berbew | fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7N.exe
Size

187KB
MD5

77c6debec665134e0f910b011cfb3700
SHA1

0e3400f4119a7051dfc522e5365c6a1a00d0ead3
SHA256

fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7
SHA512

c1ead83c0e32c80a085a6db8a5ab24a30b2fc3a4ed60435c8557effe9fad07cdc30a6df4635f1bc3ffab50ee0e1ad69767b2230952469f3677f57fec0962366d
SSDEEP

3072:S2aQsxf2hbqjAh6eKPB/VgtRQ2c+tlB5xpWJLM77OkeCK2+hDueHi:SBQSmqjG6p/V+tbFOLM77OLLtC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2744	Kdgljmcd.exe
4936	Liddbc32.exe
3956	Lpnlpnih.exe
4588	Lfhdlh32.exe
4488	Lmbmibhb.exe
4220	Ldleel32.exe
1820	Lenamdem.exe
4332	Llgjjnlj.exe
1348	Ldoaklml.exe
5092	Likjcbkc.exe
3968	Lljfpnjg.exe
3312	Lbdolh32.exe
1932	Lingibiq.exe
3308	Mdckfk32.exe
5016	Medgncoe.exe
2700	Mpjlklok.exe
3196	Mgddhf32.exe
1824	Mmnldp32.exe
4876	Mdhdajea.exe
3188	Meiaib32.exe
3388	Mmpijp32.exe
4344	Mdjagjco.exe
4952	Melnob32.exe
3856	Mlefklpj.exe
4668	Mcpnhfhf.exe
3420	Mnebeogl.exe
4292	Npcoakfp.exe
2532	Nljofl32.exe
2500	Npfkgjdn.exe
2920	Ncdgcf32.exe
4676	Nebdoa32.exe
448	Nphhmj32.exe
1520	Njqmepik.exe
3848	Ndfqbhia.exe
1816	Ngdmod32.exe
4992	Nnneknob.exe
2624	Ndhmhh32.exe
2708	Njefqo32.exe
2576	Oponmilc.exe
4228	Oflgep32.exe
1392	Opakbi32.exe
4928	Ogkcpbam.exe
2408	Ojjolnaq.exe
1840	Odocigqg.exe
4320	Ojllan32.exe
464	Olkhmi32.exe
1960	Ocdqjceo.exe
3808	Oqhacgdh.exe
5012	Ocgmpccl.exe
2960	Ojaelm32.exe
452	Pmoahijl.exe
1628	Pcijeb32.exe
2988	Pfhfan32.exe
3912	Pnonbk32.exe
2036	Pqmjog32.exe
4052	Pdifoehl.exe
4932	Pfjcgn32.exe
2444	Pnakhkol.exe
3816	Pdkcde32.exe
4124	Pgioqq32.exe
4444	Pjhlml32.exe
3812	Pqbdjfln.exe
1536	Pcppfaka.exe
4212	Pfolbmje.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mmnldp32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6116	5916	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2744	1644	fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7N.exe	83
PID 1644 wrote to memory of 2744	1644	fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7N.exe	83
PID 1644 wrote to memory of 2744	1644	fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7N.exe	83
PID 2744 wrote to memory of 4936	2744	Kdgljmcd.exe	84
PID 2744 wrote to memory of 4936	2744	Kdgljmcd.exe	84
PID 2744 wrote to memory of 4936	2744	Kdgljmcd.exe	84
PID 4936 wrote to memory of 3956	4936	Liddbc32.exe	85
PID 4936 wrote to memory of 3956	4936	Liddbc32.exe	85
PID 4936 wrote to memory of 3956	4936	Liddbc32.exe	85
PID 3956 wrote to memory of 4588	3956	Lpnlpnih.exe	86
PID 3956 wrote to memory of 4588	3956	Lpnlpnih.exe	86
PID 3956 wrote to memory of 4588	3956	Lpnlpnih.exe	86
PID 4588 wrote to memory of 4488	4588	Lfhdlh32.exe	87
PID 4588 wrote to memory of 4488	4588	Lfhdlh32.exe	87
PID 4588 wrote to memory of 4488	4588	Lfhdlh32.exe	87
PID 4488 wrote to memory of 4220	4488	Lmbmibhb.exe	88
PID 4488 wrote to memory of 4220	4488	Lmbmibhb.exe	88
PID 4488 wrote to memory of 4220	4488	Lmbmibhb.exe	88
PID 4220 wrote to memory of 1820	4220	Ldleel32.exe	89
PID 4220 wrote to memory of 1820	4220	Ldleel32.exe	89
PID 4220 wrote to memory of 1820	4220	Ldleel32.exe	89
PID 1820 wrote to memory of 4332	1820	Lenamdem.exe	90
PID 1820 wrote to memory of 4332	1820	Lenamdem.exe	90
PID 1820 wrote to memory of 4332	1820	Lenamdem.exe	90
PID 4332 wrote to memory of 1348	4332	Llgjjnlj.exe	91
PID 4332 wrote to memory of 1348	4332	Llgjjnlj.exe	91
PID 4332 wrote to memory of 1348	4332	Llgjjnlj.exe	91
PID 1348 wrote to memory of 5092	1348	Ldoaklml.exe	92
PID 1348 wrote to memory of 5092	1348	Ldoaklml.exe	92
PID 1348 wrote to memory of 5092	1348	Ldoaklml.exe	92
PID 5092 wrote to memory of 3968	5092	Likjcbkc.exe	93
PID 5092 wrote to memory of 3968	5092	Likjcbkc.exe	93
PID 5092 wrote to memory of 3968	5092	Likjcbkc.exe	93
PID 3968 wrote to memory of 3312	3968	Lljfpnjg.exe	94
PID 3968 wrote to memory of 3312	3968	Lljfpnjg.exe	94
PID 3968 wrote to memory of 3312	3968	Lljfpnjg.exe	94
PID 3312 wrote to memory of 1932	3312	Lbdolh32.exe	95
PID 3312 wrote to memory of 1932	3312	Lbdolh32.exe	95
PID 3312 wrote to memory of 1932	3312	Lbdolh32.exe	95
PID 1932 wrote to memory of 3308	1932	Lingibiq.exe	96
PID 1932 wrote to memory of 3308	1932	Lingibiq.exe	96
PID 1932 wrote to memory of 3308	1932	Lingibiq.exe	96
PID 3308 wrote to memory of 5016	3308	Mdckfk32.exe	97
PID 3308 wrote to memory of 5016	3308	Mdckfk32.exe	97
PID 3308 wrote to memory of 5016	3308	Mdckfk32.exe	97
PID 5016 wrote to memory of 2700	5016	Medgncoe.exe	98
PID 5016 wrote to memory of 2700	5016	Medgncoe.exe	98
PID 5016 wrote to memory of 2700	5016	Medgncoe.exe	98
PID 2700 wrote to memory of 3196	2700	Mpjlklok.exe	99
PID 2700 wrote to memory of 3196	2700	Mpjlklok.exe	99
PID 2700 wrote to memory of 3196	2700	Mpjlklok.exe	99
PID 3196 wrote to memory of 1824	3196	Mgddhf32.exe	100
PID 3196 wrote to memory of 1824	3196	Mgddhf32.exe	100
PID 3196 wrote to memory of 1824	3196	Mgddhf32.exe	100
PID 1824 wrote to memory of 4876	1824	Mmnldp32.exe	101
PID 1824 wrote to memory of 4876	1824	Mmnldp32.exe	101
PID 1824 wrote to memory of 4876	1824	Mmnldp32.exe	101
PID 4876 wrote to memory of 3188	4876	Mdhdajea.exe	102
PID 4876 wrote to memory of 3188	4876	Mdhdajea.exe	102
PID 4876 wrote to memory of 3188	4876	Mdhdajea.exe	102
PID 3188 wrote to memory of 3388	3188	Meiaib32.exe	103
PID 3188 wrote to memory of 3388	3188	Meiaib32.exe	103
PID 3188 wrote to memory of 3388	3188	Meiaib32.exe	103
PID 3388 wrote to memory of 4344	3388	Mmpijp32.exe	104

C:\Users\Admin\AppData\Local\Temp\fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7N.exe
"C:\Users\Admin\AppData\Local\Temp\fecb363a06930c1818b00e636b3d7488e0172725686e4ec7b03fe8ef58dd2ca7N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\Kdgljmcd.exe
  C:\Windows\system32\Kdgljmcd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\Liddbc32.exe
    C:\Windows\system32\Liddbc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SysWOW64\Lpnlpnih.exe
      C:\Windows\system32\Lpnlpnih.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        23⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        33⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        37⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        54⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        55⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        60⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        63⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        68⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3092
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        73⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5008
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        77⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        78⤵
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        81⤵
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        83⤵
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        84⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        89⤵
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        90⤵
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        91⤵
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        98⤵
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3732
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        101⤵
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        102⤵
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        107⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        109⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        112⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        113⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        115⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        117⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        118⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        121⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        122⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        125⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        128⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        130⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        138⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        140⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 424
        141⤵
        Program crash
        
        PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5916 -ip 5916
1⤵
PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
187KB

MD5
45a61497448a3c1d69149a05f2b3c7fa

SHA1
cd0bcd79de9a80d5070ee23ec0e3b134fd287e6b

SHA256
7a0d5efb280170170243162eed76107c65c865c91cfa2dd5d4b344d01cb9a8ea

SHA512
244947c01aa41057060f89eb5491b84b77c7f50e2eb28ba6e22e7e17927da0acaff6db689a017dc7bd90adb2df068c17c58ba513895416667ba0c670bf15642d

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
187KB

MD5
680d86bf01f91aca34b6b032ee7d70c4

SHA1
d51c54daa0d4b207dfe27351f8a07fecd23d3d10

SHA256
7aa00db437a34518dc86b51a44d6b7bdd1c7c9779210efad124e6c6d0712e5e2

SHA512
26d4542482b070eb31c224b9a8f063cc6427e865f12e801e5ff5dd5f63d557c691910c47c7e11a04b7ef7711bece60f58b7a55240bf319764b1ea6de75f073cf

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
187KB

MD5
63c6e58b486de3ce431672573f4c3cf5

SHA1
2617a22f4294bdd8d4f35b17f7e3706ff714bb0d

SHA256
bf3bfe8fc487a8b5beab5d140726e8ad19e1afec83d1c39c00eaeb48b9ef2073

SHA512
f16cc1922a6676cc1a0efe5f50db95601b1212c183e0de6105d9403419c00f20609190522117f527ee00beb7985e0c7b97c67d1bab38690e8d61473cf3b99833

Download Submit
C:\Windows\SysWOW64\Allebf32.dll

Filesize
7KB

MD5
ba6079879e5472f74ea29a96c98db0fc

SHA1
1c609e328379e7b19ae46f964800fc0287943ce4

SHA256
3df56f8c42f726aac409daed76a643cef5f951581f95d02cc0c5a7a0274bd352

SHA512
c3e4e3f802c32a1e55992199330cb7beeff0bf4f0730d92040291acd31a0adb868709ce61cc63dcbca3ebf4fe15b80954067f3f8d16506deaacba264ab2ade6e

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
187KB

MD5
89f146947e5d7ddd9250929d869b6828

SHA1
ecdef744e7a0f0a1f264498b5baa29fb2166d5fd

SHA256
a0ff8995dc7e934f9b5c5b1b4845883b0a6126ae6465857f909eaf13d1c5ff10

SHA512
fc102a1257e6f0f04808c18ffce85d5576390cababfb4316a22f6604d86d56b289072fb60ba400b2ae5566d031caf10758fdbb43f67d230121be50ee49a31b62

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
187KB

MD5
345a340fe798d3670c8cd747442a6290

SHA1
f50e39a6d2f3c99f6febda00f90e16a2acdd6262

SHA256
a7f618d9f997d2a08f81b0201d90406a0b84f201d5c4ff78ab769707e66ed2c6

SHA512
cafcec33df7d28ede2dee790fea7f704523e03053847f8a2a131cfdacdfff2ceae5f84a6d47f931d45eb3afe78a844fb0be8de7224e0b959fce6a38727ae3212

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
187KB

MD5
64dd568c7f7f74cfb1c5f8c37a52fd65

SHA1
20c2c16d9dd171f9135d361dc9e49de8a879560d

SHA256
06340ed0829992af361ce01c14b588ca8c5cd2f2ded018339b65d441a4ce0876

SHA512
9eb706a1126053dc879acc9aa74c1f684cde4be265cb66b56a77db2913998d0aaee3e8684a4ba7b5cc80645eadd81e817e5e4080d53faf4627a318f23601749c

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
187KB

MD5
4cf6a2b1783816cfe777a5e566e8561c

SHA1
5f77357894dd0fcb9043862906ca78a01943c8c6

SHA256
e6614bbbd887725fced74b68c9c644de5fe908b582292b9be1184b893572eef5

SHA512
3afe0891c4340540b658f265d8c5fde682f8453858df68cce81716a0d560c862d873cc670cf4de90a58389ed20e8d26e12b0098fe1938fba9ee59a61e9688606

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
187KB

MD5
dab66bcd065238d8f162d3be218a081e

SHA1
1fb346e7a5c719a898490dbf2bfaab528d9e1f7b

SHA256
191404c66823c5e91616326a386d5a483f769e8da1989a2c1e2d67bbdfaa4606

SHA512
d17797c72bc8721149cc73c29c4dfa5a3c001deef3926bccbb275d6118dd0fec8e2145fb72105dc98f195a010158025432c2760d76a6ec23583d20263e6a7572

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
187KB

MD5
3ba674bd11a9599846a178cffcf8a8d7

SHA1
1b990f684bd41715f41a323464aa88e1443985d1

SHA256
3b6a80a52d82cc4c74c8360cfdae312199313d9fe4871bc3e2a0f28cdfe4cd18

SHA512
a0389ca0578154b5cf26081dc9294d76aea17922151c0df38112c1c080a7ba3d9b8b3034d4e83df74e024469c412d0743de6ebf48a3c51d2abcdce34af402137

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
187KB

MD5
b4a1f0d6c31cd073f9486e0707817b1d

SHA1
f5f0409d396af7135b54b10a8968e5545d43cd30

SHA256
d721145b87d5c8713987799e47e4e8ee4b9ab2e220b6c8397566533835b5bf85

SHA512
f47100b076d3c150dab01414496f7dbfa8f20a1d55f8f9c19c813db6eac38a1c1c6878f832caddc99a357237f53f83e70ea221466d28b92e27e7b952a3d99e96

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
187KB

MD5
22335d0ec531561f31ad930fd88e37cc

SHA1
86391dd4f82c5dfdbc7fd437f446cc4de60e1d9a

SHA256
1188fd56af350af6ac38fa33652d507b3bc4ac9db70749b533f1b506463ccaf3

SHA512
c46467f5de8a4c39ee42947dc22a9d6654a33dc2d2082e27fa661cf39dc6ff6a4738e23f05199f76ea6ceb74300029c9a7c422278f9315d0cfb63fc034ad0c0a

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
187KB

MD5
70d5515d1d838472c357f236a83eb22f

SHA1
21953d460c9d695c36d4400cdeae08424bd967f5

SHA256
cccc22333021175e28f3071b97ec0b1fa18bb9001954f79e1ef22c93dcaf4907

SHA512
e90119d6edb6deffb28988942c48f6c1099fa4c53994a690973a01de809eb1da4885e827b25d4afaf4d239070bd99212f91ce4720727ee6e084b4d786a79f5e9

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
187KB

MD5
8656367b8b5a5ede6acbd7e8b3046ae6

SHA1
df02514d12a0041d8eb3a275c7c4a09d9bcdcb17

SHA256
6037ccb0642a2e6934959d70680c2e55590344c3c615bad8a762717cfc34feff

SHA512
1b2201fcbf931fd492df1065cf88b93792f4b05249c65e10f6f684e0b7d9affdf641bf341fd1e3904464af2cc916ff9e95ad7a4fc75199cfbe2fcf88c87a2611

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
187KB

MD5
93f8b41258c5d43cd28f842e80516412

SHA1
1a382b1f902a1ed0472956490d148e1ce273ca47

SHA256
93789796f1fdf84e462c7b680b1898c85596292b8b3a1360c6c774b0304ab313

SHA512
c6f68dfe3d6a0311498da7d44512a5f049304081dce05bfb8d3d10702a09804b246412624645f2919160a121afdf7d0d6dfbb9032d2d70deb18e6db8c97ee2d4

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
187KB

MD5
10dbcd929e1bb3abf99c90e71cb8dcb3

SHA1
e4bc97e17f2330611511217856e1941455ccb943

SHA256
e765edeada2b70fad009313e8961c37e71393f62327748d2cfc4982435d5677b

SHA512
a47e38a82017fc20f4aa0557d779d7ac364fe11657a26832526870b7b57dd2803d05c87ed7758c9ed36e5e558035abefddfb7ccbc9e042518b1992184810b9d2

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
187KB

MD5
2147e7a2142319db1d3750018272fdcf

SHA1
89f2357e93daab1d3bea0ff6e5ef4c4f78662aa3

SHA256
26157bd7b99e1c1690ed3957eb433ceceae169f057e6ae272eca58131c12fda9

SHA512
0615e20e40b3812d5ae363e266a2f574f153652cf91bac6efbedba5220d42a988213c9f6df48b231ad338f0e7cf981ca233dfad0ed2aa88bf6ef135bd8418281

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
187KB

MD5
efb2a827be58465999cd4a7cce715d47

SHA1
563b34ab0727c2704cc849369b3a765964b432bc

SHA256
781768ef0338eb3d0f674384087e9304e69edc301689863d8bb82b11d1cd5bc0

SHA512
6ea53f925b4d03e4d88db309c9452491f578ed5f381159c99f54cf7876c0665c158f90f75faa77c7b3ec1c0a30eaf5ef13c8f57962bab8d218380675d0f0c70a

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
187KB

MD5
479b64c44e138b050bda50a1a44374fd

SHA1
51bce5d9de728a49afaada16db7bfc14aafd7466

SHA256
1f4ecaf9f356ccf1ae3ad73a3ddcec66fdf80e7a4414da19734ad2132b9de33c

SHA512
6865da1c972eb3faaf837818ddf63d9522d6eeff6f103cf7e406791742e4a5e2e2dd2530ac27d3c563b52b2cf0531bbd49f896f57806d4d71c04e43a74723298

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
187KB

MD5
605ececacd9ca7a1cdfa16fcf69e87bc

SHA1
2a6a366475dd34e72ef8ac6c946aebf5271db4be

SHA256
a0a8e83752ad0d6cc7721120cc416aff4c7f34c2e203e05c221299a1887b185d

SHA512
22700a40441e198e36d8152991601d764253aea2d7d17ead4f1f22e7f211e197c05ff2255644b40fadc029e31927ecae4af17633d42a5d09945743126e9978ba

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
187KB

MD5
09b1457fa07bbb08f13351de851a3d6a

SHA1
4b98d2faef50dc830fddb764a4ea4cd50bdc6f04

SHA256
17ab32df6d51a6eed3c7a2b0816ab2cf0b7b18d5158eee7e9d8fdd252978ea1c

SHA512
bc19dd57bb425bfa478bb78e7f0b70a87623eeb1614d3b0133966cb1d386793e1bc2ed0c1b57a740fff033ba399984f42acc312f1b6db4e73e21792a4bf972b3

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
187KB

MD5
ed394c2e5db9630749fc4a77596e03ad

SHA1
cfbcb1909c71ef429d3762eff99c7b62768a8d94

SHA256
940eea138ffdcf7232ab195e7922fe3977794fa99640181ac5a3b4bd98206fcf

SHA512
087d2529c4223003057a37236f15bcdc574f26cf1a7c7a3dc56ddc8ff9adc9765ec98fa872dca31eb88c8c6f8e48c2eaba7a0c20fc982cb163e7b65346fe17d6

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
187KB

MD5
59fd55d1ce7f713ab4f4b4b23f9887a3

SHA1
b46228d15df229882fdfff072cbe0b49c967b837

SHA256
3cbad0de1ee58b59eb40006d9d061a4686135e381c078bcba92d647dbfeca65d

SHA512
4087c17bdb9ecfaf286c252bd776d528922d76561426f27f31ca5e6f7d4e92ec802683f3b09cdfa022cf19bf065651d88fe863a9000b9ee6b2d8731ead924ec4

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
187KB

MD5
f586da2f13aa8346cfe8626534e53844

SHA1
5dc7cd94cfcce0793f03422c6bd7f5267f203d9a

SHA256
1aa673d9734f9338f9f20ccf8b58b2899402021285f9739b113112a828c2cfbc

SHA512
872165879e71b82cd0f2054e4d85add06dadcf9bcc5e1214ea1d4bcabea1d955c44e93feeecbca892d2bb8075eb25084d465a44841402f500479a2443c68aeb1

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
187KB

MD5
0fd513ee081d25fcf44a814b45f1f7ed

SHA1
d8f9222122700aa9601621598ee071ce4ae0ac4e

SHA256
af01d247cf23b9ad887897e2fa99952952778c516ccbad114d21da529c2fcf43

SHA512
8b8d63c47c1b7418ac199780f5e21138c29411d448121c5da93ab52d7347545cfdc5638bcb66b3fab2664a5c38a855bdecdcee723dc08f410541f468ebc4de84

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
187KB

MD5
bff82072d731669e9e0326209b514bda

SHA1
a027c0c8a00a644033e885fce57113c7b40ecb55

SHA256
5bd49fd40ee246f5437cc45a47d1aab5935ae91d4c3ff642988424b493725ed9

SHA512
0f400fd243a02a2f0b8c257b5eaa62239cbb8915f3a0cfc9f7a8ddd6ac84a0cfb8467f43a6d09640bcf0a73e4ac4d85e24edbf1912a2a84edea947aaaba9edd9

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
187KB

MD5
ba8b09c14db4604c208da73b6ce9a023

SHA1
2c309f7b245a66a8c2f4d73617c92fbc73886685

SHA256
cd23b99ce77236679767f45ac9314f79bf0e52a3dbe930153e33c248e78617ac

SHA512
af9928e916713c42ddff719ba923bc3142b360d574fea6f80c012ae8b5cc29dbc22d04698e6a586b3ed5792023bf264f2ca0d615bac182a46bd848fcc6427bd1

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
187KB

MD5
8ab6186d7920df32ea75026cd40869c6

SHA1
c80779c8f3a55c5dc75cdbbecdf52b76b3ad6bcd

SHA256
2f8e5211d6c32c4cf8ec09b6871b0e6d5cb132a1f581a4ebbfbcac673015c2b6

SHA512
a9f7448bdc42130216ac9878d4ee5857f868554eadf817801a144b4955c71561441997823fe2cb813cdbd03595f9e6a234a84912cece46b8e2c7a051641dbdda

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
187KB

MD5
9b630f41a1d9781f1fb257aaf3e5ca88

SHA1
260ee2eb5a51d9b12fafbfd3157a203be7d5cd36

SHA256
7baa6e63c2ccd0572373612efc1d46ec65d25734f9f6654475ac87b7b35ad617

SHA512
23938b21ceea8690a617d2c8660d35c84371a6355dfc1605cc3519a6288214127547dcf39a675630479034ebc53550ff63f562a5d3b524941e01b37913ff7665

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
187KB

MD5
43fa2253110290e00e04f835171d9dae

SHA1
c1647edca725175fe0c1b2c314e4634df58abe05

SHA256
99b7fc895e0784fb83da8be72d53565dcbf2fb59384792e1287f5132f450774b

SHA512
7a21cc2c4ef874ff674debbc9fe3949bd15a07872fef15902cc19f12664be51b60292c216e933631ef8a81861a5c4601cfd8fa589d746d00f939e09b55ed0c46

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
187KB

MD5
965651d364684082827726f1f405b4d9

SHA1
69dc7428659606e479b3a9ea1ba7dd08423fe4d0

SHA256
2412bd72c35e327f354051556fe17056fc0594d2f7e2c4a92429ccbea6379dd9

SHA512
b1adcfec347e687eec697c4e0f3fc238a3b86681f0b5cdfd6835b0845e0e87b625a94a0b2486a53e724472441a1ca42ad05a30e058492a0a771761fb87b33130

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
187KB

MD5
770fdf91f1ca89291815da88732fa522

SHA1
51f88069e842bf8a0d0c94cd2cd83e60def4bdc6

SHA256
466380c25a423de28f43710a62db69038b4a882feed6225f11a6bcf6eff803b1

SHA512
610031f4e6a07e9ccee2067f5492613cf6d159f595382980f58abd29384d7880d9fbc8e4de99b37458a6bfacab53f1b81c5a36d5bcc71070686a8ba66b3745f9

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
187KB

MD5
4e38f1376f6fc99bedf0c80971792ca1

SHA1
e3dcbedde0da7c15e4b894533bdb1710d71a53d4

SHA256
a19258155b39000ff14df18c511906b31b0736f5fd35cbc6d745508c2e7733b8

SHA512
2b4a589cefda54fafbfda961489d36adc0add8e06a0450f8b2bb4eed3e93075e17759e47eb9782b9675d12c2584fa009455d122e25c40c4949a053538449a833

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
187KB

MD5
113a33b697d4bca1036fb144326b97ec

SHA1
45a8235a4df24ef2a5d81e6adbc25455b833d47c

SHA256
9ac955de4cacad6732fc6617e15974e73f408cffb6b56df88ef388825493194f

SHA512
17a3fc1d615e37526034e92d754e8186d2312ee323c5c1ba8e9727a8cd12e590b069714ad15ab310a3c8ebeff33ceced79ba66ab07f88a26e025c6148abffae3

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
187KB

MD5
de3445cfda2b172c761b55c69291ac6a

SHA1
cab0290d6df07c34834d6f2cf21c2245b1cfb8b1

SHA256
f6e31b0e3659464c41147a76c2b015ec43394ae0d96840c89c08070a672a9ae9

SHA512
955d871ebc227e3a3756655f6980b50223b0bb338d0cd259f88d76a3248b669b0e45ef6fd201df406d2a57c25905689d5ebeab7278f487073867a8863fe9eea8

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
187KB

MD5
5ae1dfa56c26c53d2862a186269492c9

SHA1
fe049dde22fef133f50d1b6295e61895e458246d

SHA256
cef5e9089f0a5d0871f5bf4de94219a3e6c7012f88a97c56e73d2296e8c02398

SHA512
ff39fcc4659101e971cdef49ba4918a203db4e8599439b5979475e2cc67068a1869e3163d4fbbd0647a8e56a465386bf9dd7a95287b0ae67069798a32fc6da58

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
187KB

MD5
3024f70539af4d0c92b3269a6ed114b0

SHA1
1c006e685f4320dceec75f167258dabb90e27c7d

SHA256
f731d139d92536e66c5ad9184b7764a242712ea2b76b2c5f6394833d57d855a7

SHA512
06a5a7c4d61876fc8d661853d977aaaff9663e39537b428616c417c18cf46ca343e1de306d634409f86d4b9b95e90f3d2cbde64dea2a264ce148b6e30e882139

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
187KB

MD5
a46e55d2afaebe5aeea34cf6d8a259d9

SHA1
eada50c9dbbee1b69ff89af76e41d0c330126f75

SHA256
1929e85851d4faa788216a3ed023aa76859568cb87f62687bedaadd2530dd5be

SHA512
2f56cca858af922866fb97eb392e072057c1315741fadae523b91c01bbed971f6a2f4df1e725741ca03924c8878fbab4ad11c12616feaba4f1c7c832011989f8

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
187KB

MD5
57f0292ac180d015e0ef679d1acbd644

SHA1
f93e2f86ee8afb1c8e90a383620d51fd40d54d25

SHA256
7d3e3b61576d13ab8da5b89e5a72468675807593528326043c8f67a03c28de0d

SHA512
d6735fd973a059d1cd3ab127a4003eb09f783b096d99d56a73f8bc315d91d12392fc3b42a090116174288bf6833a6d2ea9637098a6c54960f810a341562d1f35

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
187KB

MD5
fcf8959301794216eba035ad593f2af7

SHA1
912cb4944d9ea052bc096d52cdce7f68300d0dbe

SHA256
09fdf85ff5ed12312be6f0c2174fa010afdcedf31d5477763612ebf04ff4d26b

SHA512
0e4cd6c38d04c1afba60a700925c1e26f755afc5f47905635853ba9d2e15254df1f4eb4f72d1c4fdd59b1488459e1197e63fe0df6b148b27f4bfaf483194c4e2

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
187KB

MD5
bd3fa7aac42ea6ff0fae37d32a0d47de

SHA1
f74732d5a6655e45fca4a8cbeecbbda6065725f0

SHA256
dc55c07ae3d95c555527da589a43215226cc0d5f3f32b494429b72135ccf22f6

SHA512
8657f2ab514e93a80db585cb8aea0dab884b92ff57f18a0d20e9f6d3e6c9bfee497853cf8ef3419ae5e26d672d146c0c3e086082b0d3f4787c9cf6b2df15a7a7

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
187KB

MD5
2e22c880828b2efcd7000b2bddbb82e9

SHA1
bb61fc3e3f60b6b9c5cb484a075f3bf0c49148e4

SHA256
86e310618a7d34066523fec2074ddac10dc53c27b52e058f5bad97287165c8f9

SHA512
52dffe1e5eb5e65f83c7dbefdad1108d805a40f543512e3c53aa6c37949c5b22b0bef865cb0460cf7bf583ae18a1ec47839437f58ab1eb774e50241c57550a69

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
187KB

MD5
1a32fb2a3cea508dbd75077251752d8e

SHA1
db8948f750080fb89d85c355ab5fb5bce16ed079

SHA256
4eabbdd9e844e093f51e021f002b6ec2b4a68b59468b03a57f497d3c98949f89

SHA512
7a7518ff612c1b46d6fa5d676ae2b8eb22e1ef3c9b44f344fe6a918243e6a4f0a76dad3e37dace4b496451ca771a6282109282e54b6e3807f348c69ba0f83b8d

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
187KB

MD5
acfa84d61d2394e81572a9ec987e7b87

SHA1
6e3dc7f5242e2c3e74e6b05cc70ef533c833ddd0

SHA256
29fde3dd7970ff08f078778e000cbca60a617457c8aef30517c6ee2d5f08f972

SHA512
3d622de4f2fd5173a1e329f30a5fcfc3c24b2048f3122d774bbcd3bf349887b0037c49715731c1e6e44108e3ea9e4e55a8f16e5099b98fb227d7e269f4052998

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
187KB

MD5
5ea20fb62f462231701dae28eb48b4f9

SHA1
b4d6dbfe57e562865688b42eeb37a35ff3c60691

SHA256
ef5d43bbafce0e4a968bcbb81b234356b00e14fab6a8e65a90a1cfd0545d7db0

SHA512
31fdbb9fa13b7b79d0f1e9fd0bfed2be2f24515a3044d555fd3f6aaee292332bf59290a831df301cf4798b1537ea843d669accd9f0fef4353fbf232bc9e10d27

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
187KB

MD5
d97d4af6f1583b333f07c91511a60528

SHA1
60be20764b265ceeab6340e6be6bb4c86c8e6c7b

SHA256
d007c3e8e4284ee6da99feb22b30cf1eedcecc8d8c2cbbc3a86d9e0ca30c5556

SHA512
738aad0123837021f0e9a13044667d70c118224d58cfdea3a6a4626b2f1acd2dbae5fb5f3998ced1cd6509b2fe44a54f69b07f77483f02df24258a2dcd5c6908

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
187KB

MD5
63e9bc0e251d8274eeb61b438263a7f2

SHA1
256bb0a90c22d8653d552fd8e988a40f0532b21b

SHA256
ecee11803aa69dbd30e871ab5e1044abd9996b672760e462b0f322b20c3dd47d

SHA512
e663a44e5c867b6b4b4e9bb6868041d5a4d26a0dc2c10b8f5b2a1b45cf377b6e36dbf1467c42c99542de570e3cbc8d3024b6e14cb02c55f9252a7061374884d4

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
187KB

MD5
29b8d958119d122885553c754b53fb6f

SHA1
e21e4302575cb97e38361e09687798bc3eb69a95

SHA256
e5f67ac18a8dc57084ced9d94bb6bee1c1a8f9744ba8b905f77d13ccbe8531b5

SHA512
7c02df007ada730445ebf3d5ead9a0632edc4f2bd26080450534bb3bf06b65785001355f4c6b22a8f88ed533ee09335bfb114ae16796d8f56cb9a1dbdf44da5c

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
187KB

MD5
0dbdb17f2113d04e8cd41561906b65d6

SHA1
aedbc1521dcd37959fb3e8a838e1ea66869d0229

SHA256
3d63dd1d79f7c91edbcced18ab56cc19bbd4184bd5fc63ef0bdb92921e9c7047

SHA512
87fa287279783f56242cf6f1ebe5245312e48ede8bafe056ae13c96859a2e3a85cb47bfa5398ecaa253ed2d926123da3a5ea4eaaab823694b4195cbdad268a81

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
187KB

MD5
3328e975f5b49fd0ab2d1eccf46f4cdd

SHA1
20a8250504155d80c244d2a8b7a0ddcb64585136

SHA256
cd8b5b7435f2eaf07e48d4410edb506afb7a2f5cbc21bb86fc24be6572ef1991

SHA512
001a1ff461f7c89bb70b62473a28e90bc2ec0e86458e2122cf29cd6fcae52b1dee5f6f04b0a50ee2141973f9fb25a9f96f70d0c227e8fd59c25d622753653044

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
187KB

MD5
3c1ce956409411061b838e32b33c37bf

SHA1
d6e9d61334f4677ed923389ee45fddddc9abebb6

SHA256
7577350c8389d016ca0c79b3c01bde6e3e401ca00f13ce7ba7d84148223be8f0

SHA512
66b47ba30b877fbeb34a496ba30f187fd0098c6507c563831b8ccacfa83f45d27758c2ff04a6fec861dbab9799ee3c946324c2d30240146c8911202c1aa21f1a

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
187KB

MD5
1c4f3e69f7f151517faed48841efa3a4

SHA1
f1c72d628f1deb5f51354b5ea4e32f2586257bda

SHA256
c9e456ca3c197233d12f9b3cfaff079ad084ec419783e54685720b0e8f509d26

SHA512
6a5c4df8699dbdf7dfb9d36220a494fb7f0aac99f247f89ce37480928239c7cbd39762b08fa1c3bebe14ad799c35ccc82c193e8cb78c0a5e96b329217b998db3

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
187KB

MD5
5d470c792f3723719c70eb7df30a1025

SHA1
4ccfb6be58ac640ff3c2f630466399252cb710ef

SHA256
bf1d6666efa34b647774a909773f957a97eadb343bb876e7eb70d95b14e51f46

SHA512
6c9d2c0d77217050452c009de812c0fd7f9ffcb9e8c2ddb5ea7c6d2d33b01e75bf91f71e53ccf81770478f052adae7b25b85f7c983f0bdf48d4da95e21c27b23

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
187KB

MD5
275554dcfa59b259b23b1f50f7adaeb7

SHA1
eafb799e1e0ef4045bae5063a5c0ed56498fd2c5

SHA256
f9bde2895fbcfb6cf53a482419dfdc742280bf0c1788ca24ba99b19850a5eab0

SHA512
d4635b762c5674998baa28d915368ec5809f8d16375b2dccc01c156394f9e9df301a14f25f68a34531ef4544c18cc014797021b2d135e4a4e8ce0cf2e54f61a2

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
187KB

MD5
2f1664ac1bf2208cbf8161586080cf5e

SHA1
3cea945dabb23948e30c5c4765540d0d94504efd

SHA256
4f2c6cc8100f6ef146c210af8238ff34d031a068554c8a10bcbd03826fc7be7d

SHA512
97d8e0307265a6fd24044b0498911d8d5d4ef3d68d4f8fcff3be18f3bfbbc476c5fa8faf1fe6b6bf35aac42ac4518a8b1b032b3a7973d674ce5f5d807ea7a6e1

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
187KB

MD5
25a52bbb926b877c2e5f7661055d9393

SHA1
53a9e8fc473702c31e8c6896e92896d23401f21e

SHA256
ab4e44e299a3f2bd71979fa3af59344e86ce1b7c37fb1aa64a28428f603fb9bf

SHA512
5663d37721cb0be6eeba74a93eb8080e18f0e10323db9662d9a2c0477c9c66f47cc8ba4f4e4ddf6e8de2dc7630b04c295e11ad3bdec7f2a6e91064273d316ab7

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
187KB

MD5
14d98eca105f3692c2a5b045cb63c193

SHA1
33b6e5b302eb8c34e18115eb9fcf375a82fe17ec

SHA256
03b1c2021e91b791126acf715fc1267470c43e00ad344cece2ce61b9ed322e36

SHA512
bdc95a3782d4f4a5a87d1d626138b976e53d89b7bb99aefeb543f374bb8c85304a54eb8c76d0814ffdd8ac849c91ad75dc8904e0afff3ada98ea467c17aa78d2

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
187KB

MD5
7fcb94e48686564a41cebf1a45522fe2

SHA1
03196ffea0c1e518d6d3764c79ce56591cf1d272

SHA256
3f5dc5526af91d8a239c92c19e91a21bcd5ad5557b136c9d34849f7927d13a27

SHA512
efeec5c9c00fc3354220a51577fbd975ca59f13df731aa202d17e4a69a2e908bc63929853d178ddf245f2896e8fba167e1f2ef4800ee5a6df66295918c01880b

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
187KB

MD5
abdbd5702931a5e274523e95ce2df80d

SHA1
7a2987cdd029e97695c91035be63b5aa3983dc72

SHA256
b58ec5fbe897942f54cb692797635cf141c8955648d91e50c03068822a33bffd

SHA512
7bd8a5a19fea92e94792046e641b15d04ad59a82d600339835223bb5e746053448cc851d652415ad65d3f3251951ccb121cdc86b75497251f8e20c909ccbb1f8

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
187KB

MD5
290eed2822370a2aa9b724aa67608694

SHA1
6d19d1d2c444abfe5f33797e648afde799bc4be9

SHA256
56083e86fc61ed12b313214c520a57b38d2c0371fcaf15fff27f0a06c764ab7c

SHA512
2691b1c75af33ae45907e96b55b26b92011aa8f52a7055dd2b878aaf30fe94e62bda1c74d9dde692e9224565af9a2d574495e33b4a969859a415dd8662d1c4b0

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
187KB

MD5
f1066483db1dac1bbb7e3de2e9b8c6d5

SHA1
672b7559f5d989961a3ee2d8413cace1b3c4c48b

SHA256
41aac4185ade516f586c96485ecd5da827ca861d024f740494df488e1204c87c

SHA512
0617e1dc5f9e5555eee54a608c4504aa309532ca1b96fef982b031d89c7a76cff45a41a3f44d50f7cec2bd0c260e5bdc17c7c4d721b658d7de74a933838a8d4f

Download Submit
memory/448-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-1058-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3812-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-1049-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-1057-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-1021-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6096-982-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads