berbew | 4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c

Analysis

max time kernel
96s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c.exe
Size

80KB
MD5

44e20f2ed8c8572ae4960f6aacdfc293
SHA1

60290bda3ce051c3e18655560db4c8492ff9e108
SHA256

4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c
SHA512

40818b72818e9324b265b3db9a92c5dfac877ab4eabbafdc697713a9dc77988dd8e1c9b82e180ee58cd70a528bc542b96001b3ae4862559925bbdf5818ebff36
SSDEEP

1536:0vkvT4mx6LDeIhZMoTRyABHCkii6g/2LlS5DUHRbPa9b6i+sIk:0cT4mkLdZTRXi7i6ZlS5DSCopsIk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3828	Lpqiemge.exe
4540	Lfkaag32.exe
3216	Lenamdem.exe
60	Llgjjnlj.exe
1208	Ldoaklml.exe
2716	Lepncd32.exe
4436	Likjcbkc.exe
4316	Ldanqkki.exe
1220	Lgokmgjm.exe
452	Lmiciaaj.exe
1352	Lphoelqn.exe
760	Mbfkbhpa.exe
1276	Medgncoe.exe
2372	Mpjlklok.exe
2964	Megdccmb.exe
1412	Mckemg32.exe
1028	Mmpijp32.exe
4712	Mcmabg32.exe
3120	Melnob32.exe
1496	Mlefklpj.exe
4376	Mcpnhfhf.exe
1924	Miifeq32.exe
4776	Mlhbal32.exe
2348	Ncbknfed.exe
1728	Nilcjp32.exe
2484	Npfkgjdn.exe
1436	Nebdoa32.exe
4596	Nlmllkja.exe
2600	Ndcdmikd.exe
3668	Neeqea32.exe
4684	Nloiakho.exe
4128	Ncianepl.exe
3188	Njciko32.exe
428	Nnneknob.exe
1072	Ndhmhh32.exe
4368	Nfjjppmm.exe
2896	Olcbmj32.exe
4876	Odkjng32.exe
4628	Oflgep32.exe
3428	Olfobjbg.exe
2936	Odmgcgbi.exe
2836	Ogkcpbam.exe
332	Ojjolnaq.exe
1856	Opdghh32.exe
3940	Ocbddc32.exe
3900	Ojllan32.exe
3208	Oqfdnhfk.exe
940	Ocdqjceo.exe
3136	Ogpmjb32.exe
1980	Onjegled.exe
1516	Oqhacgdh.exe
1016	Ogbipa32.exe
2156	Pnlaml32.exe
2020	Pqknig32.exe
1600	Pgefeajb.exe
2948	Pclgkb32.exe
2908	Pfjcgn32.exe
4312	Pnakhkol.exe
3288	Pdkcde32.exe
4120	Pflplnlg.exe
968	Pmfhig32.exe
2036	Pcppfaka.exe
5064	Pjjhbl32.exe
3404	Pmidog32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Lepncd32.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3704	6012	WerFault.exe	226

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 3828	2396	4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c.exe	82
PID 2396 wrote to memory of 3828	2396	4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c.exe	82
PID 2396 wrote to memory of 3828	2396	4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c.exe	82
PID 3828 wrote to memory of 4540	3828	Lpqiemge.exe	83
PID 3828 wrote to memory of 4540	3828	Lpqiemge.exe	83
PID 3828 wrote to memory of 4540	3828	Lpqiemge.exe	83
PID 4540 wrote to memory of 3216	4540	Lfkaag32.exe	84
PID 4540 wrote to memory of 3216	4540	Lfkaag32.exe	84
PID 4540 wrote to memory of 3216	4540	Lfkaag32.exe	84
PID 3216 wrote to memory of 60	3216	Lenamdem.exe	85
PID 3216 wrote to memory of 60	3216	Lenamdem.exe	85
PID 3216 wrote to memory of 60	3216	Lenamdem.exe	85
PID 60 wrote to memory of 1208	60	Llgjjnlj.exe	86
PID 60 wrote to memory of 1208	60	Llgjjnlj.exe	86
PID 60 wrote to memory of 1208	60	Llgjjnlj.exe	86
PID 1208 wrote to memory of 2716	1208	Ldoaklml.exe	87
PID 1208 wrote to memory of 2716	1208	Ldoaklml.exe	87
PID 1208 wrote to memory of 2716	1208	Ldoaklml.exe	87
PID 2716 wrote to memory of 4436	2716	Lepncd32.exe	88
PID 2716 wrote to memory of 4436	2716	Lepncd32.exe	88
PID 2716 wrote to memory of 4436	2716	Lepncd32.exe	88
PID 4436 wrote to memory of 4316	4436	Likjcbkc.exe	89
PID 4436 wrote to memory of 4316	4436	Likjcbkc.exe	89
PID 4436 wrote to memory of 4316	4436	Likjcbkc.exe	89
PID 4316 wrote to memory of 1220	4316	Ldanqkki.exe	90
PID 4316 wrote to memory of 1220	4316	Ldanqkki.exe	90
PID 4316 wrote to memory of 1220	4316	Ldanqkki.exe	90
PID 1220 wrote to memory of 452	1220	Lgokmgjm.exe	91
PID 1220 wrote to memory of 452	1220	Lgokmgjm.exe	91
PID 1220 wrote to memory of 452	1220	Lgokmgjm.exe	91
PID 452 wrote to memory of 1352	452	Lmiciaaj.exe	92
PID 452 wrote to memory of 1352	452	Lmiciaaj.exe	92
PID 452 wrote to memory of 1352	452	Lmiciaaj.exe	92
PID 1352 wrote to memory of 760	1352	Lphoelqn.exe	93
PID 1352 wrote to memory of 760	1352	Lphoelqn.exe	93
PID 1352 wrote to memory of 760	1352	Lphoelqn.exe	93
PID 760 wrote to memory of 1276	760	Mbfkbhpa.exe	94
PID 760 wrote to memory of 1276	760	Mbfkbhpa.exe	94
PID 760 wrote to memory of 1276	760	Mbfkbhpa.exe	94
PID 1276 wrote to memory of 2372	1276	Medgncoe.exe	95
PID 1276 wrote to memory of 2372	1276	Medgncoe.exe	95
PID 1276 wrote to memory of 2372	1276	Medgncoe.exe	95
PID 2372 wrote to memory of 2964	2372	Mpjlklok.exe	96
PID 2372 wrote to memory of 2964	2372	Mpjlklok.exe	96
PID 2372 wrote to memory of 2964	2372	Mpjlklok.exe	96
PID 2964 wrote to memory of 1412	2964	Megdccmb.exe	97
PID 2964 wrote to memory of 1412	2964	Megdccmb.exe	97
PID 2964 wrote to memory of 1412	2964	Megdccmb.exe	97
PID 1412 wrote to memory of 1028	1412	Mckemg32.exe	98
PID 1412 wrote to memory of 1028	1412	Mckemg32.exe	98
PID 1412 wrote to memory of 1028	1412	Mckemg32.exe	98
PID 1028 wrote to memory of 4712	1028	Mmpijp32.exe	99
PID 1028 wrote to memory of 4712	1028	Mmpijp32.exe	99
PID 1028 wrote to memory of 4712	1028	Mmpijp32.exe	99
PID 4712 wrote to memory of 3120	4712	Mcmabg32.exe	100
PID 4712 wrote to memory of 3120	4712	Mcmabg32.exe	100
PID 4712 wrote to memory of 3120	4712	Mcmabg32.exe	100
PID 3120 wrote to memory of 1496	3120	Melnob32.exe	101
PID 3120 wrote to memory of 1496	3120	Melnob32.exe	101
PID 3120 wrote to memory of 1496	3120	Melnob32.exe	101
PID 1496 wrote to memory of 4376	1496	Mlefklpj.exe	102
PID 1496 wrote to memory of 4376	1496	Mlefklpj.exe	102
PID 1496 wrote to memory of 4376	1496	Mlefklpj.exe	102
PID 4376 wrote to memory of 1924	4376	Mcpnhfhf.exe	103

C:\Users\Admin\AppData\Local\Temp\4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c.exe
"C:\Users\Admin\AppData\Local\Temp\4c037afd1b4e12cef63a24d91226ad401df7650dc5cbed32315662eed133037c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\Lpqiemge.exe
  C:\Windows\system32\Lpqiemge.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\Lfkaag32.exe
    C:\Windows\system32\Lfkaag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\Lenamdem.exe
      C:\Windows\system32\Lenamdem.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:60
      - C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        51⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        58⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        62⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        67⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        70⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        71⤵
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        72⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1064
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        76⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        79⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2576
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        85⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        86⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        89⤵
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        94⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4576
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4184
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2884
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2160
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        101⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        103⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        106⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3024
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        111⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        114⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        121⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        126⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        127⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        131⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        133⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        139⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        146⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6012 -s 212
        147⤵
        Program crash
        
        PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6012 -ip 6012
1⤵
PID:5124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
80KB

MD5
eb6072ed123224d8bdf38757a7b445fa

SHA1
0936eaffa9d9577dfc4cd79ee609a0cd70c66575

SHA256
0f000818662f3d845a00125cb5ce452da43f0b1d2fd5422ec838a40354068f82

SHA512
4637778d8dce8531b5a594a98156258ac90b4b8f7351a9ba41bc52f67521883b251f5dbfd18e202cc04470394597e5ee058db8635df27e5f23f40d761f392387

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
80KB

MD5
ce454e14f2a54a5478e15659ebdbb265

SHA1
be02f15f1fb02872bdc6ff688795b5ee0f9d88ed

SHA256
3af1a47ca63994080a2e8bd9f69cd31fc3cde1ffb8395c5bb910e85841582a9e

SHA512
7831e8c0507f54cac1d6c1bff59ca8202c31d6f61841ad39c82a3d1d7cc813101e305752e5523c240d15fe8adad00bf22ef71282ff4202391b4e5f3fe5275613

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
80KB

MD5
39868d6b458484071d9393887bb47c3d

SHA1
72dc5c97dc4787fda1c54f48d83f27a71224d269

SHA256
92b55e2b4b4c32dcb34fbaea1f11cc2d860671a9baae520e8644912f446a09af

SHA512
9ed4dafc97bffd869096cf0a49dfba39dbe9bb1d127a323264b98a91d1f7a270f4ddbf160caaab917b6d19fbf0b9b09f459279b252894966c33631fe61b54add

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
80KB

MD5
c816dac52e5556e74e1355cef62f598c

SHA1
584aa7d7bfbc2ffde196ebb24ef24315cf681cbb

SHA256
8d182c8905efede3f64d3bc4783edb41c01409fc9e0b5160cf635a6c12bf64f3

SHA512
02fef8bcd42f3c41ddbfce581cc1b51486a33b656885765961aa87d6abee6b8d58901583f79af7a412bfb2721d372be67d50da73bc092c1f291da646e1e02986

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
80KB

MD5
753794d20ca5e7c3e7cac3b4a11b2a6e

SHA1
bec02dbc12334a211efd897be98b956d2f508d3f

SHA256
382faccd3a76a1138368fa0a07575b6552320f1566bf43499bdbb98855bb3135

SHA512
8463c1faa1bd59dab472b613789b0a81248d188821fa17ee072ceed09481f76fabd30f7cb7fef5fee3cf7c934ef4325e836722b374b59c3373be3fc3e9fc06c5

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
80KB

MD5
98eb54cdf6df373ded688aa1b9da15df

SHA1
d8377da7a6baaa0afc8ef27c3bfaac11061f5635

SHA256
f84974b82d7e9096f7c78297c703f1811c7a604512dbb914fd8911da75461e72

SHA512
a8072145020626b54634519de3512f8a2d704fbfca057e63f72cdfd14c69c76910a160031a81351f944ee68fa089e8ca0806d50beac1abc302ee3aa0a5902a16

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
80KB

MD5
f62be8a400d2d778a459dfafb1388137

SHA1
9db264c9826b632e54b48d021258c6aa46454aaf

SHA256
e4be055df18433d511ece77ef8f86005db90275312289ec82775ef3fafa407f6

SHA512
1170b45bafe050360906fe730e7466d15bfc4bf2d7ce6e1285d7805682055c43a94d2623812b4f73c803af3ebc819d512419ec60e4bbe4efb02eb563c8d783b1

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
80KB

MD5
b7357637c5612e2f4432c05b1271c3b0

SHA1
d877f5d4524eabdcce7bfc9a5b4210ca2261431f

SHA256
157bc652ea99556e784228e19f9ef7db636fa8460ef8d2cda032f45383dac3e2

SHA512
75c1439ef7ae3a57c7ec6acc56ee243b9a21c7947129c817e02802c32343bcc0443131ce5970ae998fb32d1ca781c0ddf73ae074a507fc8638c38e46e4a238b8

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
80KB

MD5
a01e4012fef25d599481f9c193681943

SHA1
5e2eb7e1481385de2b805b624eabfc2dd494a84f

SHA256
e7c5677580ddec928494670f0f0e061bcb0e0cd26cc31f41e95a4b548bbb2955

SHA512
326954ddf881a499539a06f22321f4a9e30c00770f0f620a4ad2c2c1e0cf00cdb6c655196269b1184bf42ccd2d1d180d0d75947fd85f8efc840eac11e4aaacdb

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
80KB

MD5
0bc43e6f411a8ebb649a25f0d5fbb393

SHA1
a19f2a2cf9f809233ba73669cd1bd43234c3205c

SHA256
9aa25e0e7a1e0ae47fdb84bb3443c20d401cd9ff06faef3e9f768561d5ce80fa

SHA512
2bce6d61b5ea0fef6b3dece6b2f013b4c8a23f7e4cc8580b980ba000ab7fd3efb09e0796c690fd78014f5a03e77f3f7dffa8bfbc5e637c3da55d089583c17ce2

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
80KB

MD5
eed7fc3b42c9eff966372902f184c22e

SHA1
190a951c77d6fd80ab22b4a814f382587623df8d

SHA256
aa9f772fe51e40746b6eed0b55e81224f3526ea03dff1fa52bb91ab7f3b463cd

SHA512
8f131c27e9d3f71c3ee660148856e4543333d83599dc76820c48f0dba4f6388f9f41d3305b3c600dde67661bb6a77a58f342f466823417fe9fba811ca6fdcb10

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
80KB

MD5
0923adae4b1abc6aad0e701be22ada08

SHA1
5c5c728f02de7b65a28424fedfebe29437b1be52

SHA256
d87bd92c2599d1411a743672003f5c0b861f547563c03e601805cecda21b37ca

SHA512
172390255fdde9a8a8f35cf4d877775c0dd26266c7232f5278e918a0f1be65bb83f9259de6216d519df91a7cbf63a83b5e57369894a2189b18931894d3154bb8

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
80KB

MD5
077c54b29b94c3c7000ca305353ec0bb

SHA1
bb3c58a2b10354eaaed5ddb947f0db3d4cd1fd4f

SHA256
51133712997ceb742c24cbcf5e19d1ce49fe86f19bf447e4fc1266f10f945fc0

SHA512
13c22e40820279929e165a2ea65692115bbc73699d11645ad84690f4dc1a6689979885d240d8cf242816570c3b9bac0888b954400199302845df99355438c555

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
3b779b6868943459df2ab8f5e83a5720

SHA1
01c9e336659d00bd1fcfce15cd8ad15b1e5200e7

SHA256
20574510ee16df85cc4bd4a1aa4fb20a1a43edca137b2e006154361229557942

SHA512
81dba3cd69753d0eecc414ad26d98bb4cb11a5d598651c1b73d5a99e9d8e44400b43954e8e3e24eac6a019629c44a4f3711062f9cc0f5ac9d798d2c60d263019

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
80KB

MD5
4c7c89816046aac2d394b46beed96b4b

SHA1
ea602578a02fd128d27aae90e5b39804cb5a1844

SHA256
220c06be7236abceb86fd428ff2700dc3d9a529e526af493ff62980febd2c883

SHA512
eb86deac4a0637fdeab08a6976e010db504b65b5b4fa97231f3ed3a3d403a9605a3b3f17450143c191c645f5a29d61d38071ec2d8e5583aba0e82105f31c3183

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
80KB

MD5
e58e62aa1cfaa6783be1b9ba6b38099a

SHA1
1209359ee01418b9cb28c277fd3f58b02c4c268f

SHA256
aa40df5bb5e82c737977abecaeb19a68bd84be3540ae42781978f8d888e6a1e7

SHA512
1da9258c10c86bfd45a15a95474081129602d69737d329e3f5ac6b18dfce289c6e48b77f76da41281d467641dc406f8a59b0b6b59644446128b72f0f605f92e5

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
80KB

MD5
30ae79e1f6cbef86c6ec1cc749d204d6

SHA1
e472dee66437853f5fc6b5fe9f42858befb87d03

SHA256
93830212d1a2142b005420bbcb3b0307fe414bbffe6c6b5a94c8a5dc60474dd2

SHA512
ac0cb96c9d0548ce2a804725455906c7e597364aa8d7922945c35700f4924cb4aa1f091ed388908ce8e2b0682a451bdc18ec6227e8b2cf12998663d09d9d3466

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
80KB

MD5
d3998331f33d8edd8893c0d7acf03461

SHA1
4c591f46e93672f2d4028b5237a872b143c2286f

SHA256
d27d13b47bde7df58b1c52aae07f8cafdadbba88bce563db3448e9e62ed67c7b

SHA512
124ec2d52547f3bebabac1bd8a6d21ec6f0431dbe70ae9a26656e0bf445d7f7cefb929dd816cc0e2a8e34b2fed062638943a5750805742fdec22aac8090f9fab

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
80KB

MD5
f88e49ffc2176ec28ba515cf2de52b5b

SHA1
7c833a73a1112e2c7e4f44ff0c78907744d287eb

SHA256
06a05635bc8bb23be0a57ba0ea95e5dac7084604c6575d2785130a6b663b1673

SHA512
52e8383f9c7f755f4dc3d0eeef81866da5c2dc4ba1481040431a3ed6a503706ed1a3234cecf627c85e2def926c03fc1ea2c461a87baf68e5fc1b64deadfcd422

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
80KB

MD5
277817309159f1b79548cc678d27f469

SHA1
25152724292a2a38baca7a3e2f6cad831d9a109f

SHA256
d7378d87920cdbb282b6dc4e43e2bed5111d8c672fc08481e97f406fff74d448

SHA512
7a442284150db7e91751bca649fee5a497e97dfba9880c61ad6b62ad3950bf37c6ad19c9cd2c4b13f2eaebd4344ba1c7a135b8f0264f7cacc5ba17f95f0ec9a1

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
80KB

MD5
3dd7a7229520ebe25df694b12c422eb5

SHA1
2487533efa4079b69cb088e9933a3e6035a296ff

SHA256
48e59e07d27e55271a409da6ab710b09ffce41a6b48e9f11d028a3cdd92272b9

SHA512
d5bba75cc6a83133764169837aced91529ce4cfd4e096052722413d59c260765bcc08f2c845aa190b8387c5dd95c12930f79bafbd0b275d9a12c8bd47a03ca64

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
80KB

MD5
25b43de5a5165316a4e74134666164ae

SHA1
c291daba6fd4ff27f246837ea39dc6b1dc3f682f

SHA256
bc62893348bc1c9d649776e0ef5328d34a45df156f0cfd165efc186d5692e1ef

SHA512
c22d95524d90c5ae07592c8ba69a9b36f544921618752991ca7188badadb6bbab70d487e98e720b96ce8a8bbf2ff710f72325edfad18d85941da9a551c501248

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
80KB

MD5
87744696e746cd8ff88a4900ff563ce2

SHA1
2b0616b566bb394762ca1f182ae6dab031515336

SHA256
a2894ebc3b294b229e31ba4d8a08c6a4ede9712e43b203d984b277ac2e073432

SHA512
7896a651e410bbb2e90956f4bee263a854aeb4cc4aefcd106b64faf0b25dc58bf5cac2ae5aa5e24406aec7922b3ca21c7e1c94a30067c8725bfda585f088fa4d

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
80KB

MD5
86070f1e4a3df557266fa9a28b452e8a

SHA1
dfa982818cb5a0699ec319b30fb96e6517d3f81c

SHA256
949d99a5fcaacb8f56415dc3c084bfffef162441a5f9c466105e5574e25926b5

SHA512
1b4ed078ae62110d5074fbc429e365bf61cb3c1e18ba3eb46fc3111afa781dfc677f07a9547725a6ccabedfb6a93b7146fce914d09f7d59c554ef9f77c0db7d7

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
80KB

MD5
2d9f59f2c872709917ba31a180e4577f

SHA1
8f2ddfc380d1f5ff8914325ebf5d7ec42655ce2a

SHA256
197d43b680d9ae51c32308ebac31dcc69882406193d843741ca22df849b8c04a

SHA512
d2d103b23bc4f705882d09d7449062d30aee961e27d1eb43d00c9e6461ae71d113a81d49555ff36908c643da469691df4cee44cba38e954e19d4d5eca773f574

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
80KB

MD5
c26c809d783e6301003063be21769a99

SHA1
980f90a1b3d5014ac03372235cb37f75b63cc348

SHA256
ba7adc4ada17c4a776790d8d9ebbb4b921f5b045de4245dda134ec26f1376ba6

SHA512
d48f7271da813a4ec9cd1622db1a1ea22cfa360f4f87e0bc48df5dba5400b72a2711e69dc0422b04ba710e9520a5c890dd5a814464e5f8762849cfc733e3907c

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
80KB

MD5
959cb8bbe1ba7107384d00eb0b157abf

SHA1
9f57357e9e1afb6640c6b830e96b47af4a48b5ab

SHA256
c0431b523733e4e69dff396ed5f784a76c71d70cb6ae164fa4190030092b3464

SHA512
3023a2d5d96ff1f5fd701b6a72c58c23cd40f3d0902b6a430e8e77c65466d537b94cd1db9c9439894ac97922a8ec5a61edcf1716e6eb5a94bb56d9e1eedc4b09

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
80KB

MD5
20aa980cbf718f5e05a5b33bb6e29369

SHA1
3e9c2729bd5824a621aefe5b1b8090ee2bded848

SHA256
3c1988df8886ae3e1c4cce576e6d6122ebe08ee3d08cb153ec1807e37289166d

SHA512
01c925f7139bf579eb825aa4e0c191743ed67682fff0f219ac40675c71f23818123750f73da8442a387f06897d4293a6ce9e8fdcbc9caefe7d7563dc86bad3b6

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
80KB

MD5
07bbe5963e150f09ad07597afb852377

SHA1
74049abf7644daae4d6b0e5ccba35e31645bb372

SHA256
bd0c9e68c54a69bed61c05ba3a80a9791ed13b464cdb90e80f7a44625d56fa2b

SHA512
dc981f41c7845a12d0f99830a304bd6d00fceca334b040604cb42ba1e9270c4ef84b8bc9a40cff1a5906610c895fba71c6b845532c085268afce2b0818f9cb6b

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
80KB

MD5
6091677f85ed915775e15a89421285fd

SHA1
85b88c3b0acf3d153bb8cf7bc5088780ede57589

SHA256
3d58c759886007a6029dc855262ab40e69242a3f6de9257a449ad5c4cc27829f

SHA512
90692e1318cd3e8d9d7cf0b91949d68f34372948190273e6b1acf49f01f6bf9a659406169f89ec7182915f840270103a7ab1bead0e919d21e6ac545ffe6d43ca

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
80KB

MD5
c1b169a6566f3a8a53f67c52ae93748b

SHA1
fc3a3fc92455115fa1a2c56fa1d2400b131f0423

SHA256
a828cfdb82fe1a217eaee69399cd743331457c57c7cf39f49e45e21eb5385d74

SHA512
0c56a89b7fa093fb57af45a3862a6f898b071880c2074b3600ffc5e699d1fc6fdb7a43de723584954a1321399acee0f07a9b0c9447b48549867130dba81cac30

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
80KB

MD5
930c7847f95db97b4ace344780da60ec

SHA1
566e8fa70fd18d0b84966d263b099f9c8564718f

SHA256
c91de99b99ffcd31ab9c09f21d9c1d01d4e0ec3368c383ab2563637b7d03072c

SHA512
f637c7b76ca9eb4d448de5610542a0423539c036a368e09df8febf9d16ac21b6f6748e28ff1071a3ce903254280dacddfbaec437fa0e4c8bd382a8ffe2217aaa

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
80KB

MD5
97229a8f8226b2dd427f507425a4816c

SHA1
4f05650c5f4785bea84ae0dec79e25d9adb802fd

SHA256
7733d7ccbec5b4db27f46ead459c5a295860b59d2553a4985c0949f61ee227ae

SHA512
d2e61b3ad105622968f7ac07f10c07daf11ddca520a4d4f16f3f5dc67eb4783727890aa184835f9bc5caef6900c7c04b34150ea0cb112b0f871243e538d62a60

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
80KB

MD5
1f3812b7c41493d31d3d5b94e3de856b

SHA1
a5b4853fe4c7133a7dd8bf42a683e457047dd256

SHA256
35a43628b4bc5d041e024785a26807d98df0f5d2f9df4b873777258c4a40e275

SHA512
6e9c43f3634fa77f06afb3957e84b4abfb03d7fb443b983530d8c45cb654f349b7d034c5df243f12ae377c877ba8088e0cbabc86c348a0f43232e0b4df3c0561

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
80KB

MD5
6cf76db27127788b862371fc928afc27

SHA1
a34b0e7a737b1ed36fcfb334dd2b5c739f057508

SHA256
c2826ae83cc8c9da3b52062fa379ad72c639b1d70734bdbde094d93057c2bfea

SHA512
a61e12018ed1095e521ab79aeb7734cfe7ca53418aa908190b316fd2f861beeea8f9e347eaf5f011775496bf99568d5400072cacee0c91e031a836486c56fc37

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
80KB

MD5
7ca5e2b38cb7b20ae617499bf65eaef9

SHA1
3a896bfaf29408a8a598f7caf6698ae4d355d40b

SHA256
5f7636c288820e500bc866b476599bf07ef0b69a6f6ca9fa4bccfe7b4c74cbb3

SHA512
457cd3bb065217c86a1e9539175e683bf86bb2474dfd82158ca49aa454a1282c04e6f85d679d7335c03664dea7703ed52a8e43cbb2e9423324650dd08c284aa9

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
80KB

MD5
69e92cea86df52f9434c9c2cec18304c

SHA1
005fb3d0982f8ceb88e9c63d619bba87b86e9e50

SHA256
e696f5df36ce1aa46e8809965a33a095d9ea2dbedcaf857bc4cd32a00808faba

SHA512
36dd57783437a22f47e6028b4f45bb3dea62525abe86cad547a11201ea9f6a1db00e1cd5c70fc07853c637dfd4e864d98f00f85e50dcc3c429da286eb9389201

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
80KB

MD5
d11ff1e539377a032d20521e16068ea5

SHA1
17654efae5c1267c8964e47ddf1654af915a3053

SHA256
9c2181f28a47872e9abb73ff8e4c24829139259bf9cfd9ef3cd1d0936dc76664

SHA512
2d2c18444bcad16298396a8b5039848a647b3fe2e04c83dda04ff1cf77784ff1b9197092bc8da62225b51b3d0f075d3691d3ad6d017c4b76097e2d6db65ceaa4

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
80KB

MD5
e71fa6d5901a37ea6f26b27781c0386a

SHA1
becb762d0c2a9171ef7a3d0d9c9641d92ce235f1

SHA256
a285145c390d41e7014c8d39998219cf04e6c2ece074a8ade3fedb3a49c00632

SHA512
a6bb0c9bf97cf68e2bc48e45959369427ed249a5adac3959660f8d9093dafc89e4e47a34f8e59d47804c9975bbb8188f9bebf82c4cb32a7daddfb9059b7a53d7

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
80KB

MD5
451154466941e4d40c61261ef19cc3b5

SHA1
f5dde76596d85db7cdbd600365a401835f035837

SHA256
ca959c12331410506377b68bfff1feae041fd4fbc4c5684303e053bc247e6e50

SHA512
a5d4881941b89137564af1d17b6b26c1ecf8a233dabbbec62ef6b23449093c2119eb66e249587dead321901382c689184f726c56452e93596c67deb2c966d713

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
80KB

MD5
9856241a9dbb1d1c4ba3568c5f93a224

SHA1
02fac619b077356130566167e1cd938dfab58c7c

SHA256
fd8f2d9b06b176a68b570d4516202daede4173358c130b105078f5d6e7a3a37e

SHA512
ddd8c90f58af5b192526dc57694c0b2b45c16d16bdcd8788e501c23ae67bee0e5ed2dbb4d9dee1cfac4b9d6a159accf1944d04dc1e1adcc48762f5273be015b9

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
80KB

MD5
0550276e59ee6fa78ff0c7c962597034

SHA1
b51ba2c388e7eb03662efc7b8e6b659fdf081fd5

SHA256
5067d532b35778ca83fc3d958c6aa96bf6106665140dcb9c55eec4f53ab675e1

SHA512
7f0ef0ffc4071703911e76f5d7597ab9f7d013abeeb57a4dced3231dd5cd6bbdebd4402993bdffc478c4c4d73b944b8e89f99812b32c253e8c00ec3822573839

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
80KB

MD5
ed46a424d9f6132062319326090bd752

SHA1
6acd0aefcda61b5700328fcc94b0d0d82438fcb6

SHA256
74475e406381f55ad380671d1a146e9da0ec4ca8c70376098e4e96fdac80d8ab

SHA512
65d7c84262f0505ddfac5c6225c3c0a510b23d0cfe3482825ab81246abc70e78e9f36329113e107bc1fb326903461e6997659009ca46b63c20f77effbedbe2cd

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
80KB

MD5
7385224e5b5d6860f8a998938f65c9ea

SHA1
74008c5a2dade1727ba7d6c13215bbc1ae8dbfa6

SHA256
c3bf5b934e7c0c02308af5a7bf3e54699f371c9398f250c470a3106c7e409a56

SHA512
8825d7b7e89f867f1668af628cc1344d5b73f3c29de1bd694b7973ee05341fe39de207b279179cf7211bd63ed74e514f0d10cd714138a11814b5618a7faf475a

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
80KB

MD5
8d99f4757ae2d4ca9804e977b2148930

SHA1
61fd53f37105eac34d5dd38a21a7e23b9ad3f301

SHA256
59f3f122047902be80b5aca3ac0f65924441f409e1c91c887d06df8cda41538e

SHA512
630055a1bb7e543192e909417e7825d529ce3e55c44815024bc10dd75fa975c2e43abf53cb688f7af2baf64d1df438c6dba95de0c7349f143270d06efc8af08a

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
80KB

MD5
49b069e55ab69bdd83ae15a9fe1427f5

SHA1
b91505f9ca1c2bea507df73472deacc08b04ae1e

SHA256
ddb65e9fa7fefd600c02a910d5e5e6bb0f59f3c5025c10931d869bf39b1b5a68

SHA512
0aa6a5e1a0aebeee1060a631c5319f98ac5fcc5ad26d0f3a6de81b454d5f0e7ff87a8c6282907fc36133ffd035dff4a6c172cd4f9f5ac932600d5f6c58d00c26

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
80KB

MD5
a692721fa755b96690b7f6d3450f6315

SHA1
211519e6c6fa89f6bdc675baeee05ecb6927f290

SHA256
d3c5f0bad6e0eecf8a8e816f8b2251ce70c1f1509632b2fa92d24cbccb45f814

SHA512
52a12d547758fd94ef37765771a92e5ba2b4e5a332509a102eb45cf9cc7f4f10cabf6988b17da362840f1241e23936cbc0c8ea98f530a73cb343740e1bfb8fe3

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
80KB

MD5
610ac7511431b0580765bead1cfa2657

SHA1
2d89b5203bcf138e729d71deaf5ae69279401db2

SHA256
f672cc4dd8f4bd94ecb347a5169de891a2e879581aee32a6bd7333d76ec28e03

SHA512
9e338641ff0de976cfe76c228413796906ee94eaef3b769777d55333b5a8f622635227661dd15a13d170747afb4d655c0b72d6f2ab7e0578be042da97ea33cd8

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
80KB

MD5
3f43e6a6987262946d149f1e62ea46b2

SHA1
c95f30de25db5f69ae18cc32c8c307e84d8451b6

SHA256
42a2d16eb85ba06ff3372ca4cc70cea19d2e0471387b846c1e6507614e721b85

SHA512
2fd12508618d2c71545ae119dba923e9d896db410fdd0484fc4d860252e34ebb18b298e34cdf68dcb285f10ff4a87448d6670931c0fc8fcd0e5466ddc0699d8f

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
80KB

MD5
2e14862244175894d5cea75358fdce56

SHA1
2088a7c65fc3cdd214dd9b80c9b2b7b8338638f4

SHA256
006658e9e8ca442faa25b5cb77d4769660bb42ce55a0431054fbcea10164572a

SHA512
3ccad7b340336d878e29a62cb58492e3b80ac5b4a92f7373a276c3d6238e6553eff5456be8748bccd9088f702fa17c5d785fb12c3e6013a9b52e3f9754ab4d5e

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
80KB

MD5
21c7cee8d46a15d95eec5d12acfed5ef

SHA1
491e2f83480e0f2e3f1b214e6a44ae53c3efeea8

SHA256
59941c203cc14ca24d4019102ae7edaf745b90034e2668ad88daa3cdccc683c0

SHA512
0ae7cd5a4d39f25543bfc7932aa0ab1e043d83fbc1c6db0c7298e7c6e4af74dd9fbe2052b55d1518d8437717c6a3d5329abaf48b5273b22a02acbf3d5c22a0fd

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
80KB

MD5
6df2e6b564449910f24eb576b61910c5

SHA1
c38a01770835ec2518e8bb10f3e9c77d55b6f7c8

SHA256
b121db8a9ac7d9b6eec2fc7078bf9fe3fe38d242f852e56ff796aed8841acf19

SHA512
22b2a1aa4aef1445f71dc99dbff7400f43c6c6817cf685892c1c20d83e0f4c2bec7f12cb3dfaa881ac34b1102651df5361cae088fd1a30d6b20525e4f4d8b07f

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
80KB

MD5
fbdc31417e6f56019099cf78b10f61b3

SHA1
11d6e96a421efe29d33a313c447a011da805732e

SHA256
1c39efffcd4337d9f19bfab71ff57d55fb7cbc4a15b7273fdf4d7aa3046c5333

SHA512
7b7cb6490afad2a6295ab0c15507160aee0fd2aec535d849bc5396556b14bb3ad21451b464fb709878a0663ef91c14837a43328d7139f78e90ea83a874b1fd5e

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
80KB

MD5
955961ccfd101fadb220183e1f1bcd78

SHA1
d251def5bc7ceefb2c4c595a88d3f98b7a0c987b

SHA256
b5c3e19c3a5f85ca839303ef3350a852c20066eacbfe7d73e83566d524d0e80a

SHA512
8480cac1b403b2ba925b85a26c96593212b0c6f47ebf97a950b884b7f41abb379584fb126d75b092782962a8af8851a19c1d71c3f149a84287a3f6b512e5542b

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
80KB

MD5
7cf96d78844f21592ae08ab4cd63e431

SHA1
c7ca18c773fafc766e33f942f76af747a86487e0

SHA256
b7ab312c868a410056a70168440cc3ff23e944564c21f872429bfa9c2303fe3e

SHA512
c3b58f6194956eb3be9a0f5e9538f43dfec47d5c446dffc7d9a969d87ba4a6344a03fd7fca0d9fdeafdf5c4952a63c6c00b7071f1be57fc86426314686808bbb

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
80KB

MD5
be53cd2847e6d4008bcf9f483abd85d2

SHA1
f4a3425c45638bb2e038729f08db833feb711d64

SHA256
6cda862ea56a1b0c6e4c6a41ad827438a31f843449ebf8eb73e7043ebd3cd1cc

SHA512
69a601b9da66b77813cab04d9a91ea0646f894dca5a33222cb9afa8d77e01b35f07e0282c754d8ecdc6830bd68d28641170dc32eaeac7a8f3fda8ea861effae6

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
80KB

MD5
f91137422423e89df22ae7431873029d

SHA1
daac945567a1f48a9b227e254553c86b0c55df3f

SHA256
eb50a5bfd23974b68f7957ab9e951aa9b678bcec1289467db203fb2b6f8f503c

SHA512
43509c12feed32b7b017efd37594f5cc67173e79c3347885d0832268d9723d9c8dcad90168df09bbf26152777c25a6f2d8c69dd617eadd714b2060ed1ff1290f

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
80KB

MD5
e5e692886d04d57a7d41a9cc493b5d8a

SHA1
bee29fb8f9a9be9f57c8a36691779bfe5a43b23e

SHA256
c8d8a3134ac5d7be64ecdd195adcbb64f787913620b594558e0a79d05dc05d44

SHA512
21d4c60430b640163d08be3684d139162bd9223d8a514ef306f35b16a380154bab093c7894ce28bc7c899c04e778dd5824c797eff28156adb73d222e3b3cee3e

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
d594d674507b1d791a19c97bd61070fa

SHA1
ae8a368a2f81600c37b39125e6693ab6c0c7a9e6

SHA256
f00986734a622322cd61401a7fbc2e828f10465cb85510072ac4178deb613ae6

SHA512
b1ff11a456b98c82098e0db8eae2ff756fbf8857537c6350d7d2de6bbe720321795969ecb4ec2bf1e19eeb5f05d83d2e3175594cb95b100e041dd1aaad05629b

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
80KB

MD5
f54a4a226f75ebfcdd0dbf58474f73a1

SHA1
87b469889b183682bad601311f73c2f6bd585d4c

SHA256
bb4dbfbfeea8c5888c0cc90048a9031eea67a43e8493cd9123a1b811f17155d7

SHA512
00f523dcdc7b47f0c6bacc5f50d103e8559a658144ee3ccc006dff325c6bc40d85e7df70fa8fb1948a6f3a9debeee40d30300be468283ce54ec6bf7a58d9e70f

Download Submit
memory/60-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/60-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/224-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/332-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/428-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/940-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1028-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1072-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1208-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1208-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1220-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1412-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1444-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1496-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1516-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1600-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1704-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2036-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2396-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2628-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3136-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3188-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3192-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3216-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3216-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3288-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3404-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3428-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3716-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3900-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4128-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4596-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4628-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4988-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads