berbew | afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393N.exe
Size

63KB
MD5

f93e5f7fe2bd7e306f1d042154996af0
SHA1

1763b84b07bb0b7a72d403a9cedfb60a3359351f
SHA256

afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393
SHA512

2d59668b60451869aaa433b4da4f919907d90f9ac4e5c22991b68e1d2896a663a25e4823babdfff774da9732dc725dfec59eb7681ad3cd4138ad45d68c670d5e
SSDEEP

1536:fiukMlmYCfsK4nCJqVnE9DlUuPvyLjaeliSsH1juIZo8:fRkMwfReKB0piSsH1juIZo8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1396	Nnneknob.exe
3600	Ndhmhh32.exe
3440	Nckndeni.exe
4348	Nfjjppmm.exe
676	Nnqbanmo.exe
2044	Olcbmj32.exe
1600	Odkjng32.exe
4456	Ocnjidkf.exe
4696	Oflgep32.exe
1284	Oncofm32.exe
4736	Olfobjbg.exe
636	Odmgcgbi.exe
4400	Ogkcpbam.exe
4868	Ofnckp32.exe
400	Ojjolnaq.exe
2328	Opdghh32.exe
2816	Ocbddc32.exe
1424	Ofqpqo32.exe
3468	Ojllan32.exe
5072	Olkhmi32.exe
3004	Odapnf32.exe
732	Ofcmfodb.exe
3048	Ojoign32.exe
4536	Olmeci32.exe
4476	Oddmdf32.exe
512	Ocgmpccl.exe
1124	Ogbipa32.exe
1080	Ojaelm32.exe
2248	Pqknig32.exe
2576	Pdfjifjo.exe
3152	Pgefeajb.exe
2068	Pfhfan32.exe
1616	Pnonbk32.exe
3560	Pqmjog32.exe
1240	Pdifoehl.exe
1372	Pggbkagp.exe
1084	Pfjcgn32.exe
1888	Pjeoglgc.exe
4776	Pnakhkol.exe
3552	Pqpgdfnp.exe
4044	Pdkcde32.exe
3076	Pgioqq32.exe
3208	Pflplnlg.exe
4088	Pjhlml32.exe
4164	Pncgmkmj.exe
1736	Pqbdjfln.exe
4064	Pdmpje32.exe
4820	Pgllfp32.exe
4140	Pjjhbl32.exe
2320	Pnfdcjkg.exe
3916	Pqdqof32.exe
2976	Pdpmpdbd.exe
4376	Pgnilpah.exe
4668	Pjmehkqk.exe
4784	Qnhahj32.exe
812	Qqfmde32.exe
4252	Qdbiedpa.exe
2428	Qgqeappe.exe
4852	Qjoankoi.exe
1144	Qnjnnj32.exe
1224	Qqijje32.exe
2420	Qddfkd32.exe
3836	Qgcbgo32.exe
4076	Ajanck32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393N.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6732	6608	WerFault.exe	255

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Odkjng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1396	1940	afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393N.exe	83
PID 1940 wrote to memory of 1396	1940	afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393N.exe	83
PID 1940 wrote to memory of 1396	1940	afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393N.exe	83
PID 1396 wrote to memory of 3600	1396	Nnneknob.exe	84
PID 1396 wrote to memory of 3600	1396	Nnneknob.exe	84
PID 1396 wrote to memory of 3600	1396	Nnneknob.exe	84
PID 3600 wrote to memory of 3440	3600	Ndhmhh32.exe	85
PID 3600 wrote to memory of 3440	3600	Ndhmhh32.exe	85
PID 3600 wrote to memory of 3440	3600	Ndhmhh32.exe	85
PID 3440 wrote to memory of 4348	3440	Nckndeni.exe	86
PID 3440 wrote to memory of 4348	3440	Nckndeni.exe	86
PID 3440 wrote to memory of 4348	3440	Nckndeni.exe	86
PID 4348 wrote to memory of 676	4348	Nfjjppmm.exe	87
PID 4348 wrote to memory of 676	4348	Nfjjppmm.exe	87
PID 4348 wrote to memory of 676	4348	Nfjjppmm.exe	87
PID 676 wrote to memory of 2044	676	Nnqbanmo.exe	88
PID 676 wrote to memory of 2044	676	Nnqbanmo.exe	88
PID 676 wrote to memory of 2044	676	Nnqbanmo.exe	88
PID 2044 wrote to memory of 1600	2044	Olcbmj32.exe	89
PID 2044 wrote to memory of 1600	2044	Olcbmj32.exe	89
PID 2044 wrote to memory of 1600	2044	Olcbmj32.exe	89
PID 1600 wrote to memory of 4456	1600	Odkjng32.exe	90
PID 1600 wrote to memory of 4456	1600	Odkjng32.exe	90
PID 1600 wrote to memory of 4456	1600	Odkjng32.exe	90
PID 4456 wrote to memory of 4696	4456	Ocnjidkf.exe	91
PID 4456 wrote to memory of 4696	4456	Ocnjidkf.exe	91
PID 4456 wrote to memory of 4696	4456	Ocnjidkf.exe	91
PID 4696 wrote to memory of 1284	4696	Oflgep32.exe	92
PID 4696 wrote to memory of 1284	4696	Oflgep32.exe	92
PID 4696 wrote to memory of 1284	4696	Oflgep32.exe	92
PID 1284 wrote to memory of 4736	1284	Oncofm32.exe	93
PID 1284 wrote to memory of 4736	1284	Oncofm32.exe	93
PID 1284 wrote to memory of 4736	1284	Oncofm32.exe	93
PID 4736 wrote to memory of 636	4736	Olfobjbg.exe	94
PID 4736 wrote to memory of 636	4736	Olfobjbg.exe	94
PID 4736 wrote to memory of 636	4736	Olfobjbg.exe	94
PID 636 wrote to memory of 4400	636	Odmgcgbi.exe	95
PID 636 wrote to memory of 4400	636	Odmgcgbi.exe	95
PID 636 wrote to memory of 4400	636	Odmgcgbi.exe	95
PID 4400 wrote to memory of 4868	4400	Ogkcpbam.exe	96
PID 4400 wrote to memory of 4868	4400	Ogkcpbam.exe	96
PID 4400 wrote to memory of 4868	4400	Ogkcpbam.exe	96
PID 4868 wrote to memory of 400	4868	Ofnckp32.exe	97
PID 4868 wrote to memory of 400	4868	Ofnckp32.exe	97
PID 4868 wrote to memory of 400	4868	Ofnckp32.exe	97
PID 400 wrote to memory of 2328	400	Ojjolnaq.exe	98
PID 400 wrote to memory of 2328	400	Ojjolnaq.exe	98
PID 400 wrote to memory of 2328	400	Ojjolnaq.exe	98
PID 2328 wrote to memory of 2816	2328	Opdghh32.exe	99
PID 2328 wrote to memory of 2816	2328	Opdghh32.exe	99
PID 2328 wrote to memory of 2816	2328	Opdghh32.exe	99
PID 2816 wrote to memory of 1424	2816	Ocbddc32.exe	100
PID 2816 wrote to memory of 1424	2816	Ocbddc32.exe	100
PID 2816 wrote to memory of 1424	2816	Ocbddc32.exe	100
PID 1424 wrote to memory of 3468	1424	Ofqpqo32.exe	101
PID 1424 wrote to memory of 3468	1424	Ofqpqo32.exe	101
PID 1424 wrote to memory of 3468	1424	Ofqpqo32.exe	101
PID 3468 wrote to memory of 5072	3468	Ojllan32.exe	102
PID 3468 wrote to memory of 5072	3468	Ojllan32.exe	102
PID 3468 wrote to memory of 5072	3468	Ojllan32.exe	102
PID 5072 wrote to memory of 3004	5072	Olkhmi32.exe	103
PID 5072 wrote to memory of 3004	5072	Olkhmi32.exe	103
PID 5072 wrote to memory of 3004	5072	Olkhmi32.exe	103
PID 3004 wrote to memory of 732	3004	Odapnf32.exe	104

C:\Users\Admin\AppData\Local\Temp\afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393N.exe
"C:\Users\Admin\AppData\Local\Temp\afc90436d2caf60c7866c6dfc4ec36405cb51b316627e5e7962996d97cca7393N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\Nnneknob.exe
  C:\Windows\system32\Nnneknob.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\Ndhmhh32.exe
    C:\Windows\system32\Ndhmhh32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\Nckndeni.exe
      C:\Windows\system32\Nckndeni.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        24⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        31⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        35⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        40⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        52⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        56⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        58⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        64⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        66⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4824
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        68⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        70⤵
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        71⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4752
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        77⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        79⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        83⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3044
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        86⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        87⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2984
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        90⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        91⤵
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        93⤵
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        95⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        99⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        104⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        106⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        108⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        112⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        114⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        118⤵
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        120⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        130⤵
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        131⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        138⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        145⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        148⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        152⤵
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        162⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        164⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        165⤵
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        166⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        167⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        169⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        170⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        171⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        172⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        173⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        174⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 428
        175⤵
        Program crash
        
        PID:6732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6608 -ip 6608
1⤵
PID:6672

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 412e837f0b91499e45bf4ecb8fab45da doRrnAm7SkWxxhLrR71Ugw.0.1.0.0.0
1⤵
PID:6252

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
63KB

MD5
8601765768f8e2a4e9cbaacb0141e327

SHA1
8674b50f2d75b403376828948899de6dc5bdd5a7

SHA256
02b2a871a5ad2901b552029f9760b05364434cfd72fb683fea8aa9dea73bd88b

SHA512
51ccac70f0386531b64332577a9d2dec44d42ec38902a341135dffd9bb483eebd54d0a68662f79ba17f440c1494347b865ee964dcb7f03e8e1f62d3d0fa5e776

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
63KB

MD5
7d43beb81a38d1fc9e4d73f7a3d16cc3

SHA1
aeea16451981b38b699486fb2707f7f12718e1c5

SHA256
1e185d20f8ebe6895a1e50795fe037477e65ccb5d32d40e7550ca5a49fc6bc5a

SHA512
cc34763118a81ee18fbb97566b6a217b95a08f449356846ad95836b7d4278d459ed340a86ddb3de676c44415588bbd9aca03f68e017a627b00a3230534b873e5

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
63KB

MD5
0ad9d8be3af845eac1a8e49965e9b187

SHA1
3f98cfc1c6eac1ab3357a5b9d7a1858afc6931e1

SHA256
c3aad01492fc1266ba370e604599f8f7c338f918dfd05416855a4c8a47adf425

SHA512
8363318f5940d86e723940ddc36bd3aba90bca42e4ea234d3fdf747c127899a7625669764c1830d01cf3b0e4e38bcb1ed9ea16e4c0c79bf768b2c50873a54b72

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
63KB

MD5
c75a7143f457a32355346343e2771317

SHA1
6e8cb4317ec8797dba63bcd9d7b2f58d9d29513c

SHA256
dad9b62dcfcf315f4990ece9c33ba1209356b2befac170d9cbf35d027c12067b

SHA512
c851c6ddb984db6adeafcc9c09a2124824e5fa22f0a78fdfda8b59899e0824fa1633bea7d2745e75cc1dfebf3dc0fada4f180e342a9db8ef890149e0e07a7593

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
63KB

MD5
3a3064625ebebf66fbe9d45b3dd8a0f5

SHA1
61553095aa0d7ad93896a0316adf33ccc6b2a849

SHA256
dbaabf6e943730f9e8559b5b59c668e2671e50f636a047d666963cd06a4a3b5e

SHA512
4e469fcdaada59efe55de74b5d25e9c4bfbd8f8a5f5aba5dc98fc604d32e298fbcebcb9a6f7d1ef8ed1bd0029911b782a70ad61f43c5c035c01623048f3c045c

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
63KB

MD5
26a2f91e1dc9a4b522d5f3f0b05696f3

SHA1
ba295bbb97748032955069811733a4f3d1d7cefb

SHA256
fdec03f348cf3d004c505d2daf0832001150819dbbb76ad7893c3d390aebed98

SHA512
1abe16c15764453b84a645d98e1506b5800418402ef52f19257a133c3be3dd351f2c46680cb0712724c66b392fa1a8c1b8319a8504092505d5e6413ca50a7701

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
63KB

MD5
190781250ac22ffb1b627eb29c6f6dc7

SHA1
cc4f930804f16802eae2d4b7f622f5a4e23e69f8

SHA256
c9272ee417b2dcba2c9515d54a011087b8cb582d6f9b7cc28dde41ea524938c7

SHA512
6cca2b9a8bcf25e6fa45e957e9fe690b6bcc49039eb09a69504189503c54bd115a174aa7f1053d074228c14b40383ab6222f22cfe56d61b3441ec480374df400

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
63KB

MD5
0f1e10f094a9ce8e93c263a8fd643ab0

SHA1
bbef8fd2c49dbcc17a6cadd1e8e525cc955b3e2d

SHA256
9a50c9b1c755562cbf91a9c837bd07b24dd5de039b34143738b5cda4f23ede98

SHA512
2fe7c33c6d744608b00844114c09dd79d9e4eab869fb0d58834af949a6a2f4838669736cdd02b56b1f1bc3359bc9255ce9bd7a8d950d1e38f8f3ea76d47d35d7

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
63KB

MD5
537f33f7ce6ee6926dc890825905a2a1

SHA1
42b33d9f185b82ce99e77d325119863566d64901

SHA256
6d4d1bbc5f089eb9a6075a2a557f6d45503eeacbf8613e9dfc4dec4e7a8cf4e4

SHA512
bb1fcf702b48daf7facd763104c7a536364342c43912302eb6d07583bb982e8392fc21c1d5dabf63f402e9b6990a713a0a7dbdb957f3cac25f7dedb114e23236

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
63KB

MD5
a4f01f65f6b957b0123c0052a783b277

SHA1
bcb6581cc590d161e29c78644ad463ba7b6f8830

SHA256
d11648d4b35a260afa886180e71707113532a6277d61467d51d3507ada82548f

SHA512
327058c7582df78794bf682b9f087f8fdd97d2dda2d7df91b03d4850a4633b32c95ce732eb014d1cd205b3d79855b08a951ce991ff94dc0557973d983d6daa43

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
63KB

MD5
30bc560a83900d217934306559b5b768

SHA1
cd4d3f3e3f2aa90471166b870ae6c1083f91c96a

SHA256
3620a8d02568e5024aa4b254e6569351deef9cbc7e86c270151d5e26fd57f5e3

SHA512
c41cd9b0236e426cbea7712baeb26fc7ab9ff96d2b17be084debdecdd489828e3f5673819075b14e13e0e7e272960bb162d6224102c51036c54d46c312de2eaf

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
63KB

MD5
000118c0365f2236738ba9a262339945

SHA1
dcf0b0464587a2ba108c935781a32d36b3626ffe

SHA256
63597189c11cbb1e7c85171f4b75e9b46d39972aa766296f5c8822b1ca020c75

SHA512
ec188806ff17151d5488f75d0cd42cae6e161fef2e0b1fa928897dbd325b9ac93657f3530476ff74c63d734c659fc2fa42d6666fa904e09d3ce768b0554a5f91

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
63KB

MD5
82c46ca932069621a99558b3c95756f9

SHA1
a4dbb95a60460894bb5c36e8ac62c2c185eee4b9

SHA256
7eb3effa7be62fdba02a7c1d6f9449125ea1ce680c7e5d58591a1ed38ff23bf0

SHA512
a11119c285475249d5812f88d8ce93566e6b619121f17db6dbc74ff9bdee275cfba244c7e0c84821ab4d0335afa790e74851e082f5880db7819a1ce97158ecb4

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
63KB

MD5
4954dcd07dcdae5fe112e58db04e83b9

SHA1
a01aa114a9cca3d34ee84f03b75351974323f394

SHA256
0fabd25feee1fab6a143aa373016948098b14df7b3b7878e2eb98bb9690fca85

SHA512
ff66465ce7ad954d9721bdb5b9f6938bb66f94cc0db65419ba17c3b21ee72f4bd2483222d08dfcea9f960dc50ed3275b520d1b65b3c96971cc9b8c32be0950f0

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
63KB

MD5
073f9f48cf44b1a7bae4a1beef5aead3

SHA1
9baca9899a40877323833effa4525dc8c96d0981

SHA256
82c3cea00b54233cc8289ca5160bf9997e61b11eea93bf1875ff1fbcf1ebef6f

SHA512
ecd4ce771d70696b705119845ed1b8032d7e095f9dd64c5400fdfac2ca0fcbd27ebf9fcf07d9ba4c234d761fb3d31806130a6a403140518b2815f85efa6c748a

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
63KB

MD5
d35c1aff56c91a96cde2fc85cde8a0cb

SHA1
1e4057a76b56d9baf6f3c0533fb5a48f42f59499

SHA256
04060b64ed4840ac973b3175655becd5791c1c879ee437956e31bd5ff44b2b5a

SHA512
4ae92caf7291d3f0f8390e6a71a7d83636e3cafdda366a2bcd69e17a36dcbfb6d5362af9f754bd52d5a6e75cfb60fe7a17dc6d4f24cc58fbdc77b6ee5630f529

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
63KB

MD5
28032a48692d7aedd94095866465a1c2

SHA1
55f39486ab28718b4eb18b1186f4dedaf40c8de8

SHA256
d008d5ba1c681800a3c33a753266172b4487f7cb3deec528491e5d304747fb5b

SHA512
8e0fbdafeb5a1b0fa19928d8844ca90a2cd77df845d765ae2b761d25386bbd3406ea1ddee205d74e788f28e38aae32e9ee39a2f9b0fb4906479698e920263c54

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
63KB

MD5
338d8fb9d946031cec2861483b4cadff

SHA1
7a79734bc641c08fa1f883f5609c7c59fcbf5747

SHA256
00232a309e5299be1ee2ffe03c4566bf1131402ebc51d539bc9b9602e2565221

SHA512
5d25d21e2ce1783674b37fb6a91ad8dfea22e0bc34e1d657e7d3bbe59f6125559addbfbcaaef378ae486389d864b22ed3db2a6526dedb2967d1c5a94d84a2141

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
63KB

MD5
3af4891ccca63884de20614937311579

SHA1
7b34344777d1f6085f88cf00e0aa21de8ac01569

SHA256
56fce37ba1e8d0dac49727daa0536a5c3489c1b572010ce034e8b1a4ac01f004

SHA512
d7bb15ef8c7c96f186159cc7ec1ec8d62963f252e1b16122a7c2ce81fc1ffa1ba69b888221f32339f2f4e41ae6e4f90b0b6a965d386404457776c46b4ef45db9

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
63KB

MD5
a4f6ff08e5c03a4040ace2075f8d6601

SHA1
ae036268b9a1dd46f0ae52e6e263a1010b4ec740

SHA256
b3a9c8eb49c632fc0b4d9f3202b4514b9046c4be041ffaa6d8edb08a456111cb

SHA512
d5af1b192acbf8ae7741b18f64d982524c1798b7dd59267f02e85c1cb197e57b2822638209b3e753549e989c3948eac5fe781a07afdf65c3f5d7b88c57842a25

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
63KB

MD5
ce0e404fe76518c54a9fde55ed0b8f64

SHA1
000fdde8cc755f55864b85b0284c4190bc47f271

SHA256
a96260d4b79c52a7a0187b095dec4cf65233e564803e73033ed8ae0506d50804

SHA512
172f53855dd9b959ae87520fcd8dd4e6eef76e73a9bfe61cee63e2371c2747524252fcc6960b714233f69f62b2ac1aa267f4cf8c6a3d9ed06fb38fb1d889f112

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
63KB

MD5
77d87652ee38ea4f7347bf873b4a26ad

SHA1
80482955b5a8d749bf10e447b844280c65be27ce

SHA256
9d71bee6c2db56d49f8cd4c7ed30fa1f091fe9b9b084be33ef67a2d3e58a77b6

SHA512
f0de2fb62931818105d0f66e64e6caf9412af45dde10dc49f989abac6ce8fbc4882396f11b1ddaf972411ea654b0cb366bc05b6f24e0ac3457afc0794958cba9

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
63KB

MD5
28ad2230345f0126bf4507d113404a20

SHA1
309aad04ec6f2b404e687d545a8b9b32949d3160

SHA256
2600f7ecc602954afaf9d670e6a22c2208207978d12abcebc14e400138146816

SHA512
d0451228c2d04d092dea9669fd1bc63884c5052fa897455da829b4b7fe622cac4e0ffd3c1de2ff0dfe1b436cb3216d266e063210015d357a8d313cfcdd2acd70

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
63KB

MD5
076345cb530c5001f5ab862a27a6cdac

SHA1
573be070adf731f0e584c0c00695c1cfe8730071

SHA256
8a8665cf7836aa9af0cc03c62435a382198461d8730634f10a489f9d7278652e

SHA512
e591d78666d660138738d832fb3966847975e3560ca60d3e3a307f12d01d24ec7835eee7cb3619420ac27d6fb96501f727baeb0b427ae862e339e1ef164b50e1

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
63KB

MD5
16c1dcb289cf6c3254bc2380fcda032d

SHA1
954071104e26cb84190ab4a58671d435d5a5cfc9

SHA256
709221b51ebfb753bd2c9e0367f4264ea78cf28438f6fda68a600385c9ece430

SHA512
34ba2578a3e92434d6a35cec5c8b8077d3b2f9a2cbc0fe207b89481524a03a39277ca4e03b20f1bd2309bd57d2f3d6a48634263a3b66509d65869e8187f5639d

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
63KB

MD5
ef149bed86bc542b8abe7f74f3ddfb4e

SHA1
d07b2ab94f2f3730ac04319a54b929f562addd03

SHA256
0870b91ebfebd62bf1408cdb0c948dd1b69eab3fcf7053ab207bd48854361832

SHA512
a6be3cf78039f5f45ddb880602bf538cdfbdd20b4938ee4393277f20a0ae456cef542b16a946336971c5f08b77baaae1a92c510658b2e296498b29e9069b4262

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
63KB

MD5
148fde988ed510ff26dad900acc919e6

SHA1
5df7fabc8df20faf03d5434de2663cee0656450d

SHA256
cdddef65b3b8e6edf7fcd49e14459e2ac801fb311e3a64a46adcbcccca4b96e8

SHA512
1667a42947f9bea96823d9de31e31c9035a2f7f9c10c633d6488be8b489c91909f4088dd9312069a13210d0e0dbd0c413d38152aa8eacd1dae66d244617803b6

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
63KB

MD5
587ceeb0b9ab0a7d2d9bff84fa8b1ca1

SHA1
44a12d19e30ba833f84a83d319c1c14f6cc9cbfd

SHA256
5dfa7a922a0eed80f42d08caf76ce7c54e83a6710310f6662a15c2a988e92b9a

SHA512
6a68012944d28ecc612981db03df9cfb702447ad8c7d526a3d1a3dc4a4ec67ead2af8a128a78dbbe7ce9ca9d47d59e189888934e444183a631707d600a10bcb8

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
63KB

MD5
aad25c8f157f8ae3794efa1cb99d6f87

SHA1
daf9df12a603013f56cfa2aad7bab163f1771a12

SHA256
807297c1130d29fffe0a2897eea251cb71603d17941d7f8e16c6e367047e4362

SHA512
7efa4c6989d54357243b0bcac5d9498f9f8d8354fb9981521b247bdc3195d23aca78c4f6ce6ba0a730620363e898800d03bf78ff72cd7c9826a9c18af45213c3

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
63KB

MD5
f4c671f329500f3361b6c128f5153af1

SHA1
ad4fe41b177a7f144cfe75677651b9f3431166cf

SHA256
7863899ec5d135a4c24a83646a6d20496345ebe862d70257b57bed4e1b9741a7

SHA512
f3ffa3602daaf32657ee8a3c8d8b8a0e938745d31cc4289145dde304268f4da88e82d301bc883fcbfa83e9fbaab1dda8e4630bb2ed9693957cfb4b3ab0c66fd4

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
63KB

MD5
d6055df4032005e7cac5fed7429790fc

SHA1
1226a949389c62dccfbd25ae725d4e30e35b4440

SHA256
7b4319b1cd3e842c8fdb9af0cce8a20dcdac41ec08ef1057bf56915e89ac3bfb

SHA512
059888ed573cc650c2474afdf2c9a581b1fbbdceea434754c91fd4801aaedd7f8dfa0c95f7605c58542a2526a435db18ce93f4d09e9caab55100173ad60c8ff4

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
63KB

MD5
4b24c00500cf4d941090ad3523042449

SHA1
1c85a14a58a49e87539b2561089119cc1f0a9ff6

SHA256
a3479a4d3649583d3531c98b0123134abd114056daeb88b097de35ef5f1f476b

SHA512
66f1ba0d76469736db3e16d6b29dd178138fdfab438587aebbe742e15393e0361ba7b8abfcacb40c238e2c834b1bfa7996fd3e46bbd6bed486fea5983505f70d

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
63KB

MD5
c368c6eb5b267394516cb99ddd120739

SHA1
260fa66b8b78e4fa7d389e2c4b6299a609b1100e

SHA256
7e7c48c5e0562f6ede2c66db1a102e3cab7208815ce0e42f6004835d484156c1

SHA512
4c7800dd317bf53983296f1b02b9fff6b49e4c10e1106dad3bda056e70029de30b89db0e84851532c81cab05bb1f96c43ef95ccc4c47a833007838b316670d48

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
63KB

MD5
1d0c555bd37ccc42cdae91de0a328ad0

SHA1
e47d7c0ca6645da2306f1e90e6b1e985030fa331

SHA256
ed2b6221cd5b0709d1dfa47093db70fa3830e8a883b472348165e4cdf2598834

SHA512
557ea3b81d4af4feb734277f8cb0417494ba93740edfcfaf5865c0093cf09be9358e4de7b0b6ef79d55b2369040eec2c42218ff5601d14ca06e620da902b6980

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
63KB

MD5
8700279344542fb2e7f60d6f7cf82ad7

SHA1
9907a6c54e86fe4988b3026c6b8a24e9bb81e620

SHA256
6abade70e5e469efd9d4f7a5a4813b64657b02276cf73d1e6b8c51bb3586a491

SHA512
79ca9057fc8f70931579a90349e0356edc04ec351590799fb26ca2fa600ca0aea2c053c672b3130a6e8be1a61d24bcb22e583f9cf598531b8255a252f43ac2a1

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
63KB

MD5
1e4b50cdb8963d978fa254336ae5778d

SHA1
f904e9425bafc2fa9b9b949f284018346b5026ba

SHA256
55a8f94be5ecdc9e2c1879739db598bb62eb768cd3e964ae0b6ce7d74738ccad

SHA512
43f195c01d0a6b6fbeb41668b3df2616c2da984521e03d4b5a2f5a8b5745ecfcaf4156bcb7ac2e9d9eba9af1d42f3f15891b82528783f3d7f51b5e0be9c6a9e7

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
63KB

MD5
3137ba9b26658ece820c8c58083e28ca

SHA1
40eef8870f0da7a604a97e5b6042aeb0b3f02f1c

SHA256
91b3000cdbe4f3ed486ef873ea1d7f7fa15e7fa2dd599b79eb6601382b1d627e

SHA512
6ba22474a03e56079530d8da1e903a56e8d00db9b4f3e5d86304647869dcc3ac853924b942fa4ae5ea0b9d12d9eb41fd7df53408fc26eff59b772fe511d92d71

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
63KB

MD5
b6a7cf48cdd64d511852d6b91a592807

SHA1
3f3c596d4dcbdb73823a2c578e57a00f5399fc4e

SHA256
fc43e62705cd6c1ded32eb5e47b95e2431deae6300d543327f48722e2137f8a3

SHA512
221686468bd179ccdbebaf5d43f5642fd5046dba10ffbed4c15eaa36950409bbd2db3faedacd4ae3174e4ef3175fd6bda6a8b955e42139dcbd095659264ccab4

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
63KB

MD5
f9284e5a303c5ebcda7cb9435c1e1e43

SHA1
814d85749900db996b14e232600e35791c870760

SHA256
4174466b4d9f2342575d139cf10ff86ec2fb551a775698173ccb920ddb07f86c

SHA512
5f9ace49884f3b261d237e9b0e9e71da1fa5955aa8f4ef71a8803cb642a507016524b0ee286774dd046a4ba9538014890b8e04a39c2ee8f12d1215f93bd8f05b

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
63KB

MD5
47a6acc3f7633cecb23f6829aa424708

SHA1
c5cd0271a07d1cfb3dbcb28e5ba68746cba6a4f9

SHA256
20705096909be3f91e24b560e167da881aa9cccb4536afc6c6d605090bcc0515

SHA512
d2abdfde5abe2836c1ffe9b64aa3ce8a0832bd06fc62012a79eb03295eb47bded0924e4e75f012de9103da239fdae644c78c4fb7b0fb19bbb87dec9c0427c138

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
63KB

MD5
cc80314358428c06719e2a3783a9e79f

SHA1
f85f92f5f3ee0024ac0ba680787f2531d61a1708

SHA256
f6f1d19b4526a296c01effb734812d27dfd2f8da600e1763a731eb68c67796e8

SHA512
352d94886061a5e48638c3241c7a4019fcec83a0a745c0afd55ecc106506161089f892fea7560a261bc1606d6df9f79f5a3105a33e904b9cedab3657a8c55513

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
63KB

MD5
8a72d3c150e3f9ffcd8fb7eee82f7d15

SHA1
203061b9daab7810e4ecbe5bcb5b619b99eeeb44

SHA256
3a70e5002efdaa2b97d03357787831b02415ab887b9eb37d2b5c658f2344fcd8

SHA512
95cd958332ab7cf73ca5c8648348bb856617a8cc9e64df5092fdbd160cad61e4eede13c8ae5d930fda2603f8b8e05d568dc7d01a46911f754cbf6ef030e61ab3

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
63KB

MD5
0e7804277ff03a9e11ffff3762ace81b

SHA1
64aac9073a3a5a78ad323e2d2ef93d4b8960431f

SHA256
571c7bc5d5dea7067e83c6ab357e700d632b318677efe80a26e9e62b8c5cf1e4

SHA512
8f0d488bd59e243c1110c6d63118e5e9e40f453cc91e7fae294539c8da26db09556da063dc21bd75c480029bdbd7b6177bdf5f739f06b1222b9c4451fbd82578

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
63KB

MD5
2c57cbb672690a3775e1eaad571d50e5

SHA1
27528bec1b6f236b0931a292f0d151b3cbfa3098

SHA256
60923e8c69e44c5302d0914ec5752d2e43eff230c57996b863f66cff92c4634c

SHA512
3f2aa909f9b0a7612154879363f2cf3708284b43147f5df76833368bf8d300847874516bc5f603e6a7fc0c356f755fbffe8d0d8c04de0ed30c5360a6fe5eb11a

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
63KB

MD5
ba39d548509a037de61ead0d604dfe2b

SHA1
1c5b22915e0b4434ca801df9a64c0a5032ab6d17

SHA256
e1820fc9372a12baea0a0cacc5a4834cf58f31eea88fe9e8c522db3923bd5130

SHA512
03f972c4022fd4fd3c64af3d834df6b5328dfbb8c753da960452614a4f111f1f5df36d1e2d9554b2d4eb7a1af0d5592fe5942184cbdce116047d22b59c0bdeb5

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
63KB

MD5
8c8cdfcac39ca3205e29cbb464cee9a9

SHA1
67f94c89c562c439c82a60c25fcfc20aef525a4f

SHA256
3fd2165f1984728b706e43666e100e51f96a87edf627b89504bca04dd4767db6

SHA512
3eae64b6c20e5ea5f32c239f7244099c125401463f37e154cda9a38873bf6af9c93f87257e37aa72eb5174fafa920d09c783aeb636034056946fc704de159e81

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
63KB

MD5
5523bd0f07d3f97b681e3ec66b8beb62

SHA1
3aecd73ce3d15007e6aa889b9bd00e0805bb930f

SHA256
d274b5cc9b4279e9a3d3238097f7a542f54a2e781b5642173781af435f089bc0

SHA512
84ed109f8b5091c48b3b02b2d55aa76a06e30c2c20b536de47e399621a49c3fda8ed4516d195c7aa98d9ba46429ae485e412208c93c3f33f61029c5145a619be

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
63KB

MD5
17c38e528d19ff5fa91f20dd8c3bc280

SHA1
65a57a8bf2b4f07b3546ba02709dba8a0e0c1c9b

SHA256
cad91226208d2584ef28e9dabe4c0f60da3dce474cc34d5bc3a76f781a56a6fa

SHA512
d395d87efd6c3fae92fcbf68a71ff31a40b036c77184001ae91d94306ca3e297ac835f8ec4bc61f562b613f9265ae6ab81d77a40ca9338d6e672af7f14958248

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
63KB

MD5
ed322f35c2377ef73223d5d0cc95e30e

SHA1
7d091f3ea37cb094d87e5b95a27bf38108392a74

SHA256
645ae0960c65e23492a30d242bf7f3de20d8d0516acfa5d7f74edaa9dfd0b6bb

SHA512
56d13817a58bb1d2d06925d767edc4bbd354040a7cbd44335375aeac0c7be94027f8bb6f0b6bfc21a431da206c915e8a820ea8ce37b585cc05bc46e7e9ac7dc5

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
63KB

MD5
e71de4faa2180eb17bdd911c3e55c231

SHA1
0301bf21ff674e68d19adc2de907b1699ec8ff78

SHA256
6ee4286c2cf9352efc5c5da451cb16785a049ed72112551e4c244c88a14c8575

SHA512
05666a020cf42c7115770c67fb02e3ed45d32fd597e21dce3a950c15a80fa2218fd6f2b583d1da2b29d43bf82c54767ed457398096cabda66fca1af074fa0110

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
63KB

MD5
a22113637ba0405ec1f33f7f3def28a2

SHA1
d667224656983d9e5fbe5405bfd6bee1043fc105

SHA256
dc606b4bb7ddf3c0bbd16aedbdbf0169dc0868b11b093dc6e9adc7ec019fbcad

SHA512
f1f1eb13295af42ad0fb48b11c3433c55e8374a0cb8eba101708fcd88f239a1226cf5df4b0790d32a6aad7d9cc15c03a298254172c29c8b23a85c2786fc9472d

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
63KB

MD5
c66c1850ddf0300280ad6d45e420f8ab

SHA1
594d45a34c8dbf3cd4c298524ebd1be93bd3dba3

SHA256
f965f6a54f569e9f5182c2ce4b70bec884e8a5a22436ca2b697f758c5d4f0144

SHA512
d3b0aad0eca83b71f99121ae2c82c642eaa9fd93beb6061037deaf212c567d1f0f86a8d3ff12a76556220fc7af69bb28a893d4d20c5b61c0f4595c876a468d50

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
63KB

MD5
42865cd566980462ca58cb179cbc8820

SHA1
7995f8a4c343fc6369e73a70ae0f5020bd47f1e3

SHA256
ee4fb891cffb001652784826ef8aa6edb4ee7cc1dc3a5feead4da2a3cd54f836

SHA512
5c5281c2a348682631bf970c3fef1738bf265252b2a39d0e61ed7208406cc176a59c43f9ad4d63bbcce29cf1d085eeb4ea26fb3ed40958faccd17262371f272c

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
63KB

MD5
b6811758261e7db66067c1f2b81bb82e

SHA1
9d66f02c658bce45ad5cb1da73c951694d9d3167

SHA256
d5bd713a808b98b067dee2fe7ffd0b3b58941dbc6fb94071cdcdc5b0db678fbc

SHA512
df7aa2e65367531efeef9413c1965d9c7b1a054c9a0e2fbb66fbfce3b69c9d9d5ac2aeac146271e7c73a99dbf8ad6a4dfa569a3ec3fe89774247e922752e3178

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
63KB

MD5
48fe97298fa2085fab099b40539119da

SHA1
846c6d86bec6f5db47d3d86b2571ca8f52c262d3

SHA256
fb3c9308933c5c748db9f089b212785e8eb6e755d52fe601002aa1de1cff734d

SHA512
adb149aa73911b83f2d9d9d3a25f3fdaf975d2b8670b6002f8b34f81cbf464b10d00582334109dbfccfe3e5b38a184fdb758526dd416ea979022a121a014b875

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
63KB

MD5
7abfcd92d0569f55bc296d2c6694fe0c

SHA1
dd50b48e77dcc167e3e4db715577a52d77ca6c36

SHA256
59d8d27b983fc7ea41d2a3c7d57be55aa1b42666862c5a12ee383c659ce8e325

SHA512
93d02a6a594bdf4dc00e6521f8acdcb27c55b45d69114063d7e70fcd14908d57f12e0b50ced312cd78e3d8932bce04385da5228d8e888d9b000b6b3c888600cd

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
63KB

MD5
5cf7f4ac268ef20f7adbcbb7c3417f43

SHA1
7769bb54139ba54b166d333c3f67764424276e17

SHA256
ee859b16bc62aaac8f7bcec9dd47c9782e10a1812d537d255a16060e4fb36804

SHA512
15d3efdbd69a7349b45d108ea640146f5956dab47d476733ee4fd208e32c3de23d849a2994f1799aa476fa742ff753b88685b1ca2f97560ac883d34c99e8e354

Download Submit
memory/400-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/464-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/636-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/676-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/676-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/732-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/812-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1080-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1124-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1224-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1240-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1284-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1736-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/1940-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2816-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3208-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3224-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3352-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3556-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3560-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3672-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3728-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3836-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3916-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4076-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4088-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4164-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4252-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4668-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4696-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4776-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4784-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4824-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4852-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4916-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5260-1298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5704-1285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5764-1284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5876-1280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/6132-1303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads