berbew | 574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801a

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801aN.exe
Size

74KB
MD5

6a379fd30d4f93c3b837ccd26fcce370
SHA1

3e4025f627e04547487961c13cea6881021f43d9
SHA256

574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801a
SHA512

295941bd7316f4a8ae4943a6d3f6f9dbe06845906d059e72912b26a97707247d2d32b0a2dc83ddbe8a8949489883033a5da124fa8eb5e6ed22c43aec66c0203d
SSDEEP

1536:NGtAhm1+Zds17i/4RBb5i+3nROnu/YCk93Cye3unujS4y5:EtAQ1+Zdsdiw5i+3nROnht93Cye3unJ9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4632	Ligqhc32.exe
4264	Llemdo32.exe
4876	Ldleel32.exe
4988	Lfkaag32.exe
4164	Liimncmf.exe
2752	Lpcfkm32.exe
2936	Lbabgh32.exe
3640	Lepncd32.exe
1932	Lljfpnjg.exe
4000	Lbdolh32.exe
2228	Lingibiq.exe
2708	Lllcen32.exe
3204	Mdckfk32.exe
4256	Mgagbf32.exe
3032	Mipcob32.exe
700	Mpjlklok.exe
3340	Mgddhf32.exe
4400	Mlampmdo.exe
2824	Meiaib32.exe
4752	Mlcifmbl.exe
4468	Mgimcebb.exe
4796	Mpablkhc.exe
2108	Miifeq32.exe
3800	Npcoakfp.exe
3472	Ncbknfed.exe
4668	Nepgjaeg.exe
2644	Nljofl32.exe
3316	Npfkgjdn.exe
3044	Ngpccdlj.exe
3112	Njnpppkn.exe
4072	Nlmllkja.exe
4248	Ndcdmikd.exe
920	Ngbpidjh.exe
2956	Neeqea32.exe
4524	Ndfqbhia.exe
3176	Ncianepl.exe
4788	Njciko32.exe
2576	Ndhmhh32.exe
2224	Nggjdc32.exe
3552	Njefqo32.exe
3716	Odkjng32.exe
1460	Ojgbfocc.exe
4200	Opakbi32.exe
792	Ocpgod32.exe
3484	Ofnckp32.exe
4048	Olhlhjpd.exe
4040	Ocbddc32.exe
4024	Ofqpqo32.exe
3440	Ojllan32.exe
4836	Olkhmi32.exe
3120	Odapnf32.exe
1976	Ofcmfodb.exe
1924	Ojoign32.exe
2072	Oqhacgdh.exe
396	Oddmdf32.exe
4008	Ogbipa32.exe
2080	Pnlaml32.exe
3056	Pdfjifjo.exe
2884	Pcijeb32.exe
2268	Pdifoehl.exe
880	Pclgkb32.exe
5100	Pfjcgn32.exe
2332	Pqpgdfnp.exe
3216	Pgioqq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801aN.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5308	5932	WerFault.exe	232

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benlnbhb.dll"	574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpablkhc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4632	2416	574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801aN.exe	82
PID 2416 wrote to memory of 4632	2416	574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801aN.exe	82
PID 2416 wrote to memory of 4632	2416	574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801aN.exe	82
PID 4632 wrote to memory of 4264	4632	Ligqhc32.exe	83
PID 4632 wrote to memory of 4264	4632	Ligqhc32.exe	83
PID 4632 wrote to memory of 4264	4632	Ligqhc32.exe	83
PID 4264 wrote to memory of 4876	4264	Llemdo32.exe	84
PID 4264 wrote to memory of 4876	4264	Llemdo32.exe	84
PID 4264 wrote to memory of 4876	4264	Llemdo32.exe	84
PID 4876 wrote to memory of 4988	4876	Ldleel32.exe	85
PID 4876 wrote to memory of 4988	4876	Ldleel32.exe	85
PID 4876 wrote to memory of 4988	4876	Ldleel32.exe	85
PID 4988 wrote to memory of 4164	4988	Lfkaag32.exe	86
PID 4988 wrote to memory of 4164	4988	Lfkaag32.exe	86
PID 4988 wrote to memory of 4164	4988	Lfkaag32.exe	86
PID 4164 wrote to memory of 2752	4164	Liimncmf.exe	87
PID 4164 wrote to memory of 2752	4164	Liimncmf.exe	87
PID 4164 wrote to memory of 2752	4164	Liimncmf.exe	87
PID 2752 wrote to memory of 2936	2752	Lpcfkm32.exe	88
PID 2752 wrote to memory of 2936	2752	Lpcfkm32.exe	88
PID 2752 wrote to memory of 2936	2752	Lpcfkm32.exe	88
PID 2936 wrote to memory of 3640	2936	Lbabgh32.exe	89
PID 2936 wrote to memory of 3640	2936	Lbabgh32.exe	89
PID 2936 wrote to memory of 3640	2936	Lbabgh32.exe	89
PID 3640 wrote to memory of 1932	3640	Lepncd32.exe	90
PID 3640 wrote to memory of 1932	3640	Lepncd32.exe	90
PID 3640 wrote to memory of 1932	3640	Lepncd32.exe	90
PID 1932 wrote to memory of 4000	1932	Lljfpnjg.exe	91
PID 1932 wrote to memory of 4000	1932	Lljfpnjg.exe	91
PID 1932 wrote to memory of 4000	1932	Lljfpnjg.exe	91
PID 4000 wrote to memory of 2228	4000	Lbdolh32.exe	92
PID 4000 wrote to memory of 2228	4000	Lbdolh32.exe	92
PID 4000 wrote to memory of 2228	4000	Lbdolh32.exe	92
PID 2228 wrote to memory of 2708	2228	Lingibiq.exe	93
PID 2228 wrote to memory of 2708	2228	Lingibiq.exe	93
PID 2228 wrote to memory of 2708	2228	Lingibiq.exe	93
PID 2708 wrote to memory of 3204	2708	Lllcen32.exe	94
PID 2708 wrote to memory of 3204	2708	Lllcen32.exe	94
PID 2708 wrote to memory of 3204	2708	Lllcen32.exe	94
PID 3204 wrote to memory of 4256	3204	Mdckfk32.exe	95
PID 3204 wrote to memory of 4256	3204	Mdckfk32.exe	95
PID 3204 wrote to memory of 4256	3204	Mdckfk32.exe	95
PID 4256 wrote to memory of 3032	4256	Mgagbf32.exe	96
PID 4256 wrote to memory of 3032	4256	Mgagbf32.exe	96
PID 4256 wrote to memory of 3032	4256	Mgagbf32.exe	96
PID 3032 wrote to memory of 700	3032	Mipcob32.exe	97
PID 3032 wrote to memory of 700	3032	Mipcob32.exe	97
PID 3032 wrote to memory of 700	3032	Mipcob32.exe	97
PID 700 wrote to memory of 3340	700	Mpjlklok.exe	98
PID 700 wrote to memory of 3340	700	Mpjlklok.exe	98
PID 700 wrote to memory of 3340	700	Mpjlklok.exe	98
PID 3340 wrote to memory of 4400	3340	Mgddhf32.exe	99
PID 3340 wrote to memory of 4400	3340	Mgddhf32.exe	99
PID 3340 wrote to memory of 4400	3340	Mgddhf32.exe	99
PID 4400 wrote to memory of 2824	4400	Mlampmdo.exe	100
PID 4400 wrote to memory of 2824	4400	Mlampmdo.exe	100
PID 4400 wrote to memory of 2824	4400	Mlampmdo.exe	100
PID 2824 wrote to memory of 4752	2824	Meiaib32.exe	101
PID 2824 wrote to memory of 4752	2824	Meiaib32.exe	101
PID 2824 wrote to memory of 4752	2824	Meiaib32.exe	101
PID 4752 wrote to memory of 4468	4752	Mlcifmbl.exe	102
PID 4752 wrote to memory of 4468	4752	Mlcifmbl.exe	102
PID 4752 wrote to memory of 4468	4752	Mlcifmbl.exe	102
PID 4468 wrote to memory of 4796	4468	Mgimcebb.exe	103

C:\Users\Admin\AppData\Local\Temp\574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801aN.exe
"C:\Users\Admin\AppData\Local\Temp\574f311b7ddbe89ef3365f301cd03c6deedc2a67448258c01a4ebd8fa9c8801aN.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\Ligqhc32.exe
  C:\Windows\system32\Ligqhc32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\Llemdo32.exe
    C:\Windows\system32\Llemdo32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\Ldleel32.exe
      C:\Windows\system32\Ldleel32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        25⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        27⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        28⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        33⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        37⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        38⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        46⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        48⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        56⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        60⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        65⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        69⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        71⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        73⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        77⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        80⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        86⤵
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        89⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        91⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        92⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        94⤵
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        95⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        104⤵
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        105⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        107⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        115⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        119⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        121⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        125⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        129⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        133⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        136⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        137⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        139⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        141⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        143⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        152⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 220
        153⤵
        Program crash
        
        PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5932 -ip 5932
1⤵
PID:5216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
74KB

MD5
7a98af67738e8d1055f4f9d1ff0736b4

SHA1
9b8f3206f3425df5a14f510ebe3dd2b03a1fb7e9

SHA256
2fa5595c5e2a7944aa119bf736cf5bf44b29b60ebf0f6c5267d8c7591084e2df

SHA512
cadbddc736891acdc22ae292499366fc082ae681c0bb066035c30e3b692c4b82a0700e392f8505d53d4132a0d9e5852e004f3ff93ac0135a7a7c41e9ecd17165

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
74KB

MD5
faaa333059869c8a731e73a1801346fe

SHA1
60b4b5f272a3fcad2641195b22013d65d8ff5b74

SHA256
bfb72c1a1aae4bb578e7caadb3293d1153668bb573b541610a15580a99f095eb

SHA512
70fa65c3c3e312f257018a3e182de9f84ee65181bc798adb50a2c0f0dd7ba06fc226d2c6de74bfc15a5c82864149958f015e2b1b32b8befe26882f38479d293b

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
74KB

MD5
3e2886efd0c9a683a766d2f4e602504e

SHA1
7b5911ec39d671400610742b1bbc4ac6c1babf29

SHA256
29ed6577893ed3e6232e4fc688d103b20d62ae4e57593c93183044515f5949b6

SHA512
0ad469e119398affc1a2f32872b875517d7ca710ca816c9f9f861b71eca3485ccf8d13dfdefbc6f43786911c8390782068d6e0e7eb5702113f0b5804e27bb7bf

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
74KB

MD5
7b37e2b1bee68f660f9bb1e797e6d797

SHA1
bc65445474c3c9f18a07d3814fe5d860191e0e2b

SHA256
d9f9e0323ceb8b7f75e49b8f565c9f21f9683dac372699a8710c66f22ace6725

SHA512
536b5ef9fffc4021219fe47045014fc6a725f78626db42c5f3c2f96f5c25c5f08ba19ffb444c76b5475191386165db1c5a41043473e4f61797e986c18951435c

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
74KB

MD5
43090458492229d98a0afc91f141f5fc

SHA1
edd0e7ea808c296fc6fd985249c1280ad8da6459

SHA256
8b4216732e4806f796713684cc2cfaac2c0e3b73fd3eb5e6c04b1ee5123d9ea4

SHA512
8b20883fd6df644ad4bad4ca4c893b4405fd92c4411e058049bec6211367bb56118661ffb97a550d8293135eb96e0f4e16858e0f9ab10adb02d78be6e04370ac

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
74KB

MD5
6264a1fbeff9395579b4ffe2bf438af3

SHA1
ee8f9fc688548f8d997009d6f641a7b7dd9b8acb

SHA256
6a0b8a7e3574220e08aec203015eeaeaea48e2e2d0f793f57ffb45728a7a8ac5

SHA512
64784a1953824225321e465d9792218f2a427108bb3432d5ea287876cfabcf2c82bd741ca77d47f2f757158753933f04be8497b9553826a752b20ce7d9dfcef1

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
74KB

MD5
4ff07a6c205d0f5edebcc6db6992b62f

SHA1
3082d951ec86de4e00143018a3a275b5a5f84c3a

SHA256
b99ccbd3f5cc9c8568cfd79f400103c07185ded977984a6a360f8cb8ba6c2aaa

SHA512
5a67b3c02ff54eeecf3f917a896f1be6dbb66bdae3b8d97a31fc8f8eea245c5566682514446c5e37e9debecdf53840a9c72944f1287fc82ac67567a38fbd4384

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
74KB

MD5
4c78e177aec073109935d40eed87e5fc

SHA1
79056273945ac7a37772b57780d02e278596a3a2

SHA256
66b0dd50c969377c777ca6feb47e3b95cf3eb49ebc4ba22b40f3c0589694e077

SHA512
4902dcfe65e41f61bd4e67c283e6d6a5483c87c828fffd8c628d76c1c6a4f3be77ea11fd826123af0fc9ca510253ea2af4d5a1e051b58221bebad43205615c2b

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
74KB

MD5
b2f03a22c20f6b6d5bbbe0fbbd65856c

SHA1
d3e69677b47ac3f81663e3903ee15d50f24256ac

SHA256
a8f770051fa08a98cc107859decce00ee7322b494b97a6298ffd3e52933dba9a

SHA512
1a7d150e069ef9d736c09a3c8e90a50454270851869a1c37d8c0cf38cd5e405589044e3c542722113e7e1429e29e69d08ca33d10042456b97753cb41f75e2c05

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
74KB

MD5
b137e5cfe18aaa66555f6f6886b8fe8b

SHA1
3642d9ab2705ce347f878774da2c405f8a5fad14

SHA256
9e73affcaa603ce37cd61b8cbbe2941490c0dbfff241566f3815937a13414823

SHA512
43de038606b691e89aa994ad1eece499318daea225a576a2ab96180a9ac06a8da8f55971bec5976345394890c47e0376f9dafce9a9f74d0dbab8a6c1f63a6e7d

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
74KB

MD5
b3ee4033294e2c7db65d03766c767652

SHA1
f7d4a00e610ff2d71bd44df04f6ed80a5a200978

SHA256
1fc44a09048dee8a46530c8363148cf9f564366a9048863ddc02d950315ccea3

SHA512
b6e051edd219446652f28a9fb4f3a32986767bc49083c1d2cc4f9e4e443e61c08c1d9915c869c5b0ae127575868523bde8d812b803f7281a19150b8fc1383270

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
74KB

MD5
721f992ed472043cba3da85d26c24a7c

SHA1
f71fc68e77dc5c2b26b55d49ea9f3c9d77ba56cd

SHA256
acdbb07ca8db4b1d8ac194f9233c3361e7d58a98e26eaf7a142b0276ac1891eb

SHA512
9c784052ff347d8c840c950577e2ce8df3a97cd215db3c07de9dc5cb826a042f7066236ccebc352d293fcf7dbefe2489b288c9442c55b99f0591a0f530d9cf2f

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
74KB

MD5
c77921d12eff2bf9a609d962370842c5

SHA1
964d0280d11d87d023e904d9bc46f010ff09ee17

SHA256
c9a5015b270b6fa72b77899cf0ce8cb194b2bc71162702ef3b243b115d5893db

SHA512
31344031a1554ca867ce1f905535bc9b64204644fa4b93213961fa00681a2a87855df02270e8f065a0dfa99f4db9fcd0a9ae013fd1a3d9796a57fe3030fe15c3

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
74KB

MD5
69d5842c54c3fcfee59b424ac1da7a21

SHA1
482bd0918984b87e92b732dabd453714f1b49a20

SHA256
7399d348db2c86c573800148394149281067fc81edf2cd23a590f295a0d0b652

SHA512
fe1e714c829048a4f02124ae2aea1aebd59c697b5d8cd3c90fa1e009f6cbf47876d9c064f4d9aad46dc7aedf6d2d6213fdabbca83238fa2effe320809fc696a8

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
74KB

MD5
4ce4b43e6f584aebd6a497a7d4e4b4b7

SHA1
7495907a9b00e65ef2403df03bc1cba55db434eb

SHA256
14cfb62efe05447ef843aea43ba3e13b27632925c7293f168e8ff4813e262f3b

SHA512
2101145024f216eb2b445ad315a38d6cb10262db6079217ac766269d067acf0d938505740587c76b291489e4c98d638138786c990261253a222733ab4672ed92

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
74KB

MD5
1f95c598bc5a03d265b06a29e030a2df

SHA1
a37d855763f58634b98c90f131a09f569a6492ca

SHA256
d4c0516b8df3efc1605df36ae2e8bea3065d795e36b101a204223315f685900e

SHA512
f19a2e0815247caf13274e41d6bd713bc8408a650c9f2d8f1307dabe905fce419044304aa8082449366ad5684dbcc4a0ea20fe129463c1e14497d85b1c97dd11

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
74KB

MD5
0fb0129be87214a3bfad82195795f5ad

SHA1
6f309b23fa2efaee54bb75bd4d7027e8ba013857

SHA256
1099ae463530d0321729dd61e9915cc02a9be4271ed1e778f1f69e7dc68afde5

SHA512
774470ea09b00795cf71dc99a30db8f50c12830f9f42a85469956ae53962a91865498ca670dd8c09317d0330a8382edfe703db36957c45eb782b8e348e5f2160

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
de653209ecf7fd381c3bcfe3498bf265

SHA1
2c74a06047a6336a979394a9be34101f7807250a

SHA256
9929e776c983dfdcc77f8b1ce50b94c1481baf15d12c174888c5702ede927169

SHA512
cfd492ffd7922ab6f956c302b5e58e17f137d3bcb797defb5cc6cf519291d69cce2ce7c9a0baf6f4d9ea53224547882c984df7e2876e69f30110bda9386858a7

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
74KB

MD5
5a28cb8cff4f053cf4ce7f7884750e59

SHA1
2d54677411ae587fad52f021082770680df77f4a

SHA256
861ce13e44c40c086d2956c8082cce0aa00b8413bfca7f00f32349fed0be7c06

SHA512
54c159a3c053da75442699368aba671d624a6a1e04007b4270592d37137e8b8e6c424950432772fdfe478f45a5355838888b7ecc5f2b682a92857b30ad06f01d

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
74KB

MD5
e24bba1be5f844414991a9edd099377d

SHA1
21fd65202910cc9e19be6b6cfe4212fae4f0a1cc

SHA256
c73addfbe7056f70cb940cce6e295dd80c162b422a0a99c6c069475396a6d214

SHA512
5aaac1d91cc58aedc1cf2526468861cf0b1de814902d55efe0506d90ce0970b88b4e83dc50eb205d7353d94fc08fe08833035710e4340c1c94d88f9caf1927a0

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
74KB

MD5
7d8b20b485a436eaaf687fbd1fd0a866

SHA1
32120bb506c4b3b7a5867b81c76e0a78a01dada8

SHA256
e88aba8d0960653eab5a7fffdbf84bc399b29cb7a91299d33b2a4d1056def57c

SHA512
10e8d50ce10ccc4ad820ea46fe79906a841c15a938be3a3f9e517aa0c262cf2eae39b67c486a3f8bf680d07722cfaccde91c5c8739f7473c4a53014657345415

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
74KB

MD5
3daab3b642b0b934214eeda6478ef933

SHA1
03a68d83aa917ecca000befa27c6ef9f9474c21f

SHA256
d641f33ad51f7bd741de37339b040422177cfeaa80d00b01f01cbb5fb7018e46

SHA512
d1a85e4fa326aa87f37d90eb84aa5c7b11f51076881862b9d7d830874ad5c2bc8eebd3aee5ffb1a7cc9b2e77ecae3fcf5a542070da8929bd31fe0c759e3dba57

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
74KB

MD5
4f470bf887aaabcd48fd8c5ffef7b4f5

SHA1
8c63f86fdf5a912ca618d6c1c86aa402744b0aa7

SHA256
5144c46e2d770dd430da331446bd56d30e5ac8400c569bf9a02543b314419ff1

SHA512
26c3dfb645cc996867045d33e654085c49dda66f167a8b696863fb150c3ad7b6bb772e26fa7a2d4abe4caea4f722dae999b231678750fddeb41b6ca3d68a065a

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
74KB

MD5
183afe2cbac247046be8f23d3be06d04

SHA1
fdf9f86a887fcb56819a928e4cea55d9fab7cb11

SHA256
d604bb08f16130c3cc95e35bc3fc4933e29f549c4b802df2480a12c356d19558

SHA512
8ff9c462c871bcb81d656ffc6bdd6b33e2f78cc81a45ae8556baffd06a60fea4a0319ec45c54e3e3c1728aa0783e2ccc183cb992dd454b00b8e67c1bba421701

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
74KB

MD5
e740a03ac16343000fc7b4e0fe780805

SHA1
c63681e4e92bffc64b1f367849c51b0a3905b210

SHA256
950ee7e15180f09ed9759fd862bd8a8fda30c6962f87415436ccb0c997562835

SHA512
a5b018f8d053c04b61ac16aa01f6cf5f03782ce9825e44d6019f1ff99b061ed8dae9ae5da96522c81702e61741813b828264f541e2752c237f377e5f009ab4c5

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
74KB

MD5
bda1b7a4962f5237b38dc9b042052223

SHA1
9fcbc535041c9dfba840551edc98bbc8cd2eda6c

SHA256
151a222c017f4149aaf8b57cc3d0f588f04a8b9110f1d64075064c395f4429e3

SHA512
1d7a8a7cce36d903705920f2eed817583509f93390f90c71c701188dd438bf15cf46b650a590d506a1adbbf9c89ea3f43d6d7e9bb1b7bc7770c857677b0a1689

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
74KB

MD5
56db835d20950aa99d279dbd149865d6

SHA1
8847f4cf15ee639b33dfbea9f496d59492035d4c

SHA256
89ee3ce8d47e6f455a184f3d1e5dd7d402b3297eab72d5002f5f186f8dcbdb1c

SHA512
94593adb9077c42037a93b714d804be6b764584b5085b6ec62972bd752dddfabf1a8aa66c486bd0d9d496311c6722f7a219bfd162bc987fb7a11bcc9810686e2

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
74KB

MD5
bd881a79b5ca0306c3a04344b39146a7

SHA1
ed09baa18e95f3f44473ea4ce41d988622a33b2c

SHA256
8dd6831d95c81066dff83def604f1c36aba2f5099b57666dc886c3f773eb915d

SHA512
b5338473f20214267aa4e8531dd99915943fe1faaa7b0e6f9b7be7bf600505923741a3ba97d70fc40fd0db486d93f84544cfde34ae62c2f5d95f31a986230403

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
74KB

MD5
56f39fe62fea18a2403fd6aaea049c54

SHA1
b8ab5166ebecfb7ae20300fa3eaa74c23dd3b010

SHA256
37306d518a6421dfc124e8732b786967d7f62878c8ea6f2a2c3653e26f933d9e

SHA512
20cb1c485a878273c5e0480ea79dad0dd87e91b0e881fa6d320f29168110282eb4b410927d2ea3149568ce7c995ce4c4d4912853f46deabdda0718b827946a18

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
74KB

MD5
34acdef0e1326266318093fb4df8e9fd

SHA1
679f876ec7879a2a2955de1e639c9f53a1a6b6e7

SHA256
42ad1439d27e0a82b6942911ab449f21018aaa61a77add66fb0ece6fcf783dec

SHA512
0e204cd7f7ec2344e9cdc63b0108e17d88348cbdc2b40ad470b540e58709b5fd360bfe59fe0382c27d6db59548a1cacf31341debcc4a515b474caf6dccc2b0ee

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
74KB

MD5
49e0c1c07e264add93efb365db7a243d

SHA1
73b0ab5f4a48cb0e69940468c6d9ee162f7a8711

SHA256
d971ef6d6bc8bee2d31c75613220400057dc77c72b56eb7518e5909005cbcb51

SHA512
00c1215b56a8b4d09cf7484bf3b25e82a99fa4e3fc01573e247e7e846787bcba2abe510c968fc2f38a79e7d23f435b6e0a191218221d5d1126944619089ed237

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
74KB

MD5
169bdadbc88d7d134c1016cdde79ae0f

SHA1
d2ae62159fe38c011747becd741949cbc2b150fd

SHA256
1031a3f9899a59228b7cbd8c688b42c1b47798e26b281507f5ed13bca185ceff

SHA512
ca4adfbf600bc58de7170b878c4c5ce84b1b5fc11c2546df95c7b762249c96bfa88284cc8722255f3cb49f713bed5d4b3852e8b8988ac02fba21af8b2f101d00

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
74KB

MD5
ddee1060febd612acad9b1f7b7b2e8f2

SHA1
746ab258a4100371e92989a26b54880f49df8f35

SHA256
084daed1febd615840f4754e8db427d23eefe6b0a0a4a79d2c4409a7c83f9da2

SHA512
45fb07086d6e112fe8807e3c13f706af5efe9b3fe41328e76830142854182452108541ba554151171f3d0810298872416ef51963ee0a17a6e3254e9f357304d5

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
74KB

MD5
8c3ca0e7911c9cb07a011468f0978af1

SHA1
84907e396d093725e2af625fb1023775b6ec8699

SHA256
aa6264e730ec5159514dac97b17b81b49bc4d34e11ac9cf5889878f4d83c591c

SHA512
ccbdbfcc6616553c9111f234ae517f0bd5cf4b211bcea200e73d730b6dc03c84553348e34bae175816e22acb37571d11e00d6c6bcc58a2a92d1c9d154fec30d2

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
74KB

MD5
7e1afaad7922ee332201152ccff57242

SHA1
231405901f5ef916121929996ce4e26933679756

SHA256
b98585829cd7605bb023d1aa361741ed2a282e669cfc1d4e0743854e425bbfca

SHA512
99767acc900f8895ebd63ab817d866faa87cda6a3075ea9778301bd633ae90b0eb59a2ea195fe45a6d108cccffbcc27e6868b426e90b93f0ccb8f5408001e542

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
74KB

MD5
e9e48987d0246c00e85bf94bfee24f03

SHA1
be358a0c006c01faf630733d31a3b68250f8cb09

SHA256
92411b6d43799ebc253cb3cc10a6a2a832594c0548a83d81dd46799841a4ff7c

SHA512
eaa8a31a8a865956d1858d2008dd4b3c1266c824f29e8e83870a27b96920b652575ace20b556a6fd9457adb616d423af98b9e906eef85e734eb591dbf34f8166

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
74KB

MD5
68a3390c0f9ef9c70b5921f9f3a46a32

SHA1
92bf9764169d773a8deacaae07a4c755f948dd21

SHA256
3bf9710f0019ff8ee27c743730315eee77d467f16b7de712e6e71a3cec5b2fc3

SHA512
a92a663fe9883a60a7cd9d1350ee9975cbfebe3a999a605f024e3d2a960b7e0a758d8bb3c911b3f20034f4523f1dfe55cb15695dca9d425d4bb0169423b5ac5f

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
74KB

MD5
6093ae30ba29c7d82d5415046cbf9163

SHA1
ba157d550d593d28be63d0de50b81920fcba49fd

SHA256
e8084274b78ff668235e038b49ce86932f391637e1d5b5319773cd0154027d11

SHA512
455f6295a42cddf0c8b429f033b348c8b8b267c0639c663a6b03d97078e3656a4616905abacd3cfb85a28f6c90f36d0689a5dcd9fcfb49f0456b6947788697ce

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
74KB

MD5
e857258a150f4e968ca7f7d6f3c0011d

SHA1
7acf88388457d158f4b3e343a2bbfad8e1c188c9

SHA256
970a68482f224279b79c8ce07659f945d8742bcc538f2ace1d851664672ff79b

SHA512
b00bc4dd32895ef42966b56b56f6e637a6c3efe75ecb78c09bd3ffff136b31d587334416f2e95ae179e344c9b6a211c145e13d4f18f2d3bd5d9e78e65cdf46db

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
74KB

MD5
0c7230bc49caa8e9dffe49b0125e17ab

SHA1
926a76a5e2412b902f05428bd8273123c67e5f5f

SHA256
ebe2801a4184c08c87958d054b88981a8263f0a13706238ed84ce34738e54844

SHA512
abf4a5630b23a653373736c06b07e1711f8c7bc9c584cc191a3803d193e41cdb00e18d3f22740b0b817214f95cc9b2e45cd3e7276a967bc27496f910ee1c1389

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
74KB

MD5
fe943b07051d2776000883967d1c762e

SHA1
d4a39110d94c43500d531a7ea34825ba6bdc047b

SHA256
ba5e8d1f181e2ba442fd9c55d51520fb2c851c382a3c9a50c02e4cb7f4e9370d

SHA512
0ba67e445a0a366ce7d431efa6c58314f4e41326df7c6aad5f53a57cf22e7533ca6ff8465eb7e98961ebbd3fd56cc82b31da6277e0e08f025b14161d9b83425f

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
74KB

MD5
8bc0a52dc27299096260b7d46c628526

SHA1
658ea9b99bc2c0afff64731348f6ab53f574e4de

SHA256
79b227141414fac2cb0018dd34086a814770e1b8f991b984be66bbcc5db6cc94

SHA512
4be83ea090490d3e2d045d41f6f83876cfbc1c427752174456db4d1d2a562825c4c510c98ac5cc8406d9a448b3581cfc5fc22174e6e1af233bf24ada4440f60f

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
74KB

MD5
55a3f1041a5841309777023cd9eec702

SHA1
3394e7125996ffeb95b0382bf1876e341202030d

SHA256
d9bbd8214c174ad9fa73992fe24f7a939ed4e51ee8d27d8f004c65b9c5b46430

SHA512
264bc84ffe99656c12b473c679cbfd3819d12d7885cd91c36656a840bd8fa29f5edc1239f4393881dd7e0a49ee4b0b2d8360615d94e77910f84a03233ad5b57c

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
74KB

MD5
03222be941ba120004209c09b3b24c7d

SHA1
fe647d2a003ba55d5e1ee290b1c60283fd6bfbd2

SHA256
52c5cc4dd1be61019f28379987b10025440ee8a30e7f108ac477ff2539e2eb9e

SHA512
321bc44f4a6c3a5c158b664fb472632da821f03b1edbeb69af7e0d9eb849472a2c784e87403bd11a0b6ee6dd484984c5a2dcfb0bfd103001e9b4196c12f872d2

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
74KB

MD5
df6b0c28f4a7a14fa3a1d8a38e9baf92

SHA1
baddf7cc6d89d5352114c66b4a3d3b2b22051f59

SHA256
644a130bfad0480f4edcf9b76211e14b5085a5c5968cc87bd3ac06e0354d6c66

SHA512
c4e406ce86b5f6f8f622695cb17b84747e130445129ea09fcfb8414e0066601407394a2915bc266289ec50ef48595e3f177197714c5dcc7f721af832a9f7ca81

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
74KB

MD5
5322db9625e0c5fd4d3cfc2e0099a65e

SHA1
7b24e68e81bd028b2243eafd2921be56b76f628e

SHA256
4230bedc9edfa0b4f5096aa61f23d587eb7ca7192c5d688ad13ebfb374b075aa

SHA512
2f38eca0d2abf0d5a64948d8889199eb8efb380e69708a034db2680cfbcd2801390e1787a8c5e695a9ec2debc56ca99428f3591a7c6ee4eb8bd0940664e70b40

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
74KB

MD5
d4fd5816181f10f42531edcb9934eafa

SHA1
c08ad8484065ed5e667c19d6c183624ef0d905e3

SHA256
14ea501eccb6387bc7b298ce040b079c27d5b32e8fbc6704a63501b66780cee7

SHA512
4bd8adc72982e2441a702fb141cf4d7ff2cade0d3cdebf55dc6d5ff5265c626af6ef6c0c521e94eae6251afa053b57aab8b6ef8c3e3162199dd53383e3e313c0

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
74KB

MD5
b61ba7ebc82d2e341802812c4e2a5ca3

SHA1
0c95d27c1b7b9d5d052b383d3149a727848dfd1e

SHA256
862b8d633445134578a607991a25bdf6de42c672ed6e22bdd45731fb3efdb32e

SHA512
62cd569ab2c5622ee7e227503cf250f422ff3e8ebce46c87f9c7c568e962b01c58b5528c064c90eab62aa870da24036f2792cbc110f20fe870b79fc852cc371a

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
74KB

MD5
455b83925df642c4e9c2afac1ab608c8

SHA1
9b72d9429436cd8884cd7fc3c7095a7f0316e911

SHA256
d70a7f7ed1d0001671ff61966f9acbb560fa04cb8a98cb4e9f9a2d2310b51b03

SHA512
15e989c51eacfc8cdce853a4f17e6a818e4613b4a7228b2eefd3213c896640aa0df3c42f9602da694e8b7694561b9001fbbee28238ad9eff3fca3af7de53c710

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
74KB

MD5
c6aea4903671855a881159d3447df007

SHA1
04a5fe4d758604be5439042ee291a1d0e994a1e5

SHA256
1413f73825cf86d51da56be7cbac4c63214f537b021f15731f4a9e7f4051b417

SHA512
f57e79cbaf5b9adb4de676de3b89f3e7e14b3d0dca65584521e9d721ea2f4e159efb194737b50da2d2033ac1bb777f326a1d0dd8b86ebd46c447994a7a2ec736

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
74KB

MD5
bbe451bd8fab7fd41a0d7593f7427c71

SHA1
ca8bfa5b835bad3e76f3605d5fd1f41d2a076d54

SHA256
a510b7089c159f41a13fc118720360b566cabcd78073ff201d1394e49864c4b8

SHA512
d85d2dd319ba162d1b11d62e4bd2838a058770ce58ef1cbc8e3867100de6e9eb381e7f202b5d6bfb527cbf4d8a1627bb131ded0d90346fe35ad94c9990220195

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
74KB

MD5
5a1f853eed9ff4958e73f9350c454651

SHA1
c4ee98e71401535cdf7f9c1721e754b076077d42

SHA256
457d30be9885c2c135869a21789a8f1c72ec7b6be4b996bd9e55976be36c04f2

SHA512
a496e31ec685208e5f89249bc39a723f2c0a36c4fa518ee44131ffbd93783109b1fa12e776710b80baf9e2ccf2c027e6f9ea7ac38449459ab413f314c8187d9b

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
74KB

MD5
82ae6be9d3949f42ddeb0836b73e8e81

SHA1
9b41d3d49a27fcc799ff24619bd79fcd57f652cd

SHA256
3712ea97ae61c70b1d2a34b50164dee99b079fcd1ec0a950d958ba791195ee60

SHA512
d5419430e2952d15e77eec41e4eb9da3d0f4a1d10473b68ab216fd525f2ba2ab50ac1638857df8973edca59d6b72f99059e318e35dc152e8d23a70197ee2aee4

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
74KB

MD5
fad1fb0c0958446fabb8eb925e2a53a5

SHA1
a51708976d467e680b50a25eabc687ce4057523b

SHA256
4b33d76a56b33af2c1e0db839037c499e0e9a8e366219ceae42089c9716681a5

SHA512
c2e5f63cef074ecd08b6b8e9de60c5756154df51d4a5e05c148e78c9b46133c56b773a9066015fac037c9fa71bdd347409c9fe7ab8c37d9cd70f2ce57d7eefcb

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
74KB

MD5
09c569b3206cf2742dacd8a6765f7c03

SHA1
b9ee64e6046118bfa4b3f7d2bfcbb7bc4641d3e7

SHA256
66388c933ea928965a9b623da2d35b8d51262ffedc09428fec3fe2e30901b1b3

SHA512
151e625c5696bd6216cc991d853eb55d13b1997ac42ff16304c0521dd0af8d3b1700af3c9ab81d9db75d236fe565fff75043c383dc0d5a4d6401341eea60b016

Download Submit
C:\Windows\SysWOW64\Oolpjdob.dll

Filesize
7KB

MD5
1d30957483533aff0dcf2b2a806a05c3

SHA1
12706b06491def90cf1a4c63c52a3c3f788a9dfe

SHA256
b8c8a4f06c292df14b6372a4519fc5d54964dc81007294f35afefea3297a71ee

SHA512
5efa638b906cc4178350ec6c47fd43b787dd4749946e6b5cb089446f90b8351729345ea72118b57a02d9fe052d2fcd56ebf32db3370354c6a9f8edbc8852f410

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
74KB

MD5
20c6a0baf558f4a7d303376931d73d50

SHA1
60fd610bbd124fc261d4c728bd7b1caac4097f14

SHA256
0088632ad999d09578cdf7c920db6acf783047fe46e09738e893899477b03301

SHA512
16a34cd92a254ee6b85c875d9f076170bbc58a38d5c34fe8712053dfac7c2c7fe9533071532792b22f1d57b13b2ac3dbe3f1276c75048de64659f72206194a27

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
64KB

MD5
4afd6be8d8900f4e0c75f3f8b6064001

SHA1
7661364b01347494cac454ec964805245f818608

SHA256
312a8afe285791309933d1c310b0cc31165d3a33f76107a05bce0cecd176f007

SHA512
1f3ec8c9fc312f239b87b2f5d0a25bfe61e9153ca499a6263e2f0394e96657cdb6a1a1587dd5c7636bb138d750002067f47d3e989a58483fe5e7e9c24753072c

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
74KB

MD5
c55715c0a9d70f8c99a52be2f3461f3e

SHA1
31137228226ca127dc0fde75e812645858d40b50

SHA256
e9920335a326b23319b7f43564deda025292a32a1ef53a7f9bdb8b1f96fb9079

SHA512
ec08d83ade027c547e3bff7d57cba7b75c6a2224e8f7b7d6122ae4d13ee39311209adbf99a5b535e1c5dbb8a12d5244be5a14d87370f4cb2030ad9f98a8dc4bd

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
74KB

MD5
6683dcd1cff92255a60376749d63c85a

SHA1
7427ba7b4445429f0a7fcdd077dbc9544f5eda19

SHA256
59d517735791f2346af7f04b1a17a0c9492913726a4823f331fe875b5ab0e953

SHA512
3762588f3af97498a2d4d67b47cd76c47d21c8f265ec013b3211ce2dc6a04348428ff924274b5b0d6793e5eee3b059d2e72ff2dfe0325918df1c354b11550ef8

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
64KB

MD5
3554751e841f94b68d6a6a4defc249ee

SHA1
772c1afbce5b986832cde98f17b3818cdc74ce62

SHA256
1fabe73e1d24b23369f96e59677c8f1bc8a4d75db3dc5e5bd473066c1e216340

SHA512
95884bc64c08b1483c25da44c30d6c7657878a0816e624a0221edb93492d25998c97fc54213b9892e31f2ef67e68809f1d1917f9248e3690f5d42cc816facdc3

Download Submit
memory/392-575-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/396-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/700-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/792-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/880-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/920-267-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1000-509-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1416-521-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1444-589-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1460-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1552-455-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1924-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1932-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1976-380-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1984-554-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2072-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2080-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2108-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2224-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2228-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2268-428-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2332-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2352-533-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2416-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2416-539-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2508-561-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2576-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2644-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2708-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2752-581-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2752-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2800-479-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2824-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2884-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-588-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2956-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3032-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3044-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3056-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3112-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3120-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3140-477-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3176-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3204-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3216-449-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3240-568-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3312-503-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3316-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3340-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3436-547-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3440-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3472-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3484-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3552-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3640-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3716-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3772-467-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3800-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3884-515-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4000-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4008-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4024-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4040-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4048-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4072-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4164-574-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4164-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4200-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4248-260-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4256-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4264-553-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4264-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4272-497-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4400-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4416-540-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4468-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4500-443-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4524-278-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4544-485-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4556-461-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4624-582-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4632-546-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4632-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4668-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4752-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4768-491-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4788-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4796-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4836-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4876-560-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4876-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4892-527-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4988-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4988-567-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5100-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads