berbew | 1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe
Size

45KB
MD5

854b067e76def63af2276acc43919a35
SHA1

c1d782951212e3c3bea55fee6df2c8e64bda42a1
SHA256

1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6
SHA512

894e1cbab7035e9c1cb01f8470f9d0251a8a733d99b084f271a469062b707b7af559f522bc999e93c2cc3e7b4bcf59b5ff49319f9e4b3e05c355144de4902a44
SSDEEP

768:l4ScTwSb1E9X7W9vjo5EI/zc6BRdzVgF/1H5d:l4ScESb+s72U6pkn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2276	Kdgljmcd.exe
2848	Leihbeib.exe
1152	Lmppcbjd.exe
1704	Lpnlpnih.exe
5000	Ldjhpl32.exe
3664	Lbmhlihl.exe
4788	Ligqhc32.exe
3508	Llemdo32.exe
2384	Ldleel32.exe
976	Lenamdem.exe
624	Lmdina32.exe
4084	Llgjjnlj.exe
1632	Lbabgh32.exe
512	Likjcbkc.exe
3064	Lljfpnjg.exe
1660	Lbdolh32.exe
872	Lgokmgjm.exe
904	Lingibiq.exe
1560	Lllcen32.exe
1688	Mdckfk32.exe
2120	Mbfkbhpa.exe
1476	Medgncoe.exe
4784	Mmlpoqpg.exe
2728	Mlopkm32.exe
2856	Mdehlk32.exe
3156	Mgddhf32.exe
3912	Mibpda32.exe
736	Mlampmdo.exe
2380	Mdhdajea.exe
3104	Mgfqmfde.exe
5064	Miemjaci.exe
4500	Mlcifmbl.exe
740	Mgimcebb.exe
1492	Mmbfpp32.exe
2176	Mpablkhc.exe
2144	Menjdbgj.exe
3252	Ngmgne32.exe
3196	Nilcjp32.exe
1192	Nljofl32.exe
2820	Ncdgcf32.exe
3648	Nphhmj32.exe
2864	Ncfdie32.exe
2196	Neeqea32.exe
1268	Npjebj32.exe
2980	Ngdmod32.exe
2488	Njciko32.exe
316	Npmagine.exe
1916	Ndhmhh32.exe
4364	Nnqbanmo.exe
1664	Olcbmj32.exe
2256	Ogifjcdp.exe
4636	Olfobjbg.exe
3484	Opakbi32.exe
2608	Ojjolnaq.exe
4976	Olhlhjpd.exe
3920	Ocbddc32.exe
5080	Ofqpqo32.exe
3980	Olkhmi32.exe
1228	Odapnf32.exe
3188	Ogpmjb32.exe
1276	Ofcmfodb.exe
1536	Olmeci32.exe
1900	Ofeilobp.exe
3856	Ojaelm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Fmijnn32.dll	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Lljfpnjg.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6252	6160	WerFault.exe	243

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2276	3028	1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe	84
PID 3028 wrote to memory of 2276	3028	1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe	84
PID 3028 wrote to memory of 2276	3028	1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe	84
PID 2276 wrote to memory of 2848	2276	Kdgljmcd.exe	85
PID 2276 wrote to memory of 2848	2276	Kdgljmcd.exe	85
PID 2276 wrote to memory of 2848	2276	Kdgljmcd.exe	85
PID 2848 wrote to memory of 1152	2848	Leihbeib.exe	86
PID 2848 wrote to memory of 1152	2848	Leihbeib.exe	86
PID 2848 wrote to memory of 1152	2848	Leihbeib.exe	86
PID 1152 wrote to memory of 1704	1152	Lmppcbjd.exe	87
PID 1152 wrote to memory of 1704	1152	Lmppcbjd.exe	87
PID 1152 wrote to memory of 1704	1152	Lmppcbjd.exe	87
PID 1704 wrote to memory of 5000	1704	Lpnlpnih.exe	88
PID 1704 wrote to memory of 5000	1704	Lpnlpnih.exe	88
PID 1704 wrote to memory of 5000	1704	Lpnlpnih.exe	88
PID 5000 wrote to memory of 3664	5000	Ldjhpl32.exe	89
PID 5000 wrote to memory of 3664	5000	Ldjhpl32.exe	89
PID 5000 wrote to memory of 3664	5000	Ldjhpl32.exe	89
PID 3664 wrote to memory of 4788	3664	Lbmhlihl.exe	90
PID 3664 wrote to memory of 4788	3664	Lbmhlihl.exe	90
PID 3664 wrote to memory of 4788	3664	Lbmhlihl.exe	90
PID 4788 wrote to memory of 3508	4788	Ligqhc32.exe	91
PID 4788 wrote to memory of 3508	4788	Ligqhc32.exe	91
PID 4788 wrote to memory of 3508	4788	Ligqhc32.exe	91
PID 3508 wrote to memory of 2384	3508	Llemdo32.exe	92
PID 3508 wrote to memory of 2384	3508	Llemdo32.exe	92
PID 3508 wrote to memory of 2384	3508	Llemdo32.exe	92
PID 2384 wrote to memory of 976	2384	Ldleel32.exe	93
PID 2384 wrote to memory of 976	2384	Ldleel32.exe	93
PID 2384 wrote to memory of 976	2384	Ldleel32.exe	93
PID 976 wrote to memory of 624	976	Lenamdem.exe	94
PID 976 wrote to memory of 624	976	Lenamdem.exe	94
PID 976 wrote to memory of 624	976	Lenamdem.exe	94
PID 624 wrote to memory of 4084	624	Lmdina32.exe	95
PID 624 wrote to memory of 4084	624	Lmdina32.exe	95
PID 624 wrote to memory of 4084	624	Lmdina32.exe	95
PID 4084 wrote to memory of 1632	4084	Llgjjnlj.exe	96
PID 4084 wrote to memory of 1632	4084	Llgjjnlj.exe	96
PID 4084 wrote to memory of 1632	4084	Llgjjnlj.exe	96
PID 1632 wrote to memory of 512	1632	Lbabgh32.exe	97
PID 1632 wrote to memory of 512	1632	Lbabgh32.exe	97
PID 1632 wrote to memory of 512	1632	Lbabgh32.exe	97
PID 512 wrote to memory of 3064	512	Likjcbkc.exe	98
PID 512 wrote to memory of 3064	512	Likjcbkc.exe	98
PID 512 wrote to memory of 3064	512	Likjcbkc.exe	98
PID 3064 wrote to memory of 1660	3064	Lljfpnjg.exe	99
PID 3064 wrote to memory of 1660	3064	Lljfpnjg.exe	99
PID 3064 wrote to memory of 1660	3064	Lljfpnjg.exe	99
PID 1660 wrote to memory of 872	1660	Lbdolh32.exe	100
PID 1660 wrote to memory of 872	1660	Lbdolh32.exe	100
PID 1660 wrote to memory of 872	1660	Lbdolh32.exe	100
PID 872 wrote to memory of 904	872	Lgokmgjm.exe	101
PID 872 wrote to memory of 904	872	Lgokmgjm.exe	101
PID 872 wrote to memory of 904	872	Lgokmgjm.exe	101
PID 904 wrote to memory of 1560	904	Lingibiq.exe	102
PID 904 wrote to memory of 1560	904	Lingibiq.exe	102
PID 904 wrote to memory of 1560	904	Lingibiq.exe	102
PID 1560 wrote to memory of 1688	1560	Lllcen32.exe	103
PID 1560 wrote to memory of 1688	1560	Lllcen32.exe	103
PID 1560 wrote to memory of 1688	1560	Lllcen32.exe	103
PID 1688 wrote to memory of 2120	1688	Mdckfk32.exe	104
PID 1688 wrote to memory of 2120	1688	Mdckfk32.exe	104
PID 1688 wrote to memory of 2120	1688	Mdckfk32.exe	104
PID 2120 wrote to memory of 1476	2120	Mbfkbhpa.exe	105

C:\Users\Admin\AppData\Local\Temp\1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe
"C:\Users\Admin\AppData\Local\Temp\1e82524f8aafb73c6b0777bddb36ce164304421765650b0cfb141744144cdde6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\Kdgljmcd.exe
  C:\Windows\system32\Kdgljmcd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\Leihbeib.exe
    C:\Windows\system32\Leihbeib.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\Lmppcbjd.exe
      C:\Windows\system32\Lmppcbjd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
      - C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        23⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        25⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        55⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        57⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        64⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        65⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        66⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        67⤵
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        68⤵
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        77⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4780
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        82⤵
        
        PID:840
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        83⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        86⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4916
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        89⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        90⤵
        
        PID:820
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        93⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        95⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        96⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        100⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        101⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        102⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        104⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        111⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        112⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        117⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        118⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        121⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        125⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        130⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        132⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        137⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        138⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        141⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        147⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        156⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        159⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 404
        160⤵
        Program crash
        
        PID:6252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6160 -ip 6160
1⤵
PID:6228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
45KB

MD5
8d6039eed23d91a83e390e6c5e71a9b2

SHA1
2892b7f1322c28634effdb8d12a7aff075c518f8

SHA256
837b23cf176c5564df0e1454ed450c0d4cc32a2ac396da3c6e2ecdf6fea866c0

SHA512
ca4694778ff149dc022b98894fb8a4c03328b70a5da99d9e91d38371d64b1eb233cd889f64b627ae26345c9d5efe035a243d9b6a9a097f740ae0d1bfec8f1335

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
45KB

MD5
16d5562fd68fb4fc605c05301d5ba861

SHA1
6c7cc57ec4f623c732a9d120231aa84d4d9a0121

SHA256
7a3d3f479426353d7e67bd4eaca7ba64d867f13b61b82f94178e126e877a3815

SHA512
08173e58293d22f32b22214229f4d95270c7629ba737bb7913e4ab903cfa0d20d7d0a2204b99c60b97a033af8959ff72ef9dc09106cae213789ec7f6eb82d935

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
45KB

MD5
698d10446e36c0780cbff9eca50baaf7

SHA1
a8065ee91ce07ae273c6aaeae70aced81f402cac

SHA256
9ad2ef65b6655fd48ef668a412134aeb27a9a537215c6ae439fa9027a4113e13

SHA512
1dafc06e32f6127edf6595255c28a364717b54528dd85826ad4f9f17eb58ec078b1e0b0a792bbd72b08e8782a60cf92f0db4d68e6b7274b7ceb25d741182a3a6

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
45KB

MD5
7b15a18d58ba6393656ea10f644a3379

SHA1
85c01784abd49f57b69a487e3161ee73e5f834ee

SHA256
091f14ee58598d6e815f6ba40ffa8dd97929022caf91bf9b3330d618998761b0

SHA512
adaab6ec56739df54fbe0abf49de537c7fac3511f3ab21c27aac3f751f059d185531d06d07145c5621576297369a0f2afbb48306bbc21e218a78f89c0da67864

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
45KB

MD5
c82ad30f79e1adc6f9ee8e337ac92844

SHA1
74ffafc42d952b537a042bf561dee5375d5ab831

SHA256
d320b6cf8432395c7e835782794e0ad51859b2a8bf3e476f7c44c563d746eeec

SHA512
55745b4ce80e990bd518eb02c22086e0089c94e44deb180ba0e30a7e528bf27010fb90371358e5037b3e458ab2a5a5c5a5c8490e81022f614753183f7287f450

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
45KB

MD5
7039775f0b1f696144868af8dd6a16ac

SHA1
916b140ac99ece6fa17931e53d8d37f0c433c3b4

SHA256
af261b782fdd529f6c6d48ac1b55d8d9fe0ff9d5da1afccff8a83e1a27010ce1

SHA512
a9e2ac382f49578774a149098677278b40ce7971886f9f3674b7c613318e01b842edb2b75dabc580df49fd1e9f4a7b6b7b6ba2dd70427dc2328511027508be62

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
45KB

MD5
4b2e65dca05783e9115d6ef7c9c25b29

SHA1
ffdd8dc73c53bb45de7f858ce6526eab4ae92aad

SHA256
7564417eb7e95144f5a6d15ab60b05e99da2933e6d5310909cc9bd955e48a8db

SHA512
f2f03cfb1531dd326c8d36f18e9a6d259e431e4fbdfb4b138b46aa60ceee567feb87590cac7a2ef8ec02c659ff656041a1b5830371076c611aab6c283e709637

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
45KB

MD5
4a2819152148dbf16e592fa30bb90142

SHA1
164eea7712b063e5fcb15af315478c1f09cee345

SHA256
20515dba6fea12145d72eb0a98f2bb7a718b1ac12f31010ff63a773a03687521

SHA512
d6b40e91b68d33659cab8938fedff333c53ecfa399bac43b8773dacb555385c71f54cc4698d9a36f0e9c40db6b5b379332b2ae67fcb5f62c8b7ffc895c3651f9

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
45KB

MD5
86be37299aacee992e39cebf7a5450ed

SHA1
de1b3d1f391fb491e6e613d963ff28fb0017a45b

SHA256
dac9bce437c354b4cf001f3140a6feb06d096fbd9f93d4c273e4d2f33c272369

SHA512
e696ed9c5b7a50746dd81d512fd669fb3e7362a385dbf49cc41473af1ebe657070c34cf6aa445a446d63b5020d08a385fa9d29bac8817662774506923ddd3047

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
45KB

MD5
8c4dbc54edc65c8209cc28059573d554

SHA1
5cde0d26e66fe0911cb95f504e35feac54fac11e

SHA256
43a9124248d0539a08da5e951e13b2939238050694c004ecbc1994890e14e887

SHA512
560ebad1c97e18a0f6ad6c50005bd989cc64b3c2b6bc871c3b6762bbe4b81e1462a04ee8018287284823cf7a83ed4a59de6286020a88abcb76c9ca844cfc8b96

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
45KB

MD5
1b1c1d147cfb1a3effc3f9c3d56fc268

SHA1
c1bebf7844e67b3de4a5617b5b2dcbcd2d444647

SHA256
9ae6a6a1704203313379ab77e5855b003cc20bbb7770b94be5936757aefb1f79

SHA512
4a09a1d424f4537a6000ad25875c83cf84c0801c0d1db786c96d2976db9bd9c82b4588a7d265d31339992ffb9ce3344044e9486ee1baf657c56abab0920b7bff

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
45KB

MD5
330c98cca0f8f90f8b94e9021ef67470

SHA1
a0b910a3a96fedd22ad86a6923ac4596d08f0171

SHA256
c8ccfbf397fc5c4f5a944c35cb432ff57c298a31d22cdd43d331bf5579523d39

SHA512
870e2d62760ec6ddcd5610e31124b3c0ba4e56aba7bf794e983202bec346d7f966adc477475820d4a07a1b18f0d972721bf174a4ad6fd4ba673aeb12534320d6

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
45KB

MD5
3a500c9510a8bd1ffffd654f32b25d20

SHA1
adbd81e6a7d0d35844290cdb331db328b1aea1c9

SHA256
28c6d2e6269be96097a05a6f68e61ac1c6b0f7b6ffebbde0b78d2dbf27c683e0

SHA512
8688b418b9ab7e70acaebc7f866e9deccdb02d4ce33ca60c92bee528bb10156756aa16294bf2a68ac71b147a10aa0e306d61c5aff53da30ba9bfb68f2e945239

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
45KB

MD5
dcdaf078612d56b3bcb1a3fd42a439b5

SHA1
82e43bce6c3785a09f7c3af73a8ac7ff30310d68

SHA256
2cb3fd8431d03ec9fe0e59c620b68119c6b3d782d47e90d59c7db848d77f16bd

SHA512
2f45e7027b1e5762ae96093990dd1ce426fa7737599ceff506d73e57fbcc8c6d85b1f77e5eecdb9469217f146ba55cf0a45540c7a8ef3fd32b3555f0423d9bc7

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
45KB

MD5
5079afe4511c20d51957bb7698e31ba8

SHA1
eef249a8cc5090559fefc1036072c246ffe91ced

SHA256
0c8458bb15065eeae800da4e65402e80e0070f194d37a1dc181c5a510236e7fd

SHA512
0d27a18a7abfc9e6d62b9e145eeeba75bceddab98df51c1ead203ee9b40807d38b7b25992f3413d2a6a00d40ed86c8cf5a388c1118999d910026b73e397e35d5

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
45KB

MD5
c9523b626187aa071e31861c5d00b50f

SHA1
7353d70bb26ca208cf63700ad62767e42ea46452

SHA256
8dd9af79581576e679d43ec2605df4902cee0ca5c9fbb912c2a997aa7f74b526

SHA512
d5d82f49826b7fa4a7b1253d86498ced5d429dd04c421a1ac59c31859e41fa28570ceebcdd779bc9dd6344e7d9a39780398214ad256a4b00a500e5ab2a5b36a4

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
45KB

MD5
821e5970f063242ab6fdc634a9b264b4

SHA1
0f5f4dd3a7c6a2269d18b3ad12d896f36277ce3c

SHA256
e32b993865c40f6e731fd32f721b9a2b43f428cfba6f0e7e450ef74e7f91761d

SHA512
e6d0d691da8891d9062e31d2e9ebc2b12dceb94495f49c18fed0cf91ab15eb1fd9691a6b16e3423fe03f66512c15f4b75abfd37a1a0e6e4d66d677dabee6d456

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
45KB

MD5
490689d18b7171f0e18821c2e674779d

SHA1
b438b4eaf88de2448881e574f583202e1b3e5b5a

SHA256
9ff17c5c9b3d622d97c1184c889f3891f02846fa1bde7d9e2a741028633bff67

SHA512
10317f36ba728ca76625b4a78688db9fda02bacfe07abb0a42dea30e336ea74dea62565762ce3d714d0911b10ff7400ee7879f13916629af071e01911c4b8abc

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
45KB

MD5
652f2153c8356b50abde16d873c2da5f

SHA1
83f6f3f463449e0427880d7b4941d40906a814ea

SHA256
0e4c03c082371b2b95743c293e98bf1330c65f66a05a2cfb36ddb425b4800b79

SHA512
13bd5a4904b1af5aaaaa4f889804d72ff749846dc8d5f7c04cf0d2050d006886677af968a4d2507807413582b5aae89ab993af69d3e0c9aa3be8d353575e2103

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
45KB

MD5
3d7407e08e44dc20e8627ef07403f579

SHA1
e56f25fa840c7a1463493f571b355e484a59b9a3

SHA256
c02028c8ec0d5419edd000b701f7b44dc0ecfb29464898501e4a37ce7e346f83

SHA512
1c876a53474dbf30f06205e0c7c7742bc44f6e46694a368fd0cf9b1a25a059bd1ab98a441d9e3c8575d3824fc91ae8313a7465b918e3ca150c02b8129c5a8dda

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
45KB

MD5
a933a9f635040c74f549a61e105dcdde

SHA1
5af3a733b7b7a255ef495b42caca1b051b303da4

SHA256
dc19ae7d38fc8b6b49321603d6d6c0132ddab2faa543be5815843e7a76958e04

SHA512
e2a500ef98725249fd6073f36b9d9ce57b5e65f76d53a41aaf3ef6188ad2261d8f5c3b71c0edb6ab339f23c3cfa4fbee87c8cb995f483799869b0cf75f386415

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
45KB

MD5
aec74be0fbfc5885fd9b078236a47424

SHA1
6c93073500025fd968ecfe683dd3eaf93f2afe12

SHA256
ce4675e90ef8274073ed03f9169dbb34238cd369e2cf82d284f7d97261a1ffe6

SHA512
e702532b01482b3203dafaa894e93e67bdcaddfcdb4f27c1e8aa6ea19e583ef4b33e96b231e2cbced2499e33f9059138ecc810b0fb3ba0488f842f82e848d956

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
45KB

MD5
2e14ce8456ebfd5afc679763b24191cf

SHA1
01bfab10dea9c24c04f79f7cfe06b3e8bdf0956a

SHA256
78eb26589cf8f08fca22bfdbac6eef6521ea276565fa355e9ed6bdd68e6930ab

SHA512
2b7748317a22416f7f3867d86c03e8443c407934faf45424587c330800e8a3903feb0a5b921dbab318bf07bc680a6f91f1ad58716db1ece2495433c5bfa9f50a

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
45KB

MD5
b05a061e05c3ea91fa2c965313623d66

SHA1
94c205bdf4207e050b1051692d1f4ff1eb7a0437

SHA256
10fc2d4c6ca93cc65dc0d1ba7f5fa833cccd88d0ab04b26c27770c21ea2e727d

SHA512
c6be79120ef6707856b240915cf9ccba322bb90843445153f4d6af4756dc7df31f597be5c4939f874fdf1dbad63ffddb3fc7fd4d2312c0028d373c424b1e3a68

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
45KB

MD5
fb17191dd41addd29d43a1e73da94f1e

SHA1
fca5faf01d379c940f5d1e591b68d77dabf08049

SHA256
a8b46181cca009cbc25481a6174ee12d53d5ca388fbcfabeda8c014bdea32da0

SHA512
ce48d8800dff58e4c4ae95669fe52523e031d602e14383c513543ee6ba239183483c9307a50b42254e4784aecdde76b24a2f3f34dcab6920825a2a8642c4bcb9

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
45KB

MD5
1661b09d68f4b1cbe774d574481f6423

SHA1
e298c719059ee49e8b532a2e11752c995669a4a6

SHA256
a3706b3df56d28247a7a85693d510e1bb6976732a77d7ad8d11c04288b088b9d

SHA512
f5e28c3d3080f0e05f41c4be4f64467403b4bf3878d669756d9434d7c95c1795e4aebd7f5903c5462b6e6f28ebb8e427578785b0b667a63d6c701cfe063f1406

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
45KB

MD5
c2e7cdd44cb180dc770fdf4c43f2bdb0

SHA1
c690129380c5eb098c3586003359b26b5a39465a

SHA256
cc54191ffaab5a0429698149638aac37927aa1cd119be5c5e0942ed80eeea6b8

SHA512
01ff13cb7e153ff2e8e1665c025291f7ad6d8a63d0864a68053905985ac71c35313d43ffc48a9bfa67c441adf66fb0707b40283d9f7cbc2ccc85f5887cac0ca8

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
45KB

MD5
00dcdb661178173a1d104d2bdfebfe55

SHA1
391f14e6460e9bd211868721d39aa59a98d41280

SHA256
90cd1309dfe8a9a457cbaf11ab98e9d905c9ccefe261bf27bcfc1ffdf037a141

SHA512
ed8180a36a7fcd32b59d557bfc34c1f230f20bdc3887490c38e2bffe5a0b29d697c07684194ece295a9db220440216d08142b53e78b064b2809f5a7e3c9b1402

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
45KB

MD5
8c0e64639897ce4b83b9e32d7f837bf1

SHA1
4203162b5922e0a0667d6b20a06e566414dbfb15

SHA256
87b34ed00af9739a077d74d7742bc6c0a534d13aa050a3b18c64ab0dc3eda1d0

SHA512
ec6772fac8d55c866f39827a4da27795378aa49828ccd0f1f0695b6c36a35e0243a4bd9bc305612975638996ef29363038e7e270df0547cc061d9f426285fa21

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
45KB

MD5
615af85824e874337d3630d4e5135186

SHA1
eb568c0feb22ac9e7229895f3323cd7ee943b22a

SHA256
a71b56282e82890d90b20a10b80aed963c38387fef0d54689c72bbf491072e05

SHA512
0d994eb07344a3206d9eb5047dad8ce0f7a03a8a3119dd076481cad6893c57af5fd268f132bcd8b54f98186307ced6622d767358a23d2f837c3586ebbcbf4b8e

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
45KB

MD5
b7255844e109f34ce5505478bdfe7060

SHA1
8c223411c3bbab0bf5739112d3678d418c51fc21

SHA256
8364db877e763b869dede9568fd5cc5ef03435ca73e0035dc6753e90a260145c

SHA512
3f38da06a257d9d0892b20deb148fe4718d01b9ea0cd88c6bfb544016460bf6b8e34dcde86743135b6eb141350da60352aaf786b5b3632d647d66684a0525699

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
45KB

MD5
9207f459f9fa8d1b52f63154ccc96b7a

SHA1
02a84d75d37b6b25dda9a688718e0cb732223b48

SHA256
bf170815197619cf9f395f67c449562870e109b0ca9c1a70b6f1b5958d1752c4

SHA512
23cc43b3db8978f3e33943b38d0fa4511d7fe634fc970e96c7adaf133d5204cd0451c7ae762a3b879f2bce13f86ff2b68c28d69813b3ddd7631029d369054b27

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
45KB

MD5
1ec16cd9251986e42e6ff5c05c1bef7c

SHA1
1e18520877ad775a37f6c56bd2b6c7ab36324c5e

SHA256
d664f87f68478d6993547c84437b5455297777392b1e80b55ddc6e081f2fed66

SHA512
30669973685403b64fa08407077c822c0a3c8a1fdd57735961399a672725804c873a0e0eb93efe532492d93d13f8aa4f49a70a230e969d271e1f67b6cc54ab04

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
45KB

MD5
134fbcdf9fc1f69624d721518c4b4cb5

SHA1
da95bb863feca74996cf596ef051c4947372b5b9

SHA256
77644c0dfc15ebb3d94ed735cb39dbbbfed643c53e27f97a8e9bf4430e99b687

SHA512
5852195b1649a252f7ea34c43aa7090ae27a2687f16a9ef0887c720f228921bce2bc1a8c7f6949d14a9a3736dfd13d3bcd8946e29f1669911ddac24fe098d58c

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
45KB

MD5
82f0473d0da62afe878dbe648ed9789c

SHA1
e730d86acd88add4fa47db2f442609fb730dd70f

SHA256
11b99ce72ef18fc6fdb23d3250d23594b67a1977d127fab8b24e1b9fe71b6a7e

SHA512
71f460940f3fd0f4c30f41c897cd15e8f6ab1a28085ac120e9f4b1ebe147f0b6915d6f43ffa6d7bda9f632a5597e4aaf6855d2fa7ac488e8c0b98bf801a16548

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
45KB

MD5
48b45fea044a648bddff187861f76e99

SHA1
659662940458930e7cbf593b4a01de491df3bd4a

SHA256
28ccea071aba3cedfdcac866e8f9f647263a87203969471ab2dc4752dd04cdee

SHA512
b9495e370201a6629f59354412dac92d21bb9fb45233a9b0004ddbdbf0d40a8d1b31a640f3eddd941c92df10e6818f6e44b291e75fc8bd6889f06154cf27a0f5

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
45KB

MD5
f221b2bbf2188ffaad64b27331f79f09

SHA1
5151b9238d147de8bc8d2a6f21f14c8dc4e264d3

SHA256
c8338be6c73b534530eb72ae028b418881c0deae80d019b52de592a0baedc812

SHA512
f584cbf8d6ef507ff3a4c205800fad3126b70d0fd65884bbf245e891be18cfb5b461e7ebe80f5ff765d909ae7849b01a3e1021efa0eeb98cb45547e53a0d396a

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
45KB

MD5
e2fa2bdb0a5f182aff0c9fca45b6d251

SHA1
80d5faf2fdcdf729a28c820a325dde613b191721

SHA256
8dc9e7c68dfcf45b80dad59b835bcb26ec1d9674987bad501ad85434fd0af049

SHA512
e2c377ae3bcba7e728ed785723b59921086e47b0904d8bc6130746090cfcbdfb0480b4195fbce38a3628f5e724cbc1febde2a1d0f64899f2852dda81e42552cb

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
45KB

MD5
7b3ac59aaa86121641e6899f64b5b74f

SHA1
7dd619394c046e90b459b3f4b1849087a217c6ef

SHA256
75e116cac32e0b3e6cb522369c0831cd8e5fa0e85198bd8615a1719bee4713e9

SHA512
d74ff30e5c0880246aba240adde6edf5a9f0f1b22e5ee3de44a98e5bf146516c618a350a0bc54eb6682f1a91d175c4c598e155642eb61c6b4448256e5b328b01

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
45KB

MD5
64cadf6e5c349795ef21506fd16a5c72

SHA1
0c58bbb7b3a4bd0e2b032e8fc8fa55c794f27549

SHA256
b3a1710b0fb0c2fc75389761b117682261062f5d6c3d403739eaf5331c4f3d57

SHA512
9106e0e9006542a13aa6916a4486ade8fa94e0b0de3f1ce247f477b9e9d4304c07d8f6a44588e55cc73efac84c875ff2c47f7f66fc6bae5e3e5560302daeae1c

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
45KB

MD5
f9b1f50948bf0ae1b79133a4b040fbee

SHA1
23cdd7d8aa4be8a19bb3649d25743104e1f25456

SHA256
7eb79445839261f90a65c726434e13e772606f48e07061bfe0777bf7f657065c

SHA512
7a593c8fa12abb0a67bab750b0e3f657423152250a6678bcd7dc00d5e00e85485281cca42d0a1213c8c7e9524f200c425f607c6e0ead683266afe30fa99b8964

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
45KB

MD5
07464576bf9e0b2642467be5f7cd2b7c

SHA1
0c14c9ad6245ce7f8c2de4da9c503c639bc283f1

SHA256
7486cf97d0174c19929afbb9137e56b584a0e7dd4371dde3f556f7373a2e7fe5

SHA512
423349e2c721497c3582e1458d11dc213e8121922fe02e6bae98d2e9483afea3e3a85c20bfe3b947a39f8370df7bfbef7d32d39ff1c7cd3301452b4a00419b74

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
45KB

MD5
44abb15ec8f9b8ccd1c5bf56fce035ac

SHA1
0bb61062fdba3c5e6facc680a516c0db4b9bc6f2

SHA256
ea66227d2390cf05e2059254b07b8996497845a69db2614020416ac026b31c6b

SHA512
f5c5907f353dd2a295df8c954e789408792012338e37beddcbe8bfdbcc8a7b319b0b729ec9f3f930376816cfe47b4c107e84f27862fb82d81085a4562a9d7e3c

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
45KB

MD5
4cea8425760ec7993ce50cb03d546962

SHA1
6b71ef5b59d4cbbadc5ac0cb52ab07add6e550ce

SHA256
e56c6a9926962d2422e04b5c2e6584a18072493b1315354558da02919cdaf75f

SHA512
8ce90f9ee24bf54ab017ea06bbb74e7504dbe148f6f7ddcec9c8c38ac2f75fbec51a07800a7d263c098d51f708a247732db7d22ffdcbf03da6ec4804f34b91b0

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
45KB

MD5
c3b58725811236b86a9b53fa4cc781a5

SHA1
daed51112cf91aa737a663df096d9c935ae71127

SHA256
447ab570bb95b7d3216c78a0aca184728906daa757678c0268c255197008683f

SHA512
0f728f0d2a4b38b7bcb17dac244ed34b84c3ada3cd3194f4617161a3cd71a040715447794d323e544c72321930c38323296d6b4504b9f468727141399de8177e

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
45KB

MD5
91520071c68f3303e1bc3ef0e31a74b7

SHA1
782e7a0765a12592d76ac79df18c5d1bb1922b94

SHA256
1def9022f47d8fe83e4317d81c02eb94063b9e271b860f70a0ccdde75fda468a

SHA512
0ca2ed79aaa04af19c8a485bfb67b85d491feb3e24cb2c050f9197c2e1b673cd6bdc90cc3bad645557edc427e20f71fa5a236c959c31b22735030dc201fb0f1c

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
45KB

MD5
503a39da6de31b5a37157d13e3ea0829

SHA1
7cc91746ca989a50679aed4ae522ac480416ad0c

SHA256
d2d6f5ea41d6313ad44af9f3c0f81e4ecce7b2d8c714a77a04172651033489f3

SHA512
7066942009787414abd7272b8a973973633460875b94de8a040bcda1c3610b96637b5307022eb9d1f7ab438b0544d5883ef771fd8a0ec3a9ca2491d78e51d473

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
45KB

MD5
046ba13026a422e6b17fd6b934295bf3

SHA1
ef065599caeddc41639369a7ffdb3da3bf34b3e4

SHA256
921e80fecbafb9ed934985dc4922b05562547ffb0253d21f5c1a992540f6b750

SHA512
6964af0a84908bac6ffbc55a507848a27943ee36b184f7eb2c66289c08e55d10f2156eeba10616f5366fbae123d01d754fdaa3b0630bbe19ba37d18246d3926d

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
45KB

MD5
f2ec4adf27ae6e918ff7dca5d27f9ce9

SHA1
4863d4a95b65031de9496887b16f3afb7e0ad4d0

SHA256
0234ef95c43d94f3017f9fa0f2c9748c593674efe0798a749da3ce97907c3d98

SHA512
f28b509193faed20daa44d67f2417ccf137e942f0fded656617edd2f7a424e10a05e8a3a786c501f1b550318c67a7dc1834d21545ea2daf0913b7202039cfae4

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
45KB

MD5
28d8928618990294f02529c855987704

SHA1
a20c04ceb0bc5985d79fa4d417274d3a4c39a035

SHA256
8633c450d7de76853b859cd386a2df7d220a52e42966fcbbb23e3fc17972fff1

SHA512
dd1235722c918856d0225068ab9b8f155328932e37ac8e9c9c6fa98858eea51b91f0a0800097ea5d911ff7011ec3fe93c88853124bd81ea4dda69ee557a37bbd

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
45KB

MD5
b5c7a2276ad1c6994a0464c8328fc077

SHA1
dcb648b3b6aa8393bd353e1e7c8ef2050abce934

SHA256
91813a8c58c3d53af5b2b4c1fc9227035bfb4eedd268d5d70212f0deedc86305

SHA512
834f3fa1e6e489249e9333fae6e582f953f32ed4d679949dccee52d6bce580e7719c52950e1335b18ae69784710147d154751e31041aa7e41eb9aed7d9380fad

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
45KB

MD5
1bd6fa3c755f14cd35a40d9f30d2ab50

SHA1
902037339b77332cb9234a52cb5a9128b60ffd49

SHA256
c1aefa22bc2225d593b1f06232d1270bc7713181017f46748f57035c9a365a12

SHA512
7709b83809d05c11a8dc62a7ba6bc1e99275497d644023971429f8d420ccfff3c9eb33592352ae20912c3e967b04969bb43da8b94280074d50b0ec2045b85926

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
45KB

MD5
de39a544b5ea596779cd63c96de817a6

SHA1
ba29bdc33d42402755a218d619452044c69301b4

SHA256
87cceb54b099673fafae2a1b09af1e1f9aa4d7b9f1e230e4a37c2a49e9a92c67

SHA512
be740b4b46aae095de3f123678e4e9ceba071c461f4322c4094744cce88d64b3e26d5788092287c886a017061db0665b6b7d044f3d7a6dd2eda4b19424a17a43

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
45KB

MD5
6e891d7e423e3959e81e023336cedc01

SHA1
0a397d2205ac133fe65f5e160b5ba36648e67ab2

SHA256
b4f99f718ef8fee5b927fd8f5e0dc0407ca36505c97cfb78aef550ddcce6ae3c

SHA512
4d26e5ab9d97c9900c026f2ba6b1517d792a0dcfd6caa8422c869f68b05f885a96482052fddb2cc391ffccdf59d62ccfefbed9942f011b4ea6f3b6efd36d86bc

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
45KB

MD5
bb7fcafc8feb5ea1655a50a5a07591e2

SHA1
83d3c6b8a7805b133ee73b1e90089cb40f171ef4

SHA256
9ee866481bbb542f01d986a1be6a8fce8a69472a1706f4c3ca4a7c5675287859

SHA512
0c9c1039ed7b0029545b432e901a9caa0ef15d506e65e6c58b54e5688743bf4a0641d239e72b12e9bde88621323d69167e4b2e7bed21efa9693d3f57269ac55a

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
45KB

MD5
6f681108209c9a50c7d008e2f4d253d6

SHA1
09b0e0dfee11d5937ebe07ebafc0e3ed45e64cb2

SHA256
eed39434c8abfff6a69a3b4b40d3d25ce95970cafe14b900aa9c7bdd9c6bac55

SHA512
76b27fd07224ed31b8e299b63796d767fb7f12fcb1c97e9dc6ae4ae88a5ce966053bf75eeb2d8e97be894a67ed24d2eaa0035c678188e4d48000a2b1a2dc7377

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
45KB

MD5
46041482d6ba53e19443ab1b0e8e1e70

SHA1
a654df569d006bd25255a6aac7c2d1d794d138d4

SHA256
0e9f4300201c56b44a4ec9022f7e26f934fa48fe2d32a3fa00d76482682ed9d8

SHA512
1050e5a274841ac102949d8a2254b61eb419dbbf53c2678967f1630c1440f9fd7e74c5eaaa7e8d7e52d8bd4408938e62a35d77e677351f5385f6a1155eed0433

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
45KB

MD5
58c8f8fa9ce7f6400c63c7fdeb2faa60

SHA1
b3624a50ea1134ee2ab360659676222133b82395

SHA256
3b8656d86582f36d23ae6c2cd6a1d2fa5433644a454a39d4f19265eaafc95b10

SHA512
12a8021e194fcd50fc443115fb438dc23294438735d7c0f33578dd626c6652ba7fadbfa3a98b8673be202ad7296f3801e2e6c4181cdf8aa24bd2a9e009188d68

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
45KB

MD5
b873fe2d586187814adca34914d786e9

SHA1
f9a1aedd9afec04ee596f0976355f748e7bd141b

SHA256
8572aae6b90a4aa9ec2d7aec99032a93235128655eb0b3fcfd89d11208825832

SHA512
04951601d2b8812fcc79534b84db29effef271bd6ed0393c0829e3792548392d7e82455c6ed32edbf0df242768e90445b652cd1afeebd793ec7525c0f867057f

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
45KB

MD5
13f350b0ea16b85acd69ec781b5ad290

SHA1
978a02cb43723793c5e390164601305cdf4b5359

SHA256
f92dba5098bb3feee12cd4e5488d25298f0f3d3c9d5b91ca07b0cff7de620b24

SHA512
7267270c892ea46b2bff262b57163eb5f355c37de3a7f44643028fb4da7a5d2f72b790f67c22f90a879d744e307be61d20b790989c7fc092edda49023597d7d4

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
45KB

MD5
083013387600053da65e3551ab4fbfd8

SHA1
b2b557b42d00d015430cb6096272cd2bf772cc10

SHA256
4c517af08cd26954d351a54ee37aa127bae0625bf0a99505a670f5dd2c353189

SHA512
88021ccaea68268599a0a33a73c030b010ee5d917738943f402ae3c3bbfc77b70d561fc690cb2fe012571eecb662ede1bad2fe69786ebdc390684033621ed148

Download Submit
memory/316-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/440-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/944-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1228-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3104-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3188-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3856-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5428-1184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6072-1157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6160-1081-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads