berbew | 2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab

Analysis

max time kernel
95s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab.exe
Size

95KB
MD5

5b992b4d7bfd894d555adf406c7f22ef
SHA1

d329cf6a54e703a2cce802c894445eb9ff3bc988
SHA256

2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab
SHA512

96dd050507d90b9c07a6eea34b8cf2b3e1ec333a267e7f142f40523ef3369b92adcf9d2ab7afb2fbfd8237a9c99920bf9962fbf85e8e6d48847557eec6f380ca
SSDEEP

1536:8QS7bnTBxNjqZI34GTuN7b0UG5xEK60lI/58vgwIRQrHzRVRoRch1dROrwpOudR+:PSLRjqNGTbEK6GIyvYe7zTWM1dQrTOwT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2256	Lfhdlh32.exe
1972	Lmbmibhb.exe
2576	Lpqiemge.exe
2712	Lfkaag32.exe
4616	Lenamdem.exe
2876	Llgjjnlj.exe
3048	Lbabgh32.exe
1984	Lepncd32.exe
4800	Lljfpnjg.exe
4824	Lbdolh32.exe
3152	Lebkhc32.exe
3704	Lphoelqn.exe
4048	Mbfkbhpa.exe
4832	Mipcob32.exe
4024	Mlopkm32.exe
1392	Mchhggno.exe
4768	Meiaib32.exe
2824	Mdjagjco.exe
4752	Melnob32.exe
4376	Mlefklpj.exe
4796	Mgkjhe32.exe
5116	Mnebeogl.exe
396	Ndokbi32.exe
2888	Nilcjp32.exe
1848	Nngokoej.exe
3056	Ngpccdlj.exe
4120	Nnjlpo32.exe
2092	Ndcdmikd.exe
208	Ncfdie32.exe
5028	Neeqea32.exe
4912	Ndfqbhia.exe
540	Njciko32.exe
4512	Npmagine.exe
4212	Nckndeni.exe
4704	Olcbmj32.exe
1228	Oflgep32.exe
3428	Olfobjbg.exe
4944	Opakbi32.exe
1932	Ogkcpbam.exe
3476	Oneklm32.exe
4180	Odocigqg.exe
2656	Ofqpqo32.exe
3268	Onhhamgg.exe
2140	Oqfdnhfk.exe
3552	Ogpmjb32.exe
4044	Onjegled.exe
4984	Oqhacgdh.exe
4680	Ocgmpccl.exe
216	Ojaelm32.exe
3712	Pdfjifjo.exe
860	Pgefeajb.exe
632	Pdifoehl.exe
688	Pfjcgn32.exe
4892	Pjeoglgc.exe
4100	Pqpgdfnp.exe
3708	Pdkcde32.exe
2720	Pgioqq32.exe
4396	Pncgmkmj.exe
1308	Pmfhig32.exe
2192	Pdmpje32.exe
4988	Pcppfaka.exe
2832	Pfolbmje.exe
1460	Pjjhbl32.exe
4620	Pmidog32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5336	6060	WerFault.exe	233

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2256	2396	2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab.exe	82
PID 2396 wrote to memory of 2256	2396	2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab.exe	82
PID 2396 wrote to memory of 2256	2396	2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab.exe	82
PID 2256 wrote to memory of 1972	2256	Lfhdlh32.exe	83
PID 2256 wrote to memory of 1972	2256	Lfhdlh32.exe	83
PID 2256 wrote to memory of 1972	2256	Lfhdlh32.exe	83
PID 1972 wrote to memory of 2576	1972	Lmbmibhb.exe	84
PID 1972 wrote to memory of 2576	1972	Lmbmibhb.exe	84
PID 1972 wrote to memory of 2576	1972	Lmbmibhb.exe	84
PID 2576 wrote to memory of 2712	2576	Lpqiemge.exe	85
PID 2576 wrote to memory of 2712	2576	Lpqiemge.exe	85
PID 2576 wrote to memory of 2712	2576	Lpqiemge.exe	85
PID 2712 wrote to memory of 4616	2712	Lfkaag32.exe	86
PID 2712 wrote to memory of 4616	2712	Lfkaag32.exe	86
PID 2712 wrote to memory of 4616	2712	Lfkaag32.exe	86
PID 4616 wrote to memory of 2876	4616	Lenamdem.exe	87
PID 4616 wrote to memory of 2876	4616	Lenamdem.exe	87
PID 4616 wrote to memory of 2876	4616	Lenamdem.exe	87
PID 2876 wrote to memory of 3048	2876	Llgjjnlj.exe	88
PID 2876 wrote to memory of 3048	2876	Llgjjnlj.exe	88
PID 2876 wrote to memory of 3048	2876	Llgjjnlj.exe	88
PID 3048 wrote to memory of 1984	3048	Lbabgh32.exe	89
PID 3048 wrote to memory of 1984	3048	Lbabgh32.exe	89
PID 3048 wrote to memory of 1984	3048	Lbabgh32.exe	89
PID 1984 wrote to memory of 4800	1984	Lepncd32.exe	90
PID 1984 wrote to memory of 4800	1984	Lepncd32.exe	90
PID 1984 wrote to memory of 4800	1984	Lepncd32.exe	90
PID 4800 wrote to memory of 4824	4800	Lljfpnjg.exe	91
PID 4800 wrote to memory of 4824	4800	Lljfpnjg.exe	91
PID 4800 wrote to memory of 4824	4800	Lljfpnjg.exe	91
PID 4824 wrote to memory of 3152	4824	Lbdolh32.exe	92
PID 4824 wrote to memory of 3152	4824	Lbdolh32.exe	92
PID 4824 wrote to memory of 3152	4824	Lbdolh32.exe	92
PID 3152 wrote to memory of 3704	3152	Lebkhc32.exe	93
PID 3152 wrote to memory of 3704	3152	Lebkhc32.exe	93
PID 3152 wrote to memory of 3704	3152	Lebkhc32.exe	93
PID 3704 wrote to memory of 4048	3704	Lphoelqn.exe	94
PID 3704 wrote to memory of 4048	3704	Lphoelqn.exe	94
PID 3704 wrote to memory of 4048	3704	Lphoelqn.exe	94
PID 4048 wrote to memory of 4832	4048	Mbfkbhpa.exe	95
PID 4048 wrote to memory of 4832	4048	Mbfkbhpa.exe	95
PID 4048 wrote to memory of 4832	4048	Mbfkbhpa.exe	95
PID 4832 wrote to memory of 4024	4832	Mipcob32.exe	96
PID 4832 wrote to memory of 4024	4832	Mipcob32.exe	96
PID 4832 wrote to memory of 4024	4832	Mipcob32.exe	96
PID 4024 wrote to memory of 1392	4024	Mlopkm32.exe	97
PID 4024 wrote to memory of 1392	4024	Mlopkm32.exe	97
PID 4024 wrote to memory of 1392	4024	Mlopkm32.exe	97
PID 1392 wrote to memory of 4768	1392	Mchhggno.exe	98
PID 1392 wrote to memory of 4768	1392	Mchhggno.exe	98
PID 1392 wrote to memory of 4768	1392	Mchhggno.exe	98
PID 4768 wrote to memory of 2824	4768	Meiaib32.exe	99
PID 4768 wrote to memory of 2824	4768	Meiaib32.exe	99
PID 4768 wrote to memory of 2824	4768	Meiaib32.exe	99
PID 2824 wrote to memory of 4752	2824	Mdjagjco.exe	100
PID 2824 wrote to memory of 4752	2824	Mdjagjco.exe	100
PID 2824 wrote to memory of 4752	2824	Mdjagjco.exe	100
PID 4752 wrote to memory of 4376	4752	Melnob32.exe	101
PID 4752 wrote to memory of 4376	4752	Melnob32.exe	101
PID 4752 wrote to memory of 4376	4752	Melnob32.exe	101
PID 4376 wrote to memory of 4796	4376	Mlefklpj.exe	102
PID 4376 wrote to memory of 4796	4376	Mlefklpj.exe	102
PID 4376 wrote to memory of 4796	4376	Mlefklpj.exe	102
PID 4796 wrote to memory of 5116	4796	Mgkjhe32.exe	103

C:\Users\Admin\AppData\Local\Temp\2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab.exe
"C:\Users\Admin\AppData\Local\Temp\2e219cc7ceaca5daed857ea3ae6c241399031b8b4f49e3fd96d5c698968cbdab.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\Lfhdlh32.exe
  C:\Windows\system32\Lfhdlh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\Lmbmibhb.exe
    C:\Windows\system32\Lmbmibhb.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\Lpqiemge.exe
      C:\Windows\system32\Lpqiemge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        24⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        31⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        39⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        44⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        59⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2800
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2660
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        72⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        73⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        76⤵
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        81⤵
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3700
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        84⤵
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:856
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3256
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3832
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        93⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4676
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        105⤵
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        108⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        115⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        117⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        118⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        122⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        131⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        132⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        135⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        137⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        138⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        139⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        141⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        144⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        145⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        153⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 416
        154⤵
        Program crash
        
        PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6060 -ip 6060
1⤵
PID:5244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
95KB

MD5
cf7c522d99d1cfb46d561c8d425decbd

SHA1
d4c002fdd2f9581be5129febd20396ff180ce5b4

SHA256
97c30f8832076b5680aeacc059298c7b977001182271fce5644f4c3f1fffee98

SHA512
ab43bcdfb945d4c116cf9d75013564ac345a42958cf13113d5f977ebdb5413f2e0fb1a6bfe6b0d98b60bcbd545dc5fac477f91c706ff6e97cad470c46781e443

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
95KB

MD5
56b40479f894d164e667d5c3d6b16248

SHA1
7e68104815167f5d84645ad040953c7001571b4e

SHA256
9d1dac94ee2961255c30ed69b06d37a71665fee448319b8b0d3e28d4a08196ce

SHA512
a4f9c37ecad098ddec3533f882bb308a8d787f2aabf0b7a6061bea47d6d1e6d40061cffa88d994a0fdfbd3066f5a3ffc9eda900b149b03150a6821a54081bdfc

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
95KB

MD5
c71e761e0af54cdc45ca88d65c8c0e57

SHA1
dfc5232a6c914bf0a075cc6635e0eb2b37d4b383

SHA256
dbf7d415f5f1d84ef1cd9ada21d760379136936edc21a4f3e2506749f084fc73

SHA512
e39bbf62522da40806cdaaee8bdf5a7c1c351401e375713cbea7ba0b787e1d64569896f5688d7e3455057b6b8a5bcfb3c127061f7c92e11aa9138c3cd4ff276a

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
95KB

MD5
009c1e05b57b709ba4229fea3f042e7d

SHA1
0dd5693d69d1aa4a9da71f6ede652aef28f4670e

SHA256
a9aad2652d5727a9dd3fad838dcb34ee6ec3c7ea44288b12ed73a96501b5cc1f

SHA512
a156a5aba2389fa2f36a8df47af607f865ae979d63196629645f6a70532d1f53dc577bf4920ec996992990ba193c3e82c217a55172dc2a0f0af09b1b6c85cfb0

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
95KB

MD5
7faaa6ca358de72544880b952fd324ac

SHA1
e1abb0b81ceff24e32eb535c85d7a818e26826ca

SHA256
06024e62996ee812a2ecde76e80fe24583ae74e1cb3656a031cd4911ea607fae

SHA512
be15c220007d8a5a7b72e394e0fc289eccf4e2680b9d85d974d11d9fe1d95bb5538cadca6659d10cf003e381d7fc3ea6ae4e273936f632855dd1ad9a9e12f559

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
95KB

MD5
0eb7ce2396a2eb980f84f4a81c719eeb

SHA1
d4e3cd50ad64f30f7b79c9e785433e22f5664ce6

SHA256
769d12b507d081bbccc605abf20a005b5af03f9baa68c3bf2af7ea69cabd2360

SHA512
e751bc182959f0d11de0051831617ce2c28b9691eb69a384c15db39b5c006ef322eff64771f69faa68e73da3b355cedbd48c9b348e7656df8d1a75ff5cf39104

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
95KB

MD5
0f483554a842a7803e1ef3b01c64c481

SHA1
5af1fd940e08a9e253dec2d9d69efec7a1227e55

SHA256
f9aefd339ce5c0a8c3f1ba2b5a5b4d6ac608c1f16d5a8e671a3d1988ae17fd97

SHA512
5b315b1085f03d584583a65f3838e0777ebffcff0a0b1f315a5334f876ca756e92d0bd0b04c902c3b5798b34998b1f103d745d1b9ba7a34a1e2518b424dbd10b

Download Submit
C:\Windows\SysWOW64\Bfajji32.dll

Filesize
7KB

MD5
05696cfb6e106affa2b998e285ad97b3

SHA1
7c9a6d7eca3bdf96fae7cce544306963c9c1954e

SHA256
ea479643ea7805fdacafb75851eff4bc4293f7b68848716dd3f590ba23ddb1d1

SHA512
e0fe0edbd20e74705efa60f55886f8cc8c43e549e1b6e2588821ebef74e0b6665952d3e5a057adceac79ebd03fef2471c899e876eae384dfed98b4f58b353ddb

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
95KB

MD5
554e3baa1e29cf51e4bfa4c1853afb56

SHA1
627fcf75f3ba698b2e72dee6833580199699e375

SHA256
7259e18a52573487355de441b3da39231832c95008d026fe86e73485faddffbe

SHA512
ef5944d2188d58684c2121dc42b176b11c6b7e29eae0a45be26e4b4b3d27efdf281493757f704dc155ecf76afcf01b362bd399f4b8d767a995c69fea1f09ca13

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
95KB

MD5
f40f682deff651721771dcdbc3aad40b

SHA1
3f66214a6252acb3a23b129e2e2236425411990a

SHA256
5453b36fac70120c66186dc987b0d68b491cce3de8d9b576a6844d27468bb8f9

SHA512
59f207a03f25e14d616c83191262053ca9e6bf4fa52d4e0841d6b22d91c8def7ae568b3e1d7758c54e13c045c7154bd5d9033ea01ffe500f1f6315c0f6444437

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
95KB

MD5
3b8163ceaa760a5fcd6f1146ae42b56a

SHA1
241c4f6e812dc9c3b20e284af4b8dac8b209792e

SHA256
4b8de56dd928a669c90f4b62707038431d9b5f3eccc6f6d73c2ccc329321c419

SHA512
ad8f9e633ae676153046de3fb6c704f7cb6cb91e3caf7577a7948d9aaf16b6060d6485e61ab630279318e4428c8cdd58a6f646d9b5713171fbd901d563fab650

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
95KB

MD5
a6233886545bdf72a5a813e619f55eca

SHA1
9de3cae4a9dd4f914c31290e48373b03a7cd7355

SHA256
96838d11c1a6bb3aa330529b15d40ed5c511abcdcc8d7fa9ccde132d40ccebf8

SHA512
bd8c72960e59f240b1922784d4e5f40b508b15bce3722cdaf8d214f401eb2eb3b79b1114667cb7b5d462fccdeb15f6d81d26eedb0c5e79d635147d9861a55bed

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
95KB

MD5
dab781f8a6b255f1bae5553ed305c88d

SHA1
1b36f3ee68a7874624477acd981e6bbbbf5d6967

SHA256
f2abf253cff918823bd19b08bdb3ddbc6d15650080eb7905fa94bf4119520a3a

SHA512
a2ab70341497daf0000b1b8bd8939bfcd6f4957ab269489e866fbf7f156fbc7726c3feba7b8f9e4b8e8cbfa84fee0d2166a91f60543916599396724f379b8bb1

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
95KB

MD5
242e1f4aacd1f27c8730046a6a3f44b8

SHA1
778958c031120d21ba377d564d22cf830d4d8c51

SHA256
3455c9887d73d41ab79a7431cb3a9058e66692039e9f63ecbf26aa11562942df

SHA512
172f6decd8322eb8b2a71cd2ca14607f6692968096f9ac928cf00c062ce96ffb6284acfb54cabf83a3116402a4dc821883b536acbfa53ddba7b5dc06f7f5fe35

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
95KB

MD5
3dc48b98cab9b0d670eed3e44f2ab1de

SHA1
222bad3f8a4a1dfdbf08710586a396a15cac3d1c

SHA256
c7e5fa8e1f0323afe5d04f3920665eee1a6ae131d92dfce80ca391116255e2b0

SHA512
627186770c7070f47e5bfba018129ad14e9cc05409da174126debf5a38b1e1921a4685bba2e6d7944a4e8f491e2e7a5b94abfdcd9bc317f1f0bf190646533f7e

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
95KB

MD5
cb9efde392f2a94cd5f8f258c96f3461

SHA1
a6b8dec53810a44fd7703cf02d2e8404fdfe2336

SHA256
153b827b442c2568a6f5f169e13e5dacfc1c7aec832e9708c1c01ee006e6ef6f

SHA512
9a668ca0f27eb8eaadd4f9c4556834398be2a33b76a0a9604ae37c32341e89247fc8843bd98f202dec9e73cbc0548d94975cf2a416a8c7d65b730c361a18887a

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
95KB

MD5
c574da1f09294f5a002e8faa3897caf8

SHA1
a60614d833ff63e44f696112f4cddb1a2182a052

SHA256
afbde6f2e67023ba6e8f899c5ea1c067a7c7be52f13b675f9fc513a69a83c112

SHA512
66e99a33346a25632e9d06941d21b4a5e631b0f396845082f34a54704e0d4512a9beab77910b5ca1e9751c555363ff9c7c5304d2632d885c166e0dd6b871a4ce

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
95KB

MD5
029c5f3a2804362285ac7d867c76b551

SHA1
3e4524e83c79c54f36f64a12b4d6c9b85a604774

SHA256
f546423e424f82063152702da67e684867e54112871b4436430d2f649d43c83e

SHA512
2213d08fc4d52a4a6e543198b8eb8b707bf2b6d86a3289bb8e48379bf3b55ed9544254460d88baffb7f0d5bd8bac9a09e984d04c0ffade41cb22756c7f84e604

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
95KB

MD5
8071245599b84bc7da57aeb2b99155d3

SHA1
637ba7cf5a9415ae1edba77c2c9df830feb392e7

SHA256
54d65168cc66168fa82e784f32634591388e14456c9d8890f04ee3070401a9bb

SHA512
2aba3ecc5c99c5b42d7db4354c21f71f053a3415becd4588df8b22ffeb2c59b8ea15c5460ed2ddffde4e9f21964e44ca8a223bc1d4dc970d02cf1e9711bb1a46

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
95KB

MD5
9bb6ee4bec76bbe6ee8959d587f78ffc

SHA1
976d4995a7cb570e918e1e351ed793a19dc4e6da

SHA256
55ea027cc2d9a4559ccbd0eb274255c9c051b173199e849c1da70c9728b98cba

SHA512
62c418443b469dda5bb530d9666fa3021de08f47173ddab6e14a5f253e270e37e515beef2f66219ba9adb6d4e6186733ec88fe4920f749cab5d9073d6e292849

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
95KB

MD5
8eed81c27ee9d938b5958697b9ee2e27

SHA1
3f1b4c3beb61ddc31d6da0db4c792b9067674ca5

SHA256
6699d297f6d5c3273e403a1a8dba9d3a40a77fa56a525dd90d378d89896a36dc

SHA512
f8a4fcc3388700b60f07449df24b70c1da6f655e59d5c02a8dff06bcc2654ac410da574ff9fe9b165dc11921f7a48ee85f8b2597853a733bb15ed52211ef5aa8

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
95KB

MD5
aeae8e7aba34999c80163a3887a37819

SHA1
c85d30c0babae1d38e9090f0542504f4c0d1ce94

SHA256
bac0bd2c752d18509d956405c07cd9ec29ba0a118d487bd67fa4fcb530aebdc1

SHA512
7c3cd02c8c138082f280d258863794fdfe98dc73162119a11ca187c98ffa9d7e66a4b395acccc30edd7a154fe3c9b7594a1cbc84a7e779cd0a1ebeac7138f9e3

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
95KB

MD5
0eaf03807d3c00eaa115bce759107e42

SHA1
ec9cce62e60118491518d98bed5f91481b75716c

SHA256
b2bc2194b22db27354b0662e2ad21378e25d00810e8eb0df5be5b9d674c42c29

SHA512
6ace68b0ec65854ac0b7fdf97ffa3c634e199acad9aad5ecbbd3824eb9ef405077dedd4b6f9914e714e0dbb09ef617722e36052dc30b2bf76ce67ffdad3ff43b

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
95KB

MD5
de5b86f75d217f0bf48473f6fbe8ca97

SHA1
94f62a73ff1ca774a7fa68d85c3c863f9d8dd8c7

SHA256
a888635fd713e34fac9aacc843ac082b963b705575cc28e0eea8084be16dfba9

SHA512
4fe26e13bd4e26a2f62599625acb2473046c0d53a747c23f5919429f9bb5fc6b5f838e19a1f50eb2dd29bfc925f82331b53c8565871f7a95a7cd5280c72320b1

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
95KB

MD5
23871553397c8a8a00a050fbe392cb05

SHA1
824fde56320c177097c9bf9aa1f1a909f4f4c21c

SHA256
21ecc816e9ccce8c380361f9a4ff898beae2c55d1deb1aaa644f6c37f9236121

SHA512
281f51477e6c149b323efa22225b3d16d6d72134943f125f856b787cb4b2723df4e233621071efdcbd067fb4f2a396e499b2d58f3c41900d8136c6dc3f9b9cee

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
95KB

MD5
e5e752b4c7d24c57e53a9d9e696ca445

SHA1
4a460678acf7f7416c32908bbc3979c9e20c5974

SHA256
6640bd68564f44f0a90bc92d40816bd2bb8f31c2d57422a2210edfa53764fbef

SHA512
29b30a96a8e8483cae450cfb165ef744ade2cdbc9633cf877ddc57dfdf0412dbbd456f22285dc7cfb62989faeeee88505bd9aaff8fcde3c2399e6f972e308374

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
95KB

MD5
67b105a575ef0a5a7b7ed9b4587f952f

SHA1
093c901e8d124a7f666b8b99727a71dba3321eb0

SHA256
3eb395237c1a9420d40adde50eb9f152ec69034430bc3bed77345bc0c84656f0

SHA512
92e04a8fe6f6db33fd113af0a48123275d8b89be1bee162affa115048bc74809811a91dbc53756ad280ac786b06c126d715bdb51f7b0068001c3045e59ee7c9a

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
95KB

MD5
a0bdf4ef0ab36a668f0951e22b15498c

SHA1
ca0ca2aea2b36d460c48a723d37eecd3f376c38d

SHA256
8d05dc35aeb018d861fdb3ffc1d131e015a6714df8963d2522f2640c9161af86

SHA512
0b6b8f2f06a1c08075b059da189ff4302a0f08947472746eefb6e80636123b2f72ded9691baa39cfa3d0152399a9d9fed7bfd6b31c1ec8325ef5bf17617480bd

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
95KB

MD5
c1028e7d4e7f8bcd650a4217ccdab1b4

SHA1
1f78c5316baa096a9c226a0dfebbe50aa78f752b

SHA256
931e94ebe8aeadc7909be278b22fec6bb9cfd23a8fe3a051930949ca54b842e2

SHA512
6f4ca071272f35c382b4fca09255d557da0bc319eca3afe4a63d331db552971cb6e321525cabbff434ee58cf94f2da4dfa478a3fe60311fa58fd26e2ae99d77e

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
95KB

MD5
f12ab845af884700adba7a65a4f22a45

SHA1
b7ffeee31b5635e37582abc290bb05d7d3a4f250

SHA256
0804739b7f6d92d93d3461db9ae5e981354cc7aaffa4593190f4aef975c7322f

SHA512
fcac0cd772adaf4a507575e3f87eaa40c24bf45425f364fc6ba2e5ebf3d935bcbcf4de1b083a37c3846e7eb2b5c0a3a124c97857074bdc12e1a74b28cbcff9c0

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
95KB

MD5
6ef844649aacf0c534036e7f5439606e

SHA1
126bfd3731fa9b28746caf62a39f5c92b907d5b0

SHA256
9a50cc2a946f95671fc808791eddfd47ab420a78ece2488a6e5748309984d9db

SHA512
8d6277c18be3e0a55c161aecddd2dddaa1046cd9334deafd2cffb2008435dca91c95a12bf3ecc86233c6751384c150eefac805aeee3fdcab760b21085653a748

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
95KB

MD5
97717c398fe68ff8df40f2816687386b

SHA1
8a6e009fbd1c88d81953d3258158889f0d051f3a

SHA256
112f2cbe1dace0aa08001cd7f9551c4421bb52f27715b5ee0425837e2b2e9437

SHA512
62d1ff4917bd33c95425a25f3c0b01d192f2db0a848fc3b2c43a56a1abdf5d553d76fcc27c3a20fcefb453aee5a2198b848caaa37a74e1e579ef42e08f8c8e6c

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
95KB

MD5
83b39a0a21342ea9a8c8dd90df057507

SHA1
522ca485ad38304c92e82419fe416b08088802c4

SHA256
bf11bb9e7530a140ba1603f3893b0fa7b834bd4094ec2affb3a6fe7f224e4345

SHA512
b091202dd888021313c05418e2cdf785ced55e0fb6412801771f115abdd7296cf09b6ce210f2bcaa72e368b8d10230c5ab3d4dc17d1cc01db9085b73ae486f62

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
95KB

MD5
ff8c6c2e14833c831ea4f57bf70e850d

SHA1
282434add2d63dadade961abbff0598ca072f888

SHA256
a52ecf52e27bad0788e0b10d400ab1c8b6b392fffc308df793a91260cc88bbf5

SHA512
b81749c1100703215edb3714a4351c82ef7705f2d8fe84deb7cbc5d073c764ed926251d83b3c26e7ebac7db3497aded952f57b304557d429c3a3221b8566093a

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
95KB

MD5
b4984c61f5cec5dd41f8f450b1397194

SHA1
10fa1f70f5a855a446afb80be66d561159387b3d

SHA256
884abff9886f59a39e57c1722271c6615ab42b4ba3fdd7f6fce2649afd43cbd9

SHA512
19a4dad6d5770cd06f90e7760e6d0532293545436aa5a83e83c38d393fcf51af403907b0785f8baaf1fb082835d46e5369f7cba924b79f45ef0ccc1c406ff313

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
95KB

MD5
1c2f2ceda23ce5bfb4275bf0d4756437

SHA1
4e7da6475e9bccad2d08e9e3d189f538cec34bb2

SHA256
9f4246354312840c96110f3afe5f97d0f4972b540cbf41d0f5bb58b7a9e63baa

SHA512
62c0cf761996647a0438ed4516f38b81ae7fe1a77c484c4edf2ff4a3c313d9d90c02cbf43f33dc93a84b3a394d65e02b81b901a5ed04c72452ac99a6047ef065

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
95KB

MD5
e7adca47d19877bfbc80b657b956dc5f

SHA1
388a2c8f7964a22ec69de696b8c8330bb160945a

SHA256
81b3beb4abe635d28e9a4a31de2adafe1d2b3258b9e6b446e7453b165092ad70

SHA512
0a1fea97a3739670f24ab49319dfd9e4a2f23ccd5df1f0b5ef2e29393f048261e12638a67a1b01de09207197eb3b321a65fa8c6dc9fc5963da61b28cbe202d8a

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
95KB

MD5
4fc4ab528708ad1d609cd448dfcb2a77

SHA1
cc4b7f067da3164fa4a9aae5e0417fbd9630a0ae

SHA256
f73a2643d821c1666b3e4beb199c313414d3fab40a1069d915841e605bfcc8a2

SHA512
996258e77c2b3396276e8151b3ffc69127151dfab87a3d2fbae284df5442d8b7e2faf9f46bc18dbdfb6c370abbc3084864cca5f4f7ed3c8c0ffb65557189d6c3

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
95KB

MD5
f9871c6e17caf19af8475dfd71a1adc2

SHA1
17449f02cae92a2e49b77e2d89a09aaee64e70f4

SHA256
2ec97c55c520499806128cf781ec9016611df6b1ff45789ceab6b57ac6c68886

SHA512
34c79565ab4740dee0f6385ebc161594a5eb61f5c59ca311e602e3f38ec8cdb9b0a29df788fec223832e33ec3126208e85beeb7172c6083a46d6c0cbc93b3fb0

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
95KB

MD5
1abc93ac8f41ed923d4aca24bc1e1412

SHA1
d7cd4f3d36b252f8cfa6492cf0b7b2efb758879f

SHA256
f155ae1f1f4ca49a4879556dc4d08c9372617ee046f254724bdff3fcaac6867f

SHA512
965a09723a617b162e3dc9294b2df21e30f173d86cef701904751dbd035822a19b97cf94afa18fd77c276a430b5613bf209916224ed1dee52c39d97cbd6deedd

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
95KB

MD5
d47f83b44fbb266476ea7e791352c3d2

SHA1
e2c41bfe7ea38324adea4c02c31abbbcb443fc42

SHA256
5d60655cb875ecc7de654cb48edaf7d9326d928c51bebc0d2aff921aa7d8c877

SHA512
817ce40550ca54a4de197fd83e53b2e0d0026dd8d18ad4b21c9c0edd7ad93c06b4272d75b745e8e89fbc7b148fdaeb1aff447fd5ab720aa22bded16e9950be1c

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
95KB

MD5
ceee2b32f126034fca05ffc6ab18e3c1

SHA1
0f47065e651e1653c613338a722a9b83214f40e2

SHA256
4bc077d112dbfa85ad0945748b5b773516139744d4cfc46180eeb2ac7e926301

SHA512
121941f2743b8c52c04a12f7374571fd4203e3b53ce0f0ee0c52f5905871b2ab5f252a5b11d0a8a13408e95607132e000fb93c92b4482665c0012c5063c0c67a

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
95KB

MD5
d72d06fd9a6f32805856cca5e4f57a27

SHA1
d91525d6e165c8320de471134cf523dcaa566251

SHA256
0fb608c84c4f54dc2d123d3a164b9b5d58fb6268412febf22e1c82b0216de9d0

SHA512
f9cd22809bf957b91a26e228b3e9e523e8f0dc72ff66cacaa8c6a1ca075128c705a46766ffa2e33072b4b84c9e8516d55a7aae50108df97641cd07d8edf64038

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
95KB

MD5
17ca286cd5ac6800be425de07f56298f

SHA1
4009b1cf1dfcd9198680eedee2c77f21d085c0a0

SHA256
81acbdf8715f9c61f2e9c8202b0959eadb588e7d6e339e1d29f1bd09d3cdba27

SHA512
fa38705c470769818def5af78125e4ee6ba83f711c80882bc7136ea75239e2900a0bad0610da68f29890cc2f5cd67c34a6d9adbb5e03e4da038f1898b0cfb00f

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
95KB

MD5
bd5fc4bcaf077cc8acb975f03691f491

SHA1
f570a8e14e925923123610b41e8a1a12f5f9f587

SHA256
98597b337a2a35f5a8c33dc24feb8f02c02b7df181d0f1293273ac3d8b7457f2

SHA512
79a396b363d1d620dab972f6121f8cce9a8d7a1d4d456f24a615338ee81a0804bae870d7205ebec5d142953f8da74a8a62b26fe17c9a03898f5959f5e3a678ae

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
95KB

MD5
e87f125ecd33742daba2e86cde99277a

SHA1
b45af51f26fcb1a816c38b3935bdd226f4b47ca9

SHA256
1c81f803f44cceb3a641fed73e165eb64840e9b51c7d264bf0f4fdbd64fb3858

SHA512
8d47abfdee00fe8a1a75d5d8fe7bc0e4b7c673391f3712cdb2e955a8fccf98cf601729742bfe9dd1f0f8528fe482dea043ae6df3d71b81d86d45eb43d1062863

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
95KB

MD5
5c803412ddbc651c3740d2a861355001

SHA1
d959f58d3cff549d6a7176261761641daf84c05d

SHA256
d007facbb08c9a419a4b14e71a1ec5985d8b2ff7d6f0c445ff3b815e57d0556b

SHA512
a0b3558bd75bc2b6c63982e59fa14ddb825cdb336e9d21d74cd7ca21f474b5b515a553cd327573f94008b138952412b6fd28cdd230fb023fecf38ce379cc66ff

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
95KB

MD5
1f00186b74ffbe34f93c31c934b56496

SHA1
ef2429894ab29b9c9dd3a5d1b83b9ef7b296bedf

SHA256
36cba6501f08f213274841a9150a66e30350a55799757b20c4375c3ae03e22a1

SHA512
bda8333136e9e21f37540cb52cc32982595dfeb35b1d5dcfb9face0e59fa0edca7bbc4129dc8e231fa5f636697b926c0f8c02df914b2952ae6c14cad34e12634

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
95KB

MD5
7011c8f4aae76b8c300df78dea7159b9

SHA1
df0fb3629baec8d2059dd96b616257a07a6851fa

SHA256
acfcb659b771a3e9d84390ce841acebda6cdbefc0a2b1a4314fbfaae40e46e21

SHA512
affa23bb32e320304f58e2ac2f94e7555587ca02a74fa9b0adc6ff6e035a679f0438aff79f5da612cd60a6cc8b85a41d095c28ae53070e48c77b266fa78cc9e6

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
95KB

MD5
778e6015f64cb129187635c1e4e5838d

SHA1
794ab8489d9f12a2b37bf1d49daeadb49c3a9660

SHA256
6778600a8e32e26cff32378404cd790ed85b02d24d636a08408141ecff28fbae

SHA512
e78533dbd1d00506423c125cf696388dca34d5504a16d8f4f236c9daa2a60583d68ba2698d01d12b98eba8c9a81a912f85ae032d9315a229cc8a4f337ea2b3f7

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
95KB

MD5
cce25db4cf0fe6cdbac0cde266f4c8fe

SHA1
b85cd1ebd1906313b7e3bf56146b6a1641bf02aa

SHA256
1588d2c2891f9a8c4be659d3b7ada132590ee581ca0859ca15f46af3474b26a6

SHA512
50fdb21a6347c95f560a805003c2f6df8cf3341c40c430f083e5be2155a2adc6d9554fe82a6d55ee4547dde4a49d5658da089f3cfa407cc652ef27a64ecd5315

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
95KB

MD5
4084f6089fe27296743e927295b3d3fe

SHA1
dd64ebec1c6307d3b90227918df84879cf691ad9

SHA256
2f575e0fd04b66d613e91cbb64b69f2ebb69f0b563a66a7ed63041a1d60d9165

SHA512
14c2376b883197561e047a175788fc686e4a0eed6fec997cd53fb68e972490e0afa6df59855622b4e2849948586b112c7b56e070bad56d1a80364741610a022f

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
95KB

MD5
0074c61a6a3f9b0821372f0d2067dd58

SHA1
585d7aad13a33a56f7e9d5529330d20bf5f7d55b

SHA256
3a0345a42fb46a48c48f0f304b0e835d7100a9e0babcf272eb595f60b1efc66c

SHA512
3882d5c57336c88fe5f6624e09d484a8ce39fa9d1e1d74bb61621955da6e084ac25592e9e3cd9ac5238c915bfa45a7ea322f24025f0ba454c2fc3f5a3ce13bbf

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
95KB

MD5
eb5320785f91190206b099d1b716010a

SHA1
58ff2d42ea95359c34574db0cdff78e1af5a7f18

SHA256
f26ddcdfb4101003f5197aa86021e83304b39f16d02b6ea9b10e2beefbbd05a4

SHA512
08de59fdef09a6e1765d872f129f500c36613452f0cf75bb48a6368b467c6b3b76c05ca504baacdb9fa243c4a2d9953b6e99f07f05cbacfed48d2cd9a763ea7a

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
95KB

MD5
ef8d5b6d1784da27a23d13549e47dc63

SHA1
f0270ff8b7805f1676eb94258a8936d07a1954a3

SHA256
ec16771c6eeb626412730f53a84d24711c2439b09204d1ec32c3a5d699b698b3

SHA512
a09fc21302be64c65b64b93cb4e86e4c4617450f7fcf6e8a2cfdadb6e3bdc817ed228f3e8f1831b7b3bf65045a8d416f056c3ab46762011d78758588f1ba3355

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
95KB

MD5
04630ada3692ef73993f1bb1989a8f6d

SHA1
3609534e4ce5a008659ba07f46f647c6ea0adca0

SHA256
a8c77eb88afac84c158eb92bd177dbdd48a1be861477a97e88f3f6d04becf1e2

SHA512
f9ab0b600e24d3ba230244ebc42e6a712c7cc50c80795499be1af6eea9c7c002be96e2347ba137a2d9ad8284432770be03a31294ce60bc9f71fbb6f2b5d09d24

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
95KB

MD5
1a0ae8aace6cc6bff896b5870313be34

SHA1
56b6aca1a1b8adfd7a031815d7abcfcf670e5205

SHA256
67d8b0eb9018b4a8fbb29e1f345a7713265232a58a7b300f0241ddb4183b0a18

SHA512
0942e7871adb20c0a3644fa4c8f0b88f0efe970425213f69ae00b5d54f86bd8a61a935f615745ff696c58c7b1632d8a2beacc4a2bde930ec51826d05c538c6c4

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
95KB

MD5
3fcfedabd4a841f5139998fc1dfa0ec9

SHA1
5c11bf0e75975b802d2c3f43cf7d93acc0812252

SHA256
3e660fed453628f40cfb5296d54d5a74faf543036b37d7d9a3cd8909847650ca

SHA512
86118ec565875596c12b66bd0d6bc3052857800da4dea2cf3abae18cc1c5eea518fe11acd24b0f210cdaa3b0b65cdf577d85b9a063af4aaee2c1fc05aeaab35c

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
95KB

MD5
84b9574c1b5b76773288514ec1343c6f

SHA1
66ebe2fc14b9c7dc3802b41eada15da15aacf38f

SHA256
12d45a46a2d71bbeb4a8011d8b2053dd33c35a0d7b9e4986926d8efe90b5fd09

SHA512
c093711354f7c5f76ce35ba8331b37bfbb9ae570da427f67258fb646bae7cefbf2e54941f73343036245641b124adc9002a1e2751931475940946a60e3c83721

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
95KB

MD5
49cea86393ad34d5d956b51ed22d2d05

SHA1
27c6fbaba48b292a1cdbc715b9801c5caf259bb8

SHA256
1fe99784cbe1ba70f2fdc10b2444890e54934072925cd625cc8f50a26c18d86d

SHA512
bb56ca63e4425946aaec2609e052e319a8a0d5a3b1a35955d70d04a24fbcbbc2d6f44440269ca82cd13375f2ba1a810b15f22d6362d24c4b44377173da125b4d

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
95KB

MD5
010f789153dd1bf2808dc6d4d411d7ae

SHA1
df14796074bf76513ddac7ffa45d9b6b779f935c

SHA256
e81ac79e138bcfad8c00029fc43dd8d3ddeeee500e857d1c1397b10d1faf649c

SHA512
9eae971fe0373fadd0cb0fd81291a1f3207bd3feb8f75dd13aec7e018486e545e0eb6154210213a737b844f65a604ea82e9b4e5ff290098a722b7e589018eb30

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
95KB

MD5
7fe25fd57cfcb76032faa646d1d1980a

SHA1
73de53a93135c8cc96e941107f91bfb550ca058c

SHA256
4f29f59936d847320053a6e30886280cb1369e7d0b8c256c609c59df18a56f93

SHA512
11ffa585a4910e0ea271768f8985cc07f22949d4b4182f9b395a1a5adbaaecfcb91f9f96cb99670ba690f0ae09b0abdac8d34d0278679442eb7448cf554cb982

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
95KB

MD5
2490236e7beac6ceff71065db814667d

SHA1
3e3eecf218804deb8eaa5596458121298232bd99

SHA256
7e25f39f711d4ad26592928349fa39aff2675f34a686b8400565729b0a526da3

SHA512
a1040cd65aa97018494875ce63ea8b6dbdc5b54abe0550a04090a746d5464ec30f3c77d930fe2f8927681420f4e0e7d2b1a8903011bc79083d9279db3f7307a3

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
95KB

MD5
3c33b1a968e1f99ad624ef16daa9d9c2

SHA1
a3608bf89f5271b00bf96ae9511386813444492c

SHA256
3ef24ecd331c11cd94998cbdedbeca790fc6c2d38114d07fb5526f467532683a

SHA512
f71be537d1e4ac8ecfff14745056d38e60796c80a71eb2af395ed1cb4bf5398cf93e1adf99df72f68850eea54bd8dced5753e7ff5fdb96fe07979f55f1adf7df

Download Submit
memory/208-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/208-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1392-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1392-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2876-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3152-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3152-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3268-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3268-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads