4c38af1f6e3cbd3348dd7ec25e6da99

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
45KB

MD5
9b88007470c21694f206f382dbfa3178

SHA1
138feca5523a1247815357eb8f5fb7d9b0c1352e

SHA256
92b11f498bad31f97db3270d8169ec97e3d6e6ba8f894284a9c0d82f22ed9dea

SHA512
ed6bdd5d28cbfe5197d809e8e94555a5a8814f9b256626e5f25f286529a1797c9e434f6e94800cbdc85b73e2960b8dfaabd574db82a952abfcbd4caea47f74a6

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
45KB

MD5
c87fa314bbb13519eae1ab15cf6c2f0e

SHA1
f4c50a6a40ee05c175fa0db89fefcc57248d1ba9

SHA256
2832eb4f49e5c68de271ec82684bb566dc28d6a63fc0f4c5ca30bcca9354a8b3

SHA512
8d6d8f400eb39318d9a8432000c0cef878b39d8052abeb9accbe41df02c20ee017cda1b343a3d10b6f58041dec2dd589e187a42785845902f7fac8d36df7c16b

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
45KB

MD5
2b9a8a32efeca76b31d81409cb4ca525

SHA1
6712d5e349fa3601c9ebfca714f3a74402fb1bd1

SHA256
9c830697d09cfbb7ac43d9bfae65fe9fb6ca23002a77900244cd1907d93e3f08

SHA512
1df97ec85aeb5c6fc335b14d8c8c36b8a3b6e0bc88f67ebd97e13c76b394bb00ae6d9914a183afe14103d0affd9499ccf713d2b13707e710dc742dce82892b02

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
45KB

MD5
ac8296cf22eb68c1b794a361fd875494

SHA1
9a340eee87974c1d0b2846917a42c3bb9e0a6bad

SHA256
2e3a9a2b8890c9b14ac01bfe4322e1bf73d766a9399e77daead5d31ecd7639c2

SHA512
143466e3876c7ed135329a1ced8f5b8f6af3c36ce2b0e826a78f54983d852dd0811b119d029fe2f8c80a01ba5508acf9256056c99fa5d76cdb45fd951415c7f9

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
45KB

MD5
8c082c616c8861a20b5c2dd9f714a80d

SHA1
f0dd544358273fcca688c07dd65f773bae47bdc7

SHA256
838be57a9e8a80298353a62d6209a203b9af448a3274d1bf2a6522780caa6879

SHA512
5aae67fced492299f9aa74a5b062ae3e9f518035bdfc87ca74aefb7eb9aab5abcc54379698a826bfa0ad5535037d46a8c7f5d6d6f67d71e32bda9c70894fa8b9

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
45KB

MD5
bae574bda9a6ca5d95ea8a4a96b6ade5

SHA1
d736cd999d7eb2c874b6b849dcf0aa07ee5f297a

SHA256
b4aec1eef86abc266d0ae33e300d8c77cc1c9bd729302599da21286a633bae3c

SHA512
008aa6501990eca6d45c0b196df235a5ec3a001176ed54c86c922a38ed8377b24aba987559fc04f8bcab4956efa91a6b7b47431e1953e583165148dc8f76f159

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
45KB

MD5
a3af97c02c7f0eee80a993013cf653d3

SHA1
834120a96d3f710976ce5bf72c2d009c97b10c0b

SHA256
927c92b67a0611e614ac9d2119e8a4a3b85fe203d4d9608fa50a5bd7e9ce8a2d

SHA512
fc2feca94729a0d010229c47cfc79d279af03e21b56471216ab967da211025062f3da681a55914d4b84082ad38b5fabfd40bf1eabf44012c71e4c64f3022c3c5

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
45KB

MD5
ebfcf9d209baf0ef2c5d1170c66274b0

SHA1
5f86172bc1dd03932f5465238d49c88f3bcffd3a

SHA256
a936f5883a7c7e605a55dc570a85cdbed914e5b692cfe48e81e0d4d8a8f12f14

SHA512
733abd8c3add48d97b7de7521bab3f27a8082ac53e6924da796f8b905e01768aebcd2fe0338e6ebe183e442e84490162a3e57fe0bf4548b74409c50d607edbf8

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
45KB

MD5
4d22876426a4ca47e8a1f4cdd66f663d

SHA1
d494f0deb2a0610b20d5a303e3d601920fbdb222

SHA256
8ab214d66c6367ee2f272dee6718d9d726608cdcf18223892125f484599d7503

SHA512
e2880d58d2a4038d37f32ae0c37e8e82b3cbd3c2d08597dec4c20e2ebe5a6dd01d91cb91d7ee93adfa026c9035bc3ff2934915d23022c328b508858573ad9f20

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
45KB

MD5
50cc034fe5ff28c9ef39b6ef5da2d781

SHA1
b8b063cf16c4d88d601ab573e51e40703992a8da

SHA256
fcf51e09338b85285d785d1de104c01cd0dfcd20971969853fb147c80122ffdb

SHA512
b70bc475f3a5a7d7fa37649dc9a5e451358f588f9c5deaf03b076087a2e2fa4d13b6800cb312b21206ea96bd3f07e31649494f2367ff0d3c6eb1ffcb9278fd92

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
45KB

MD5
2fef0a81d3a4675e92cedf7e0dd3a920

SHA1
00782c7b2bcbad6d88959508b29713eb75ff71f0

SHA256
ceb9a87e0ae0ccd87bb09f165f9b24da65bb8544bc89c6a6bbfca850c4f310fc

SHA512
aa1e8735b9c6a1a53016e24d5da4f39b2868e6197245a35a051c6d7588e41945f65f628d5488b0c4b0aaba67a885086d253e23c6ee6c037d92eb33d7e2c3eac2

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
45KB

MD5
0fd52f2a991c6977f71d3d6b8d97969c

SHA1
895bef0592e886278361d75257c73c49669f33c2

SHA256
b93c9a5bb6e7f0a88de906a35bcad5b0586a3c02ea6678b1983ef500e187f4b4

SHA512
735ad0199b80eebb38aa6f8fce82d4c0a95969fb83c881ec5913caa6f08e38f7a07e70d27a38447b1618f67e75a9c15ee315b89c69650b5ba94678034cdb373c

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
45KB

MD5
e64c0f339c1c7178a116f04baf584d45

SHA1
5904c4be6658327fdcbd46f0e0e7a75e7ca2371a

SHA256
fb83df1f0f43885a1c5317f053a92fa21f27b17c6a4ebb6dd6d4935a2dd18fc4

SHA512
237c656a4f165359ec5ffc3ae88a53f55406fefa87ec666cfbc5a9df8f9fe500d512ea0b7a7f198e665c167535693482a0af5f2b2232f9bd07c082ed43366097

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
45KB

MD5
5074d610f4a901f07f249da228515cd1

SHA1
9185528b6b8eb76d8e5446fe693f8978d4536e37

SHA256
885dac1aaf3479c2eea44480825e63f25a1674e6e4e138549d8e9c80704ea49a

SHA512
cc2f639ad396de797d5d05e603518fb1849e7e8fdca46aa684444eedbb7b4597f1ba3bf5b8c5679a6458a8b016c7dbd370217bf7a99abb2703ab7f0cba494acb

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
45KB

MD5
8cf3da4de279220bc5eb388ba3017380

SHA1
2272151fd95ecdd0e3f352dead3aeafe1707cdf4

SHA256
b7e838e548124097688dbbc302a0801a6de756f2edcfc9c16b104c70f270174a

SHA512
983e1eeb7b2f81a3b49e27e3bd4235d10f45ebc8c4a85a264a8d035e807060b406c9ee40a744b730f74adaf00f2df1e26c078af14ac348615f784ac3f15f888c

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
45KB

MD5
773f287c7f7df2560e7e0a90203a20af

SHA1
9667dcac044ea536742dba4bb4850c653f4fe826

SHA256
bea9d1a521505e3893c99c5b5428ba4a38ac68549e4dc9e13c2abe9af1361a97

SHA512
016bc157d4a4fffe873c42fd81191db1377daf82475aa87b80910c46c4a4f925abbc45f2eeb749fca3aff085cf48e77401d569c6dbcf3795c435ecf42bdd9906

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
45KB

MD5
bb6814131c0fa988fb0db6e568273d3e

SHA1
a3ca69076cec07df962ea40128b1036262f6b0e1

SHA256
eda11566b9113dface8d78fa31c60326a596a82566d907029de000dcaab68fd4

SHA512
a5ea152fccb559f8f4d60e20e819e8f53d2b6f02231dd6943b8113cfcf18410c8da796edccaf6e9087fcbb89e65e07b0c30a291007743722f169f1066e4d47f9

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
45KB

MD5
e2f7cd0eae0523f419deeef92334987d

SHA1
e2278a558c0f1af8aad08bfcd3a625514be1270c

SHA256
7bb0ffbbc21828219d1fd2441df3005988c772b7a9fbb96df4a22d983b2c99e5

SHA512
5999a0ebddf4e4972f9b97b23264ea1cc2f3fd449ec5dab7aacd6f9d21e4c5ccce722bb9e13aa18dd760e55a3af14d9eb0f272befd960ddc23fbe1eb7e1c07e1

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
45KB

MD5
7db2f5c83522bbff60f627da286b728e

SHA1
56af3c845a5d8be1aa60340eb1cc61ad47784506

SHA256
2bfe683435d53ebdf5ab83ee78ff9eeca6f2730990803b2cb4e006abc4e8c446

SHA512
20fc13e67b80a386cf3e8b7a5b68f6f2b8df1610df5c70bf431c66d08587fb1d884609728a32814954b61812948e42a8d1a6628630eabc7a7e503b6c915c456a

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
45KB

MD5
27df975b94aedf1e6fa92aaca5595d0f

SHA1
7393a008a4eddd9d97a6f9cceafed5771ae8216c

SHA256
b6c6b0ef71a9dac46a7b5ef212603b12c05aaa135682b8721c0c5777919b8970

SHA512
1e0defaa217a6716682e725050c02b461f3df81edb6d47bcdd5fdc620836d4023e12f54bf3ef88536e0e53aa3aa22d556cd0e02003a7cdd6f3a57f7bedac71b6

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
45KB

MD5
4ed2745f656fd349c92578ca53db3f09

SHA1
e49aee1cdeccefe5578c6fd9f248f79b226d0ac6

SHA256
67aeeeb9ab7c18cd01a19664d808e0a15ee1c65f5437529c9851de492e6ef168

SHA512
586c4c5f92b133abf825baa98977915b175671bf055fb79fec06b64f199bc5a74646dc19f5db4d3acb38a707fb73c9537fd5727fa2439985bff4b411fc84ef63

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
45KB

MD5
985a9b567796310501f5cdd5c23c2fa3

SHA1
a31568a7d50740b6915a1a3a6ab723274cd18f94

SHA256
98100f9405942c20942db18484bc992f593587f36ebb1aa21e3d7edd354ccd6b

SHA512
cd2299f97b35efc712d14e10be202d50cbcb750dd8559b88b9659ab9d8f31a5fe90352bbf9e3fe7f780473e5ccd25671961a1192ac6757f3cdde1a3b64723afb

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
45KB

MD5
a85089ed6d2b0e35b8b6634bde29f3d8

SHA1
908c2c07ad05bb793e0a9c33b9a3aae0d64ea36e

SHA256
c2057d0f78c4dcf51aa66f573e517770b3aa93af0d4923898dd3446e6ac35001

SHA512
e705c3be24353ac81791f36e21df1c22d0a44dd99400f8a164180c1bf1cf843fe1f7d14f186b637c5c57bbb53da50cf45e8c63686669d1f878aabbe9c6afabe9

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
45KB

MD5
9926b62e0046be1535143360e4390035

SHA1
9ddf7dd2f454218677852354f4f3a7a009c5a269

SHA256
7b8a2c3a5654015f1090551f1ae317632e8a08474ef5dec93ea80e6302e51953

SHA512
5cfb0507e3608771011e6928159717cfa50dc3d8f6468eb8c32f674025525fb9c11c3c59ed933f17956dcbe430b3eba21f905dca7aea77153da03a4d3d9a3eab

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
45KB

MD5
423cd989f88b88b315c6e78caa9d47dc

SHA1
264724046c8e6e0ebda37f74bcb8e68a44c9c721

SHA256
354aaa443e6a7f3c3291fa04e2da42bd6fcb87325df98f3164c620d89d3bec01

SHA512
fdda042cd4d61d9b81fd8920d88cbfca23e67a4db0bae8f55277e2e590e7b4f49264c55c1265861a0afa129ba0a4517c96d54526c4360ba3f23909cd19f99de3

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
45KB

MD5
49d76379998c92a970f60ce15189e3a5

SHA1
8b0057491561192f53f73158f749a3873fe92742

SHA256
8e18862f3c361970f1f10662847f89d1cbe6dd24b061ebe64c5f6584a884b788

SHA512
50a769a3e58826868429414e6a3f636f78e0548cbfd49e14aff9be6b2f34d49022153b8c9560f6b3bbf99c605e72d7691885ab2df0db0634dafb24f8d3de8010

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
45KB

MD5
b9458beae77b6234744a6278ca1a1a01

SHA1
d7a20d8091917b4d6cd6a2eaf0c8869c840e3555

SHA256
dfb937689c5af9de5b8d2caa6c14794e8483b91b3938cc464cbd0aad961101bf

SHA512
040bc56e2d1a6e12cf8ba065978da4fc161dd711ac8cdcb29f419e61faa6ac4f05780222f211135a9e841c61d5faebcf8dbcb4b8c218bf7b5944cf6fbc79c14d

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
45KB

MD5
c0e2865e9d3aee64f4dbc4f05cc17743

SHA1
72f88b2299bc76f575f89e748651fa893db42bf1

SHA256
55c8048888219b253171a216657122583d2a153e2d11e81dab9e937c1495cfb6

SHA512
b1d08c7d4158a6b59261a4a2144db005594a9a6df5717183a7787eaed9b711c64700da079e03fcfbeef0d38f52bb7d61fbc794fb87bcf0914ed6c3cecc71acd6

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
45KB

MD5
ca33c3511353770616f42b555ac8de20

SHA1
d32d33b899b345f12da17de68b2314432ae0d9a3

SHA256
12e9f926f1f4bea2b9e29347f937020b08710a283474a5b8692b9499180281df

SHA512
eaccfd7378c3b424df19e8dbdf8aca33d8fa9ad2414acfb8f0e994f7e65417910ea22c58c5bca672ce7204146651e71fda8a20c3a906672da62b1a41230dec95

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
45KB

MD5
02953f5bb3155cc63888ea1792bb8485

SHA1
7574509b79d94e047ad5a9610694f0a88a290b12

SHA256
b6093fe1a83576caeff7b826ec45b0e96ba5e0cc4601441e598530cf8fe6f01a

SHA512
831f1f617a2ffa5e7e491e504da596eaa08b6aff98ab91f53df9f3fd46fe9417495feedc95f5cdf368b4ca70c945062c61fe3102a718b9b9c38ec66ddf25a4ae

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
45KB

MD5
4927cc6724301ba9bd895f5a2739677c

SHA1
77e697c014ca64b8dfe90d2365b29c16cc6d7f77

SHA256
ee3bcf9615f816be96f293e4990950d86e392a8ee91a87d356775aa93c52dcdd

SHA512
de1065fefc93845f7041fe145c3c89198209fd4b4adff1378cc494ae779e19a1ee55309739728d10cc08df5e5908ba2c1323f4eb958ee3dc55a1635649116633

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
45KB

MD5
417b13ffa224d6df0edd76ddcfceca47

SHA1
4c16475effbec0bde777aa0f808d48a6c2d12a5c

SHA256
b827064841cae20ddc7d39cfd3d3173664f9c55383a0c8a77660d56b7b34312e

SHA512
f4d356c88a2b4f3a1d72249a9fd15525edf5aad797eb800af30cd2e7eb322019dca26517fe67e0a73bdae2082878fca18ba82509b2866ef7c7f53fefca1acb1b

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
45KB

MD5
8ff8cb404a8a2d88798eadb2c978e8a1

SHA1
c7cf2e2d650e20ef892afb0f0295d370f84feb03

SHA256
78c91b0d440d57c1bf2f9348d1501e838ec8ea6ea31ca1995f8237dbcf1cf991

SHA512
df51d3e27730bbb294fd9e38d760a22a5d7d6ae9a573c8403a36255d7f3463ed34e7e0da28244579578e828d451a720f33b1a5b3765b192ae93a29ba84e0bd34

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
45KB

MD5
6e1f4341ddf12acad83bb8f9fa172d08

SHA1
009f8d3c4a58da3ee58604dc67b7daaaabc14ac9

SHA256
e6aea3688e594f783f9678cea62e62ac6e0686095522f3a96a5e20cf108a09c4

SHA512
6d1d7460b1cc479777e16f1c3afbbf8b7f30cb1ec3b93343975b7c68b07c482376bff4bdd4d3d8d2942ad4106f5096344451071cf1762bbc5c57dd73f7f65c43

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
45KB

MD5
75c76a86cb109230f1d6ee02732e59cc

SHA1
dc12cd3486dd6b57856c13eca45bd775912b7042

SHA256
1745ccca8f7de07e3f6f918c659229e775569d72d430921f999c60923ccd1fec

SHA512
94af0f348f3d18e7c19043a70fff22818f64644cce2c96b440dd949151365b2aa7c4e644f8ef688e2f82613672f33865b581469492a7db1763b94c40b8f7f3af

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
45KB

MD5
9cbc2a8258abeef0ad16f212b5182346

SHA1
d311611b3061d9a1b946b44892692aa1ca9924b7

SHA256
5b114a108b58439f2fca5519cf1cd4f38ad6b355530bcc9f4633923f24e0efbb

SHA512
39733c1de35f63d1fbfe33b5a81f55d9a5664dbaabdea9dd767489f1e0668fae7c1a39fea654d6832e854111f554e943ff4c8681a31db66bcda65da68dfaa12f

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
45KB

MD5
ac3ed767e748621835e317a00e467d8b

SHA1
f4c66b2e651d0e53600a723a6fa208127942201c

SHA256
93872a8a822ae2c4955c187ad46a59a7596582f83b56b80238303512cd55d0a3

SHA512
d2b7838478402faed10dcf570422679752f3fdadd78d97430920055a68f3ecfbcc76af3e551e9fce6c42809cfb0388dd1eafbc0e71bc809f9c2f8df925f4edcf

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
45KB

MD5
0fbc3c1ec4211dab73e7a3763c846011

SHA1
587698740602643eee8a5c131985b545e521ee34

SHA256
310b9e5b948abf3105de9a6321bacd3fdcd58c09111225f2cdc5a4d78e75d7ca

SHA512
c1032fe7b60d326789337b2306e1303d30c8b5e70f18edbeb0aa9a8668dfdc5c3eb75a75521ab5665a41774a5710515d5900c258ad2f1b31781fed34f9c3e039

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
45KB

MD5
089a694f530df769be4d3b4444a6f8ce

SHA1
8886a08cd2d58b5dcd79ea352b798ba11e57b45d

SHA256
2587655027beaa50b85bf07db83d06baa830c09784488c7c8a50f9e6b07f7bcc

SHA512
5ee84835698bbf39e40a59a04857c828fc945a48cf0dacb0742855cb9660865aeab0411f02ae6045beb6f5f9f2de3467e51bd27d7171fe1450e1a72613e26ee4

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
45KB

MD5
857ea97c4776475563fb95995ea94362

SHA1
083a806028cd242929162b0478a9b60926b62c8d

SHA256
3212ca9203819342453a82f8981744c1b3c8f8dfbdad1496a9799fba819622ec

SHA512
9985b217e9f60db50aa75773e82e8f3b924c593805d016f73cef69b506180c15be00499d055ad4efaaaa38da72952e41acfbf9bf1a5a3df40b58ea06bf8743f0

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
45KB

MD5
cb7c9fe2aeeaf5bbbb9943ba671fc009

SHA1
1074e61fc9cbf9b0f94002b8a23e8cbfdc6803c2

SHA256
3f03af9ca91573ade3d4d44cdf2affd69ce10c60f8db0cae610945f956ec4f9f

SHA512
2a90afcd5c8192eef19b3069ec3f7ded89899a134c512ed9d8f6286d34c31922cb08832616646cf659b9a8273d23497a28536875c976ea9dd27e44e119281971

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
45KB

MD5
c5e1f6a9a723e2b97bba87c02be16b4c

SHA1
2b2028cd0e01208b1eae3431d13b3495cb27905d

SHA256
009916ee264c253c516a678456b2d05d53112e527a8c9f2cb9c3716a04a96e96

SHA512
43743f4a82dd51321ca7dd4b4d4c0c638239d8892699385ae3f6c249a1ad57a29a21f69621584dd9a752099960f438fb8c3cd08937b65fc176e3bc9842ffa96a

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
45KB

MD5
2025fd2f5ae09cfa9774c6bb06ad736a

SHA1
862064707768760760780d849dc182b3f211119a

SHA256
91e295fc04490306be6ab363ba6b6e5374aa3e39219e452e7df5ec7a0d50de63

SHA512
aa74482928be0530eec0a676764bd92934e8c1556c53c1eeea019f25169f15096b2eca4f0c8c8e13da2b9c14c14f70bdc1db9f4cf68fd533ea1d9b6bd08ddf3b

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
45KB

MD5
0f7b943b19f7f091403a729ae437820b

SHA1
e7ebe6c17e18a96f5010613f35abe25c6cf058d6

SHA256
4f20d4c87e6f348f2d79d81d662a6df4232633f7356e72c6dadba28ae79834b4

SHA512
c21f5336986bdd0a1ea9b745992d42e63d418dca3be50562fb9eea0d5dc57b88ba18f07f77b3b55fa0afa46339009bc6a21c4819066af26a5da33522526f585f

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
45KB

MD5
8e8c65f3303fec0c498b500b7c19a361

SHA1
5846dfcb2c2c079426c32bde68220e672baa2f09

SHA256
fc0b5649f5bed68ea87c372a8d10e08ae711b6d3fdc337e66d0333959c8efaf8

SHA512
dd680343c5088615a64cd3c0228befbc577fa76105793d2ec969f9e79017e9657c854bfd26f2e3f7d91f20a8a91f9328f1d0440982b82ea6cbc19e88892c85a1

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
45KB

MD5
3ccb92bcef3db865e13f8716e61cbef5

SHA1
bc36158a94e3ed9b78d89e06d836714d26cb963e

SHA256
f236579ca2ecfb99c736738d32e39245f2df64df3b0b305de326a691d72f63f0

SHA512
3a1abd7db2d6c13de1bcc6ad4589b919dff734de4ca2c0a6fe2ec8342fcacae28f03ddb3f6e4f1bcd7a69bd64a8068f9a769d989d8e0e0c8ba3a7fb33bcd58d5

Download Submit
memory/64-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/524-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/668-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/764-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/988-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/988-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3136-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-1136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3908-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4108-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4112-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4252-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-1148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4712-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5124-1065-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5268-1062-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5756-1080-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads