berbew | 6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768

Analysis

max time kernel
78s
max time network
17s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe
Size

448KB
MD5

cc2861a802e80cd7099c267068311e40
SHA1

c5a45280a6bb38c34b49b89af512235238dbdcfb
SHA256

6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768
SHA512

bac3c9d33f66eb67d5e75a803d16c7068f85e4d5b23c50f482ba29654594a45e2cab83ede7e8e1a44ade03e71bcd3108ad5b98abe33ca25fc60b49b125b8eb94
SSDEEP

12288:HJ2u04LGfY/GyXu1jGG1ws5iETdqvZNemWrsiLk6mqgt:F04LGfY/GyXsGG1ws5ipt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjfnomde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mklcadfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmlcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkjjma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nidmfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqklqhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oadkej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqklqhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjfnomde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ompefj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooabmbbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mclebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mklcadfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ooabmbbe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ompefj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mclebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nidmfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdcifi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 46 IoCs

pid	Process
2340	Lkjjma32.exe
768	Lnhgim32.exe
2784	Mqklqhpg.exe
2796	Mclebc32.exe
2672	Mjfnomde.exe
2756	Mklcadfn.exe
2712	Nnmlcp32.exe
2500	Nidmfh32.exe
3036	Nlefhcnc.exe
2008	Oadkej32.exe
380	Ohncbdbd.exe
1336	Ompefj32.exe
2284	Ooabmbbe.exe
1712	Pofkha32.exe
424	Padhdm32.exe
1044	Pdgmlhha.exe
1224	Pghfnc32.exe
872	Pifbjn32.exe
2236	Qgjccb32.exe
2156	Qpbglhjq.exe
2120	Qcachc32.exe
2016	Qnghel32.exe
588	Accqnc32.exe
972	Afdiondb.exe
876	Ahbekjcf.exe
2496	Ahebaiac.exe
2732	Abmgjo32.exe
2752	Aoagccfn.exe
2848	Andgop32.exe
2188	Adnpkjde.exe
2992	Bdqlajbb.exe
2988	Bmlael32.exe
2688	Bdcifi32.exe
2504	Bchfhfeh.exe
1780	Boogmgkl.exe
2708	Bmbgfkje.exe
2276	Coacbfii.exe
2152	Cnfqccna.exe
2320	Cfmhdpnc.exe
1716	Cagienkb.exe
528	Cinafkkd.exe
1760	Cgaaah32.exe
672	Cjakccop.exe
1000	Calcpm32.exe
1160	Cfhkhd32.exe
1736	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2292	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe
2292	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe
2340	Lkjjma32.exe
2340	Lkjjma32.exe
768	Lnhgim32.exe
768	Lnhgim32.exe
2784	Mqklqhpg.exe
2784	Mqklqhpg.exe
2796	Mclebc32.exe
2796	Mclebc32.exe
2672	Mjfnomde.exe
2672	Mjfnomde.exe
2756	Mklcadfn.exe
2756	Mklcadfn.exe
2712	Nnmlcp32.exe
2712	Nnmlcp32.exe
2500	Nidmfh32.exe
2500	Nidmfh32.exe
3036	Nlefhcnc.exe
3036	Nlefhcnc.exe
2008	Oadkej32.exe
2008	Oadkej32.exe
380	Ohncbdbd.exe
380	Ohncbdbd.exe
1336	Ompefj32.exe
1336	Ompefj32.exe
2284	Ooabmbbe.exe
2284	Ooabmbbe.exe
1712	Pofkha32.exe
1712	Pofkha32.exe
424	Padhdm32.exe
424	Padhdm32.exe
1044	Pdgmlhha.exe
1044	Pdgmlhha.exe
1224	Pghfnc32.exe
1224	Pghfnc32.exe
872	Pifbjn32.exe
872	Pifbjn32.exe
2236	Qgjccb32.exe
2236	Qgjccb32.exe
2156	Qpbglhjq.exe
2156	Qpbglhjq.exe
2120	Qcachc32.exe
2120	Qcachc32.exe
2016	Qnghel32.exe
2016	Qnghel32.exe
588	Accqnc32.exe
588	Accqnc32.exe
972	Afdiondb.exe
972	Afdiondb.exe
876	Ahbekjcf.exe
876	Ahbekjcf.exe
2496	Ahebaiac.exe
2496	Ahebaiac.exe
2732	Abmgjo32.exe
2732	Abmgjo32.exe
2752	Aoagccfn.exe
2752	Aoagccfn.exe
2848	Andgop32.exe
2848	Andgop32.exe
2188	Adnpkjde.exe
2188	Adnpkjde.exe
2992	Bdqlajbb.exe
2992	Bdqlajbb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ompefj32.exe	Ohncbdbd.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Nidmfh32.exe	Nnmlcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Bpdokkbh.dll	Mclebc32.exe
File created	C:\Windows\SysWOW64\Pifbjn32.exe	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Hcopgk32.dll	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Nlcgpm32.dll	Lnhgim32.exe
File opened for modification	C:\Windows\SysWOW64\Ompefj32.exe	Ohncbdbd.exe
File created	C:\Windows\SysWOW64\Ffeganon.dll	Pofkha32.exe
File created	C:\Windows\SysWOW64\Qgjccb32.exe	Pifbjn32.exe
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Lkjjma32.exe	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe
File opened for modification	C:\Windows\SysWOW64\Mjfnomde.exe	Mclebc32.exe
File opened for modification	C:\Windows\SysWOW64\Qgjccb32.exe	Pifbjn32.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Nlefhcnc.exe	Nidmfh32.exe
File opened for modification	C:\Windows\SysWOW64\Pofkha32.exe	Ooabmbbe.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	Qcachc32.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Andgop32.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Jmiacp32.dll	Mqklqhpg.exe
File created	C:\Windows\SysWOW64\Leblqb32.dll	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Goembl32.dll	Nlefhcnc.exe
File created	C:\Windows\SysWOW64\Dpdidmdg.dll	Nnmlcp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdgmlhha.exe	Padhdm32.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Mklcadfn.exe	Mjfnomde.exe
File created	C:\Windows\SysWOW64\Nidmfh32.exe	Nnmlcp32.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhgim32.exe	Lkjjma32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmlcp32.exe	Mklcadfn.exe
File opened for modification	C:\Windows\SysWOW64\Ohncbdbd.exe	Oadkej32.exe
File created	C:\Windows\SysWOW64\Dfqnol32.dll	Qpbglhjq.exe
File opened for modification	C:\Windows\SysWOW64\Andgop32.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Nnmlcp32.exe	Mklcadfn.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Padhdm32.exe	Pofkha32.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Ljlmgnqj.dll	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe
File created	C:\Windows\SysWOW64\Fljiqocb.dll	Mjfnomde.exe
File opened for modification	C:\Windows\SysWOW64\Padhdm32.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1056	1736	WerFault.exe	76

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ompefj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padhdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnhgim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqklqhpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nidmfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oadkej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjfnomde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklcadfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefhcnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooabmbbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkjjma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnmlcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncbdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll"	Ompefj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiapeffl.dll"	Oadkej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oadkej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll"	Nidmfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcgpm32.dll"	Lnhgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdokkbh.dll"	Mclebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goembl32.dll"	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqhpm32.dll"	Ohncbdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdidmdg.dll"	Nnmlcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Andgop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ompefj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjfnomde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohncbdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mqklqhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljiqocb.dll"	Mjfnomde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oadkej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mclebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmcef32.dll"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2340	2292	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe	31
PID 2292 wrote to memory of 2340	2292	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe	31
PID 2292 wrote to memory of 2340	2292	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe	31
PID 2292 wrote to memory of 2340	2292	6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe	31
PID 2340 wrote to memory of 768	2340	Lkjjma32.exe	32
PID 2340 wrote to memory of 768	2340	Lkjjma32.exe	32
PID 2340 wrote to memory of 768	2340	Lkjjma32.exe	32
PID 2340 wrote to memory of 768	2340	Lkjjma32.exe	32
PID 768 wrote to memory of 2784	768	Lnhgim32.exe	33
PID 768 wrote to memory of 2784	768	Lnhgim32.exe	33
PID 768 wrote to memory of 2784	768	Lnhgim32.exe	33
PID 768 wrote to memory of 2784	768	Lnhgim32.exe	33
PID 2784 wrote to memory of 2796	2784	Mqklqhpg.exe	34
PID 2784 wrote to memory of 2796	2784	Mqklqhpg.exe	34
PID 2784 wrote to memory of 2796	2784	Mqklqhpg.exe	34
PID 2784 wrote to memory of 2796	2784	Mqklqhpg.exe	34
PID 2796 wrote to memory of 2672	2796	Mclebc32.exe	35
PID 2796 wrote to memory of 2672	2796	Mclebc32.exe	35
PID 2796 wrote to memory of 2672	2796	Mclebc32.exe	35
PID 2796 wrote to memory of 2672	2796	Mclebc32.exe	35
PID 2672 wrote to memory of 2756	2672	Mjfnomde.exe	36
PID 2672 wrote to memory of 2756	2672	Mjfnomde.exe	36
PID 2672 wrote to memory of 2756	2672	Mjfnomde.exe	36
PID 2672 wrote to memory of 2756	2672	Mjfnomde.exe	36
PID 2756 wrote to memory of 2712	2756	Mklcadfn.exe	37
PID 2756 wrote to memory of 2712	2756	Mklcadfn.exe	37
PID 2756 wrote to memory of 2712	2756	Mklcadfn.exe	37
PID 2756 wrote to memory of 2712	2756	Mklcadfn.exe	37
PID 2712 wrote to memory of 2500	2712	Nnmlcp32.exe	38
PID 2712 wrote to memory of 2500	2712	Nnmlcp32.exe	38
PID 2712 wrote to memory of 2500	2712	Nnmlcp32.exe	38
PID 2712 wrote to memory of 2500	2712	Nnmlcp32.exe	38
PID 2500 wrote to memory of 3036	2500	Nidmfh32.exe	39
PID 2500 wrote to memory of 3036	2500	Nidmfh32.exe	39
PID 2500 wrote to memory of 3036	2500	Nidmfh32.exe	39
PID 2500 wrote to memory of 3036	2500	Nidmfh32.exe	39
PID 3036 wrote to memory of 2008	3036	Nlefhcnc.exe	40
PID 3036 wrote to memory of 2008	3036	Nlefhcnc.exe	40
PID 3036 wrote to memory of 2008	3036	Nlefhcnc.exe	40
PID 3036 wrote to memory of 2008	3036	Nlefhcnc.exe	40
PID 2008 wrote to memory of 380	2008	Oadkej32.exe	41
PID 2008 wrote to memory of 380	2008	Oadkej32.exe	41
PID 2008 wrote to memory of 380	2008	Oadkej32.exe	41
PID 2008 wrote to memory of 380	2008	Oadkej32.exe	41
PID 380 wrote to memory of 1336	380	Ohncbdbd.exe	42
PID 380 wrote to memory of 1336	380	Ohncbdbd.exe	42
PID 380 wrote to memory of 1336	380	Ohncbdbd.exe	42
PID 380 wrote to memory of 1336	380	Ohncbdbd.exe	42
PID 1336 wrote to memory of 2284	1336	Ompefj32.exe	43
PID 1336 wrote to memory of 2284	1336	Ompefj32.exe	43
PID 1336 wrote to memory of 2284	1336	Ompefj32.exe	43
PID 1336 wrote to memory of 2284	1336	Ompefj32.exe	43
PID 2284 wrote to memory of 1712	2284	Ooabmbbe.exe	44
PID 2284 wrote to memory of 1712	2284	Ooabmbbe.exe	44
PID 2284 wrote to memory of 1712	2284	Ooabmbbe.exe	44
PID 2284 wrote to memory of 1712	2284	Ooabmbbe.exe	44
PID 1712 wrote to memory of 424	1712	Pofkha32.exe	45
PID 1712 wrote to memory of 424	1712	Pofkha32.exe	45
PID 1712 wrote to memory of 424	1712	Pofkha32.exe	45
PID 1712 wrote to memory of 424	1712	Pofkha32.exe	45
PID 424 wrote to memory of 1044	424	Padhdm32.exe	46
PID 424 wrote to memory of 1044	424	Padhdm32.exe	46
PID 424 wrote to memory of 1044	424	Padhdm32.exe	46
PID 424 wrote to memory of 1044	424	Padhdm32.exe	46

C:\Users\Admin\AppData\Local\Temp\6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe
"C:\Users\Admin\AppData\Local\Temp\6aea90acf5d885d1a10b525cdfe393e3f7a5315ca2419ddf069db74440be7768N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\Lkjjma32.exe
  C:\Windows\system32\Lkjjma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\Lnhgim32.exe
    C:\Windows\system32\Lnhgim32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\Mqklqhpg.exe
      C:\Windows\system32\Mqklqhpg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\Mclebc32.exe
        
        C:\Windows\system32\Mclebc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\Mjfnomde.exe
        
        C:\Windows\system32\Mjfnomde.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Mklcadfn.exe
        
        C:\Windows\system32\Mklcadfn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Nnmlcp32.exe
        
        C:\Windows\system32\Nnmlcp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Nidmfh32.exe
        
        C:\Windows\system32\Nidmfh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Nlefhcnc.exe
        
        C:\Windows\system32\Nlefhcnc.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Oadkej32.exe
        
        C:\Windows\system32\Oadkej32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ohncbdbd.exe
        
        C:\Windows\system32\Ohncbdbd.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Ompefj32.exe
        
        C:\Windows\system32\Ompefj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ooabmbbe.exe
        
        C:\Windows\system32\Ooabmbbe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Pofkha32.exe
        
        C:\Windows\system32\Pofkha32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Padhdm32.exe
        
        C:\Windows\system32\Padhdm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 144
        48⤵
        Program crash
        
        PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
448KB

MD5
1ec9decba967e6e11da6996a670e92b5

SHA1
36bdf1d11cdda4f0406ac39baad3233126898447

SHA256
9269272be65027ab9527059e3379ba160d84ad8e0de528b106f3ebe492a512e8

SHA512
53ec349c1b4d06b1a025e7df753776bbd2ac808247b39ba97adaa88a7aef9f749e9907387d0876bd587205c1fc2fbd79e938629139f5c88fb0ae06693ae1aa4d

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
448KB

MD5
41ed376754fbe51367af82d1374daa0f

SHA1
34c1165691f762df3a14c78bbc7a0132da12c8d4

SHA256
c414ce5b399fb230eb69320e914ca09170c2f403d3a9fd794cee3c0fcbe5ce7b

SHA512
c09f48daf03aeca0f82cd0df1e73eef7c4735036dbe7bf8ebd88d7571b334d3f47a53b4886cb56f95df02cd80faece5a0e1a1232e914cb7402c30fa18c50293c

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
448KB

MD5
913d89963ddbc5b884d93d039a102731

SHA1
c3e8d9a66d28c106d910c7266338b5e99611152f

SHA256
4cfe875fc4cc679268b58e9117444ff64223dfbd064b5e69eb2e0653cd45d045

SHA512
84517a88da82c2855a2c9f2d7f7a6db01a419b2f93f1905ad19d1b844edcc2f0b59256b0e8930dc3d14915b6dbd1fb28203bd35b43b0fa0fc980750ee530d520

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
448KB

MD5
0488dace1fed18e282a53d0db61ccc59

SHA1
33433ea78674ada5c1e855389bf7e8ff0f73dfda

SHA256
1774a2b0bf6ed488417baf9049d833cf2affe89fad17b827220d6ad549de70a1

SHA512
e261050decba062663ce60e37c1ab0d6312e8afbedc83181511cc90f4e891f31c2901227b799c4e4f8a12e954d6e6119af8b456f1cd82d428a8e082a20160f99

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
448KB

MD5
9a05ee4035368510f985aab41625565b

SHA1
0843180a29f85360d92be39dc8d2ed286f370ea4

SHA256
300d51d03458ca2d51b086e4c060e782b4fa789cc26ce2d210aec11006824bf9

SHA512
1ed0846f44b5b24aca13f70101f2eb021e41a911b157a9451a9c900b33aff650c182e9f84f8aef3da77088ac1c2b386e71f633788ed9ee0c1047adc9170138b7

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
448KB

MD5
265032de0ed5d43ecb6a7e4098338694

SHA1
ae30fe7a83e2f35587b300fc8941213de73f0117

SHA256
4d27a2720f55eac768a8c709ff06b595326e4ba01e65089504ab43c27f53c94d

SHA512
f33948d9497413b3109f4f6e1f6f1b68c578d988eb7d0bf24b7bfcb4bde0f241ea943d0dc64b772e8e52714c361fdab0dbdabd950ca92c2319c427a65d2a3c69

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
448KB

MD5
e485e12b89a1a6e5f15b3fb7be1465b2

SHA1
590e8f894c750ba554248a92a95cd24ddd99d5da

SHA256
9327b8470553824ba3a0e24d286f819020c0c3338242bda2bb5c2f998ce84235

SHA512
13976f045a57f797955fb28792c440e52abf3fdc7825d4b1d4f21883a6b4927457d8e7702fb9b6a3c04bad18a1a7fa0b2b5b4b46ec9cd4ca0718314ccd8667e3

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
448KB

MD5
b4ee76d7add7a3051d207889770d500d

SHA1
2a18bddf8610a8f9171524a0dc523b22bbc1b267

SHA256
6776f032069108573521c54f93b4ee3e1559a53f5fad86bc277cb0516adfb8dd

SHA512
b68b45f0f0114a5fc17af09e2af2bba9b5f61da793752d95dbfab3c908e255e2d2f2399d209502d943e9defe6694db2d48a5a1ccecf75742234b9158903784f8

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
448KB

MD5
c3de8ccb0bffc3e017c9e93bdfa20f21

SHA1
68025ce676ea46b773c39c6597bf1c091a1bf605

SHA256
0bba815c7ea6c928d0f4ebad65e7af6350af3636470a18cdc6d7cff5bf68aa14

SHA512
7c4f1b9c388d0d9fff006cdbae6a438fb4dcd06ee2a4bf33fce07071c5257bdb0d66edf3d5f7375025e4cb9d9e70ca842d62c32f86e79b916ae236f2fd1bb706

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
448KB

MD5
f33e35b8cad9956f0e6e439e8c44909f

SHA1
406364118080b1a9c07a1329fae67520e5342e7d

SHA256
75b684eb47ae39f01eb502573a24652d6b737433d2458d00c21d9ab5374b116d

SHA512
c6cab7380c192cff2df05ac44d774392dbe4deadb692f2a17b60982c786017f33ff66a756790629aae5ade28e9ac7de516f74d5c86964fa040b192dcf3d618ac

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
448KB

MD5
718cdf7198122aa96e8171a30f124a47

SHA1
e2496d39e77f1a94b9a4b52afba54d7c812c8ee6

SHA256
19a0529e59be7aa5c9685fff5749139b7c15014a7cc8dabfb44952387509aa41

SHA512
c27781b27dba262230bd2d6d8eb0b54f97aad7f7533ed9e02148a6a2cdc5f9935ce88a5924075435e40057388c3d537eb3b4bdc2c5e987b0db1e6a36779ac78a

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
448KB

MD5
5d3b2d1c8829e918751424af47da3b1e

SHA1
8e1a6ac9cbce28465b83ae2ef895ebdb45d5706a

SHA256
e655790b7dbd9cd4e06f52ecc5418ab3b57f41f89ee1f9a8d676e52c76d23fcc

SHA512
817f7963e2cf3eb6588deea5c1481ddc93cfd9265a78739ecffe874ae27b525347d285f038d51252885fa7302e64922e560af140866c110ce8beea469bd1177d

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
448KB

MD5
4960444be143aca7d9732f558f93ab96

SHA1
dd3be174ac9e1f1ea0e8d7c1f62668a1438838ea

SHA256
8a4776f9006d8fc5f272c43955cf7a0d5a5ce8fcaacc12e431ff0f19e9c19a87

SHA512
a9273212be18958086d0967a27011059c872a469fc8120f56a2508aadc554921589b67f2efcc8560c5b16a26d2c28da7f19bcdd6a70eb2cac849306c499ce9fa

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
448KB

MD5
e40868825784e03f4a2b6764743d0976

SHA1
fcd457f1f74fd387067191c3f0b5284e27b34de4

SHA256
901532882cd3ec2a0fde6d97ee256e7e5f7fa644068f5ce6222d88bbf7127cf9

SHA512
e9fc82c62a189f7e56777adb336afb6bce312ccce8ed61c013204eb628337cebc12e5120158eb37d83d1158f6864437b0c553383ca1509c6ef86ee3180b9ed29

Download Submit
C:\Windows\SysWOW64\Bpdokkbh.dll

Filesize
7KB

MD5
782e95487522f3d78868e75305c56464

SHA1
3fd7ed9fe4ffcc5e04bab55484362e0e41fa3fd4

SHA256
4f871b4ff0aa7d2d858ab6dbfee5b3f20357c8a2552f96cf04111bb33b02a62c

SHA512
2158f9070f1f58cc55f84c8d793da9a80d19c17677f0321921daa793b75e62dba0c75130c45dc779e2774f291c9764956825f76d83b1531c1b8635f1d1fcccf0

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
448KB

MD5
07783b826ec99b3fdcbce93cb003f816

SHA1
57200a22f59921e828302c977fec3971c187f02c

SHA256
d069d3742a6ed4c4e3af09e8f2376dd482e21e1e074e2fc68a6bb8a7d653a8ea

SHA512
00484b27523262022142e23e1d5cf55426cecf83adc9d5d3e80d4b919e96bc9d6c6c45ce4e37de066271015086cf1002d422ad57e6605ad2be08ace92e02929f

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
448KB

MD5
531bd0c26e0916386d958371d6beb08b

SHA1
6f4fc2940e46209e7ba27558d73a4fba3d2b5440

SHA256
fd35e0a2878004f9857139c8156654f994819aa3b8d1eda24750931ad4c46508

SHA512
0cdb18eda288c929044a847bcb2fc7f2516958c4a9d1c69ac4b054c6366eb5f8ed87b18c971e97bc62bdf5c188c9c1c586bc459448e25ddae604400877a8bbca

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
448KB

MD5
06d38944aed8d4acbb3488509283d778

SHA1
a687e81927a04f545236633f1db76b5dbe1a547d

SHA256
f770b1c14fcfc3e7a9ba125e82eeaf990c4376dfbe4ae5c26b9848b055961ab0

SHA512
f4875e3e7b0633f09751181aeb6507976f90a7ed605161a1e843ef92ff32278baea6184d4111d45d7097c4e1522d47e31457ec9c3581e95ac00fbd9f153bfe83

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
448KB

MD5
b5d79f5def8e107c94ca34cd8a8a5e10

SHA1
84589d98b2fa80744b1d32eeb08354e4b9122dde

SHA256
b1696aa41a683298ac4fd172592d2f68d656a96e61e1dab4b1aed6750a827162

SHA512
36335095d4afc68172c81c1a2b1308a2de98b606194490e4b26ccc498dc6c0f53e5ddac42f267117fb2a166727c63477e752b9be4663f15be8978cdfebb6f6bc

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
448KB

MD5
ee1f7fbe70ef43a19a2d3fb04d31fabf

SHA1
b9865b95f4d50b348a9e08c15e7b817ef437b3e3

SHA256
6e05c36c43cc00734c29637c55a9238d4dc8e59c5f0d0e9d0694c21e490b596c

SHA512
9548a70f81189e20e0dfa92cd244dfcadc9d0a78ff08fbb327ea9dce13cbd25daa107833bb05c326683f97812474539e28a1eb30a71b3f6ff40aac9499cea6a2

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
448KB

MD5
246ba77dbd44504c0689b8f16aeb776b

SHA1
702e1c95ae06fa948f6060f5383eac897ad68562

SHA256
f3f00e6a7ad3ba7a6f19c726007b5f6aa13cea5fe70f6555da5b2d1d6afe8b2b

SHA512
396957dcfb269e0478f48cde8a12d9145e707ac5570babb3ad7dd300a6ece476bd8b300ee9694774900e899137f8544d1874a1e3f86a67090ff16b0e134e8c89

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
448KB

MD5
59676f9486f40ef6223f16ae38b12ed0

SHA1
6137b0aa3692143881a1235fc8d8c5c603ae4e2e

SHA256
3dc4ad84c1bec3cd63784034da4ae80a8346d1ade5f32c8c44e2c4f9e32c0b51

SHA512
39d9b50c70af7086203c06b3e5536f65b00054727b6a5035186c3f4df8d7fc9ce8e9cf6004ca7f370b53deb5c09c19c0ba4fe579221bc016c296c2c6ca6f7341

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
448KB

MD5
99df9c83df5ab63a708ca0113de0f0a4

SHA1
2afde52d37b606ccf4903ad45c216d0ec4df4dd8

SHA256
dd58994726a9e9db79f21af0a5db677a4134f6d8a66615e857a24103c2d73e2a

SHA512
8b82902a5c3863e385c9d5974ff60977afcac796a7614dd8b9699410870954cea2d4fd8aa0608c426451c38180e498d12cfd4efaabef74c95f5620443d27636c

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
448KB

MD5
344579a56f157bccf7db0532bdbb2b32

SHA1
a1ab733042b055a7cb37ce00ccc2c49269e5d673

SHA256
aa07f93b34a74610ca485e3f1e657a640443be910707100458e7f98833603ca7

SHA512
65efe28a423b783604a377f971a387e8dafe460f64b77de73e213fdfc5d388b933825486e1e1f756d52a5ec7c2cd4aa6bbc345a81fd7da189e8b84a88e7c745e

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
448KB

MD5
ffa457cf30ad41cdd819ad32988d741b

SHA1
075edc9332bda1c8115ee8e2654b003faa20d7a9

SHA256
eedeee08b7d6a0ea00ccfc0d052a91260d6590201a9ac52ad437f12ec7001f44

SHA512
3b8b6d2490af1f924ebe2c4c1c8b97259c8269ebaa6b234e926f799b4d88cd83005df61e1eb3697070fc8efdfa2b2f562dd4f41798976684c2793a50c8438e07

Download Submit
C:\Windows\SysWOW64\Lnhgim32.exe

Filesize
448KB

MD5
b84f2822b335527ca7c73a91c84e1f9d

SHA1
0b82313075456cfa395e244ffa199f6a543cd876

SHA256
d7b57ebc30bb2e3055e3ba2fe110313fbecb6d03f325541e5b503a19ba26a42f

SHA512
f04cb5030d8b3c8ed61492886ca89c04271e4c3ae5323f208bdf7f7c21c361a91aebd407728619cd5c385a8c35d15cf7f8ffb69c13ccdee124eed46c9bbdaa82

Download Submit
C:\Windows\SysWOW64\Nlefhcnc.exe

Filesize
448KB

MD5
65ee3fb4ad47257c7fdf113a23f68907

SHA1
e812f75e3043a156b59fa3010d30df4b9272e62d

SHA256
646734fc6490b155586b0b804b89f0193b4872e955211b82c87cef4fd3ec1f1d

SHA512
48d6a574aca4636af1617c7efffa36af70d2abffd7e1efaa8fb938abb051f716a45b7b2ca2680f84f1fe63af83737806f0a32d65bbe0d7c8189b256b5404061c

Download Submit
C:\Windows\SysWOW64\Padhdm32.exe

Filesize
448KB

MD5
477959cb969876c3ff1f081a7d1e9a25

SHA1
2028ec45f4251451a17e4a1023d3697c0408c04c

SHA256
78721652efef006ff39a266485ed86b048b8201acb67dac55bcd651f7620efcc

SHA512
d6378a084995308288c5ada70888c83de721e6a91a7e69f2dda0f2e15cf676864d8b8169a947238a57519ea440ab0e92484b42d8ad406d0b91e48db5b7a929fd

Download Submit
C:\Windows\SysWOW64\Pghfnc32.exe

Filesize
448KB

MD5
3a9cec6e6e6d3835b97b1437ecc87414

SHA1
badbd17b586197f0054b956fbc763a76919f7153

SHA256
e1e7983847dcbded655322d734228ba1a56d7f5cd4f0f528ab6bc4748704ca1a

SHA512
10e74abc91ba8e4ef0d19289536311fb9803fd2ccc22dda904ef10b8bbbaf5f60f4d30b3655c1001b42aa92fc786e7abe864afc584ba7a95ade74b4a2c056310

Download Submit
C:\Windows\SysWOW64\Pifbjn32.exe

Filesize
448KB

MD5
31fa853422149386258ebeab0bec92a1

SHA1
70238fce583c515fe1609b04fad2c3c7800bad3c

SHA256
3358aa0d269591e3202c6e23cdea1ebd60270410c4652d0fddfd2449f234870a

SHA512
5d79c599ef7770c90472845db4978f4029d88eb2db5a872bf138df58a7b3976eb5ed0f99db660dc58b7e6f00bec6aefa1e4dc2444d5d55c96e8128d1a7a4d43e

Download Submit
C:\Windows\SysWOW64\Pofkha32.exe

Filesize
448KB

MD5
0d9ad54decf3c8f17fc3901859a89343

SHA1
e0acbb0c5d004c996b6d4af8e987b2704d7f6281

SHA256
d425401483fb6d1ea60ed0302334876bea6e1192dccae71553553c986c669216

SHA512
6986e04d76f843baee4ad8ff3da19a9e6c1f43f206dc4e3ab367c9fb2cea7658b7d7453f4009d1d8f40037d1be08ed6a331ec2a9e53225ffbf9ede8ca5972890

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
448KB

MD5
c2c38133feeef03feae15873c1ec4d03

SHA1
0a1307b29d1a7ad4c00eaf434a68aa2cb108d2d4

SHA256
dd4f1e759f35926f3c9f240866fb0d1510736ac4459655c201129195c7a6c962

SHA512
53e5c88f487e0b08bf82ad51e666d1a45c49f429cb2a917bc9db617bd5f437d8d84c646b4c37f9f619256d12c094ddd11f70cb115d0c41463e06ea4ee8065dce

Download Submit
C:\Windows\SysWOW64\Qgjccb32.exe

Filesize
448KB

MD5
be5c3e8c85c1dad43e758705d8f6e0f8

SHA1
e401c12af97cc66da9221b2458d1fdd32510bd34

SHA256
5e887591eacab8b1c24ac2590d5d8205bf34d4fd3067e2a38205ab755955e1a3

SHA512
6d132c479d047e7e140a707dd53c915675838be1113994afe81353bd72df43dc5082361bf79b27f7a9ee2ee9a1de1fdeb6502b8e69123e6c2fb24a975488a90f

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
448KB

MD5
7e218303e7a3181eea60c1053c0a9326

SHA1
c5cb452d77ec5440d5706b5beebe821a19d44b84

SHA256
b67f89d618dce8e8cb30a05f3e2413404d3b21b13df17bc8236ab5079ea49dc4

SHA512
5ef2edb47a30c34f47cfe93bc72f892c0dd525a863468ecbd6210f41ada7ecaf20c35156573859a38aa70c781598ab586120ab27b83d9727dbe2716f53c5ceaf

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
448KB

MD5
1d7227aaaa304ad3c97aba705fb82607

SHA1
bfab5f91f3d2285ec2aae13bcb50e57cbf42e7af

SHA256
d5df574f1ff179688cc2a6e337dc1c6721746df34cde21b8dbe12d0604bd57c9

SHA512
dc1ff63ad9de046ae5c1c54a76c8c80268dad6249c9698e9074c12e1985b1cfedacb844e427a1e26774362ce2a373d972ca1fe74d8021d807c0af30df5d6ea84

Download Submit
\Windows\SysWOW64\Lkjjma32.exe

Filesize
448KB

MD5
45ac5dfe57505f8e37ac76ed15d3310f

SHA1
147cdfc8a5fac60473e363825ad20aa42ba278ae

SHA256
4e897dc6aabee7089562586ffeefcaa41d5dcfabb748c940be801834584a5fac

SHA512
fdb9de962a1d724588631c2b40373f166e43e3f03669815aa2149321da4e146d3b2b6a7ccba87ccba7e8f3ca3e3df5da14b636bffac27b175b30907bb7b54c99

Download Submit
\Windows\SysWOW64\Mclebc32.exe

Filesize
448KB

MD5
a828aadc55b993ddfaba2616834e697b

SHA1
232e64431c39c89f97f00fc93f6c3ac02023dd81

SHA256
6a7b1541060269ac9a9b7758031e398b79b1d76f74199cd90c9a33027d3fbd08

SHA512
b0f3af954aad402d3162a5c26fe04380d4351ef1bdc790c3cb84083e54abd982e033cf4bd2b8fdd02963344c82365bd96396b6177a6e8671be42190c148facfd

Download Submit
\Windows\SysWOW64\Mjfnomde.exe

Filesize
448KB

MD5
6952e5af2e329435ee62174e5604a115

SHA1
6d641666864f2bd3f7da7a2d345cc4787918d73c

SHA256
87529d7ccebd8134aafc6be24368907f58e430b70ed7d313e36b4a669dce6a1d

SHA512
a29eb78779159d10fe213563d2c34188ce2371f7d1113c9253f54bec2d263820c2baac74d16db3cc592b341a24c9dd8f8fa80d312b9529dcf7bacfa2309e3a10

Download Submit
\Windows\SysWOW64\Mklcadfn.exe

Filesize
448KB

MD5
3228bdb8a64e526bc17e6e1484221682

SHA1
8de03d95399945e60c93233dbaaed7d257d46acd

SHA256
9877e8e2e9c3461cac0d80498a51bf2eab57ab5bc5a0eccbaf506d4a99df76f4

SHA512
22630a9be8264b9f36f5a0f3be5de5e7b7c9656e2dfd7ee93011ffe99aefbb0b7cad5093158b24dd4f25f4b9327fb3c83f077e6db180c178903a145a3f27fee4

Download Submit
\Windows\SysWOW64\Mqklqhpg.exe

Filesize
448KB

MD5
75d4c0aabd00eec14e908648fc0643dc

SHA1
379fa2117495bd7e2a0db7fa0c227b1bb6dadd6b

SHA256
62365234c01cf3e9216a28fa001a9affae95b1705aba424f3e9b914e2e95ec5e

SHA512
11db4973f424806fd9ea5982afab37a088d865cf1c76f51ca1c43e83ed159effb846d2770210fd3f2d6df00623547c44c72d4fc24186ff16407805ce79a949e9

Download Submit
\Windows\SysWOW64\Nidmfh32.exe

Filesize
448KB

MD5
817f8365abd5f7be2161d5cc172e2a11

SHA1
64f67d89f9e1eac3fef4d65ddeaaaed7f7e1a9c5

SHA256
22adb702d91b9d2a1896719e46e50558aa8e11c9db9f9d14fd9cb530f9f078af

SHA512
a9d246e1a6f8cf19f81a62dcb3d5252d00c826e591fdb133c7ab43b1345261a39bb14a4dccd3a83259b1efc670af7d7d5adb9ccd4d463632647f46f5876e9c54

Download Submit
\Windows\SysWOW64\Nnmlcp32.exe

Filesize
448KB

MD5
8bcdbab8c3c66e88d20db067498fed49

SHA1
b62ffafb849f3f02f7aef733d991269d73dc79fa

SHA256
133ec5661b21e174d20844a374403a928fc396124c2af3d64af9ed5c9a9b84dd

SHA512
b3baea7d1c21e862b3b19e3d8d0493ab1e7cff03f765975ce5c62b7968923792725a4548b66efdf1c4153d4c7842f6f7f58974fd502b54a974f305e4a893413d

Download Submit
\Windows\SysWOW64\Oadkej32.exe

Filesize
448KB

MD5
f8a8c262e0333ea28ec3a375fa0895b9

SHA1
5345b71ae4359ffc44d241e26ba45ee55c8d641f

SHA256
10ed5b400c164f17e2092e2c31902be40b1aa4105d500d2e0b6d5bb75b68c1f4

SHA512
740a7de6459536f3e34211723bcf49f6c2b773cdc89ccc4da1bb00d7de333b81c953064a7632b78103244846dd5207da43e7ddbfab250daa17ed8c271a07e3a0

Download Submit
\Windows\SysWOW64\Ohncbdbd.exe

Filesize
448KB

MD5
526d303b5f3c5fca639d0d254f2a5a1b

SHA1
e013acaf9b72ff82eb4c70b017606b92a08f9e01

SHA256
3506c4b2793508fb0610f8e6f44513ffcd80bb658b1bc92b58367f83e6157e7c

SHA512
47713806aa7a271b4acdc024190670b4c280e169cbe5e60a34661acd1a28d631508fd6157fe912f018a32c81a71ed199c204e45b365ed6ac1a7e0431766e3475

Download Submit
\Windows\SysWOW64\Ompefj32.exe

Filesize
448KB

MD5
be228f7f97c1776982ca665fb8598912

SHA1
9fe60a5bcbaffa434a0e792483d211b5d37a2345

SHA256
21622879bc522a4317fcd41a3bd701ccc6dfe5663d6716b858f20358ffdd0ad2

SHA512
6193b3d50e0a03a75932a180ce616d89675f40696a65ba9358591470e364461925268c58e285cd6e08a39dc2b794a9a672874c17f6b230ccf962a04d54aad2c7

Download Submit
\Windows\SysWOW64\Ooabmbbe.exe

Filesize
448KB

MD5
f30f48360d29e31b45b06ad5c20fe94e

SHA1
bab8efcf50cf21b603dcc23b4198d5663c78dcf2

SHA256
b408e06e8ba08cf6211d267a4b71b5554ec649e81b88fd248acdaaae5e4645eb

SHA512
4a659d3b760ff15593b7eba3a0fe46bda038747c4f22cc421d5d2a2051127f6bca05f484459bbe0e294597a205ceae64ed585d107bc7d3e22e1f9222d48fa20b

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
448KB

MD5
ed8ac7ff44af268308deb106fdd9cbac

SHA1
3c540e586e5afdc5f3089f17b8c6be0dc27763eb

SHA256
3e4b74c1ead938e708f0449ab63acadf388cc9ab5fafe2bc8bed5d43541136f9

SHA512
f6257d54132b548e815a5af962f8d4f7c97965e3bc6980344adf9a0a4116ae0bfa831bfbb02b4be2649617c71589d60e9f2bea9d37d3651127b1e44652fff748

Download Submit
memory/380-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-154-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/380-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/424-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-487-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/588-291-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/588-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-401-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/768-402-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/768-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-312-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/876-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-313-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/972-302-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/972-301-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/972-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-223-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1044-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-237-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1224-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-171-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1336-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-478-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1760-498-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1780-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-426-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2008-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-280-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2016-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-281-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2120-269-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2120-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-457-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2152-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-366-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/2188-362-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/2236-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-444-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2284-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-185-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2292-13-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2292-12-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2292-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-388-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2292-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-323-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2496-324-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2496-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-414-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2504-415-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2504-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-80-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2672-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-400-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2688-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-334-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2732-335-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2732-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-350-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2752-355-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2756-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-409-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2784-52-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2784-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-53-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2796-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-425-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2848-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-377-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2992-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-376-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/3036-485-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3036-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads