berbew | c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d.exe
Size

187KB
MD5

d76ef1c7b146392f213d9e7080cb1f72
SHA1

cb29c2bb85c96a60db53fbde6f73c2a8a0ccb437
SHA256

c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d
SHA512

bed0ac1a7ab5d77bb52c6dde27c6c6b51f76d9c2fd87056232ddd1b98a96eb0f43f0156e0b860b1f815364f7f87bd8276672007fe8c56ec408b8d0f82868a30b
SSDEEP

3072:7MZin1/4XbuAqu+fiiO7AYLo9VgtRQ2c+tlB5xpWJLM77OkeCK2+hDueHO:Bn8TLiO7AYLo9V+tbFOLM77OLLtu

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleiam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eemnjbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkaejf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eocenh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eleiam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkojgao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcdmga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hodgkc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1804	Eleiam32.exe
3968	Eocenh32.exe
4180	Eemnjbaj.exe
4652	Fdegandp.exe
2420	Fojlngce.exe
1304	Fhcpgmjf.exe
3016	Fkalchij.exe
2280	Fdialn32.exe
236	Fckajehi.exe
2436	Ffimfqgm.exe
228	Fbpnkama.exe
3344	Gkhbdg32.exe
716	Gfngap32.exe
5040	Gkkojgao.exe
700	Gcagkdba.exe
3768	Gmjlcj32.exe
3556	Gfbploob.exe
5036	Gcfqfc32.exe
1904	Gkaejf32.exe
2664	Hmabdibj.exe
3340	Helfik32.exe
1892	Hobkfd32.exe
2780	Hodgkc32.exe
3540	Hmhhehlb.exe
2164	Hfqlnm32.exe
4008	Hcdmga32.exe
5008	Immapg32.exe
4852	Ifefimom.exe
5020	Iicbehnq.exe
4832	Iifokh32.exe
2452	Imdgqfbd.exe
2900	Icnpmp32.exe
4064	Ilidbbgl.exe
5112	Jfoiokfb.exe
2228	Jcbihpel.exe
4656	Jmknaell.exe
4236	Jlnnmb32.exe
4616	Jfcbjk32.exe
3020	Jefbfgig.exe
3188	Jlpkba32.exe
440	Jcgbco32.exe
596	Jidklf32.exe
648	Jpnchp32.exe
3508	Jmbdbd32.exe
1340	Jcllonma.exe
3928	Kbaipkbi.exe
2032	Kmfmmcbo.exe
1644	Kdqejn32.exe
3096	Kebbafoj.exe
4324	Kdcbom32.exe
3448	Kipkhdeq.exe
4584	Kpjcdn32.exe
4032	Kibgmdcn.exe
4552	Klqcioba.exe
5016	Leihbeib.exe
4780	Lpnlpnih.exe
1528	Lekehdgp.exe
3552	Llemdo32.exe
4640	Lboeaifi.exe
4400	Liimncmf.exe
3704	Lmdina32.exe
4544	Lbabgh32.exe
2036	Lgmngglp.exe
1672	Lmgfda32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Defbnajo.dll	Fbpnkama.exe
File created	C:\Windows\SysWOW64\Jlnnmb32.exe	Jmknaell.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gfngap32.exe	Gkhbdg32.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Hikhen32.dll	Gfngap32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Helfik32.exe	Hmabdibj.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Gfngap32.exe	Gkhbdg32.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Immapg32.exe	Hcdmga32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Hcdmga32.exe	Hfqlnm32.exe
File created	C:\Windows\SysWOW64\Fojlngce.exe	Fdegandp.exe
File created	C:\Windows\SysWOW64\Lpnlpnih.exe	Leihbeib.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Hodgkc32.exe	Hobkfd32.exe
File opened for modification	C:\Windows\SysWOW64\Hcdmga32.exe	Hfqlnm32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Gcagkdba.exe	Gkkojgao.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Fdialn32.exe	Fkalchij.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Phaedfje.dll	Jfoiokfb.exe
File opened for modification	C:\Windows\SysWOW64\Jlpkba32.exe	Jefbfgig.exe
File opened for modification	C:\Windows\SysWOW64\Kipkhdeq.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mmpijp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6168	5128	WerFault.exe	247

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmjlcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmknaell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnnmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eleiam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcfqfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkalchij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfbploob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcllonma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkhbdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffimfqgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcdmga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdialn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfoiokfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpihae32.dll"	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhcpgmjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkolmml.dll"	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll"	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbnajo.dll"	Fbpnkama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlmbpgdl.dll"	c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eleiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Immapg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1804	3532	c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d.exe	85
PID 3532 wrote to memory of 1804	3532	c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d.exe	85
PID 3532 wrote to memory of 1804	3532	c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d.exe	85
PID 1804 wrote to memory of 3968	1804	Eleiam32.exe	86
PID 1804 wrote to memory of 3968	1804	Eleiam32.exe	86
PID 1804 wrote to memory of 3968	1804	Eleiam32.exe	86
PID 3968 wrote to memory of 4180	3968	Eocenh32.exe	87
PID 3968 wrote to memory of 4180	3968	Eocenh32.exe	87
PID 3968 wrote to memory of 4180	3968	Eocenh32.exe	87
PID 4180 wrote to memory of 4652	4180	Eemnjbaj.exe	88
PID 4180 wrote to memory of 4652	4180	Eemnjbaj.exe	88
PID 4180 wrote to memory of 4652	4180	Eemnjbaj.exe	88
PID 4652 wrote to memory of 2420	4652	Fdegandp.exe	89
PID 4652 wrote to memory of 2420	4652	Fdegandp.exe	89
PID 4652 wrote to memory of 2420	4652	Fdegandp.exe	89
PID 2420 wrote to memory of 1304	2420	Fojlngce.exe	90
PID 2420 wrote to memory of 1304	2420	Fojlngce.exe	90
PID 2420 wrote to memory of 1304	2420	Fojlngce.exe	90
PID 1304 wrote to memory of 3016	1304	Fhcpgmjf.exe	91
PID 1304 wrote to memory of 3016	1304	Fhcpgmjf.exe	91
PID 1304 wrote to memory of 3016	1304	Fhcpgmjf.exe	91
PID 3016 wrote to memory of 2280	3016	Fkalchij.exe	92
PID 3016 wrote to memory of 2280	3016	Fkalchij.exe	92
PID 3016 wrote to memory of 2280	3016	Fkalchij.exe	92
PID 2280 wrote to memory of 236	2280	Fdialn32.exe	93
PID 2280 wrote to memory of 236	2280	Fdialn32.exe	93
PID 2280 wrote to memory of 236	2280	Fdialn32.exe	93
PID 236 wrote to memory of 2436	236	Fckajehi.exe	94
PID 236 wrote to memory of 2436	236	Fckajehi.exe	94
PID 236 wrote to memory of 2436	236	Fckajehi.exe	94
PID 2436 wrote to memory of 228	2436	Ffimfqgm.exe	95
PID 2436 wrote to memory of 228	2436	Ffimfqgm.exe	95
PID 2436 wrote to memory of 228	2436	Ffimfqgm.exe	95
PID 228 wrote to memory of 3344	228	Fbpnkama.exe	96
PID 228 wrote to memory of 3344	228	Fbpnkama.exe	96
PID 228 wrote to memory of 3344	228	Fbpnkama.exe	96
PID 3344 wrote to memory of 716	3344	Gkhbdg32.exe	97
PID 3344 wrote to memory of 716	3344	Gkhbdg32.exe	97
PID 3344 wrote to memory of 716	3344	Gkhbdg32.exe	97
PID 716 wrote to memory of 5040	716	Gfngap32.exe	98
PID 716 wrote to memory of 5040	716	Gfngap32.exe	98
PID 716 wrote to memory of 5040	716	Gfngap32.exe	98
PID 5040 wrote to memory of 700	5040	Gkkojgao.exe	99
PID 5040 wrote to memory of 700	5040	Gkkojgao.exe	99
PID 5040 wrote to memory of 700	5040	Gkkojgao.exe	99
PID 700 wrote to memory of 3768	700	Gcagkdba.exe	100
PID 700 wrote to memory of 3768	700	Gcagkdba.exe	100
PID 700 wrote to memory of 3768	700	Gcagkdba.exe	100
PID 3768 wrote to memory of 3556	3768	Gmjlcj32.exe	101
PID 3768 wrote to memory of 3556	3768	Gmjlcj32.exe	101
PID 3768 wrote to memory of 3556	3768	Gmjlcj32.exe	101
PID 3556 wrote to memory of 5036	3556	Gfbploob.exe	102
PID 3556 wrote to memory of 5036	3556	Gfbploob.exe	102
PID 3556 wrote to memory of 5036	3556	Gfbploob.exe	102
PID 5036 wrote to memory of 1904	5036	Gcfqfc32.exe	103
PID 5036 wrote to memory of 1904	5036	Gcfqfc32.exe	103
PID 5036 wrote to memory of 1904	5036	Gcfqfc32.exe	103
PID 1904 wrote to memory of 2664	1904	Gkaejf32.exe	104
PID 1904 wrote to memory of 2664	1904	Gkaejf32.exe	104
PID 1904 wrote to memory of 2664	1904	Gkaejf32.exe	104
PID 2664 wrote to memory of 3340	2664	Hmabdibj.exe	105
PID 2664 wrote to memory of 3340	2664	Hmabdibj.exe	105
PID 2664 wrote to memory of 3340	2664	Hmabdibj.exe	105
PID 3340 wrote to memory of 1892	3340	Helfik32.exe	106

C:\Users\Admin\AppData\Local\Temp\c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d.exe
"C:\Users\Admin\AppData\Local\Temp\c63037541f98a1f33f668015d699a589a26a1febdd1edcaedfcf3a5e7cbb627d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\Eleiam32.exe
  C:\Windows\system32\Eleiam32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\Eocenh32.exe
    C:\Windows\system32\Eocenh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\Eemnjbaj.exe
      C:\Windows\system32\Eemnjbaj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        25⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        29⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        30⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        32⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        33⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        34⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        42⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:648
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        47⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        54⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        62⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        63⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        73⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        74⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        75⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        76⤵
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        77⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        79⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:520
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        82⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        86⤵
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        88⤵
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        91⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4576
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        99⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        101⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        102⤵
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1612
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        105⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        107⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        110⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        116⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        118⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        120⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        121⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        125⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        128⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        129⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        130⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        134⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        136⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        152⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        153⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        154⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        159⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        162⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        163⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 236
        164⤵
        Program crash
        
        PID:6168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5128 -ip 5128
1⤵
PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
64KB

MD5
79f0add4dca801ce17c96f2f21e6451b

SHA1
498491c748a2f780c4a4cce8bd47f29a88c37d93

SHA256
fd9af422b7669d8846eb0d30b450cc5b522162c4493f6774b2d89d096a4a58e1

SHA512
01a6d9513800595f100a5bd07539a51f8adeb2518e9d636e85698337f30a9538ebe2dcddfec007e6af3e5ae9bb79bee3b5ed77aea4a3cd4a20c28aeb7fa4a0a8

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
187KB

MD5
3465cdd94328bf3e306bf0be59556dca

SHA1
9bf05135500b8da5bdb46ac7f0217c5b0dec297b

SHA256
a90fa8e62ff0e0116fe7d78d24bd0f24c7cd62023af09efbbde43acd2d95e556

SHA512
e8798f0f4879395e9542dc4f5a3dfde43946ff563d451ea7d3afee0ca0b68db26eae53b948b3a89c8c91d99652dc175232f221f013b026ba7ae2de81140c72d8

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
187KB

MD5
430559b2487b873d983e999f96a6ab1a

SHA1
c83d072f9f294c7b03e08ccbd6f50902d60fde82

SHA256
6b8e2fccf67f208927325215148dd479047bc7bee0244b12883e74ddd9416744

SHA512
6882d032669743be3ec545d74cbc836325af6e4bae51b2e3c670aaa4dfe1b4f09cf569565bd1dec9b2f01892845d89c6ee60d3aba893022088c9f18e1f3483ff

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
187KB

MD5
2a90be1bc752005d208ee1adffabc7b6

SHA1
a444d90998ffc0e089f28355ed5687940d63ac98

SHA256
ccc82804d4606bc084963d3577eb0a38952eb7d7f082c543ed66b61901c97ece

SHA512
359d3cf7ea1df9be4d16521595bafe0d0ce48cb5ee74113b7c3df77f19a443280f3a146c8a451a598c4bf6c54df460699ad487dfeff1cb1ca9b1640513b2b752

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
187KB

MD5
9230822ab9f509fa488a029c4a553604

SHA1
8247023c2fc67a546f8a40b7d3451f7460e976f7

SHA256
ad2b3947c7fbd16c7f719173181b8efb19353c2d61d9ad46fa9271647087ed3d

SHA512
a2f491f6d51bdd5757fa7bd5b0c4012d942eac2b86d877bbee559e60414a2a1338ae84ec7d092d2e6c70f3497c5dacff9d728e82019a0ac1d779002a0e1c9998

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
187KB

MD5
75b3e1a252444a68949a3d14b4d1547e

SHA1
b539a839dde62caf65ea5befd65eeb421b5b1216

SHA256
b18db38ff8fa6e21d265ac3f22846af54163553af03d2f720ec099ba07f604d0

SHA512
49d6825ea1714c472c642c962be6035575a6c64e30bd4a88054835bb35d76a7890abb9a17bf26f64133028101aa3339799cd2c20bb22f299018e14edc1c239f3

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
187KB

MD5
781fbd8a44bfe8896351fbc4aec0324f

SHA1
b708d820caec04a3eac8fe41491475e8c1b46249

SHA256
ca85a41ed88f6f208e377550649c0cda0093d0573c44f8db123b8b35784331d7

SHA512
314e8515520bb0314d209878eb5550fd30187858dd44f1b371216208c12b7e4b8abc19575ba5b8e8b2617fe48f0bc1dfd0b871491b11594a1286a5cc6f991952

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
187KB

MD5
aaf09a970ba284864ac423f20e02b3df

SHA1
6a616be25149b9f73211cc686316d88c568c9ce7

SHA256
ec236f0573839da8015b5dc6bdca8ada3a1b6f556409033101810d26ebbbe127

SHA512
609c6d6f08418bfcce854fd45e8fd9ec4f4d7f2ba182b6797327496f9444955c959d1f82593a5032326b144ea9af2cd5131e6d178d586b9fb381f17a0b765577

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
187KB

MD5
5a31b4b58c8619e26ee35aa50881b838

SHA1
6e00b6e1ddc52e1155e74d3b1b722f2a340f89c2

SHA256
449c074cc85e0320e77096437c8f0ad4905936bcd2e35c95e11ace62c47d4dcf

SHA512
b7f4e3467c6f8409c8a0fefbf82ad7072dc63bb7bdbe7733cf5fea95eb5150de392b5f0ea384e230c3e9ae1d9964ec38ddd13f4a6012ce3a386b172e3c8b612d

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
187KB

MD5
4cf14c5bc91faae8d303781c17f56c82

SHA1
c931c3a90a70bb2423c436d38e6c6f452a1226c4

SHA256
70c3154c3166bbfb724ef9353ec0e21a34949fe126017e6f9400ebe3a135e6ad

SHA512
ff37f86522d15f451fe4506c6cdb883e633a69586791b445ed52979aa665c56327865d722efa6d81e45767b6b7c96608d7bffb95682a0d723893f6c38f24773d

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
187KB

MD5
53e8272a5e925a11cf44fa36438dbdfe

SHA1
7291c4b3bd263f18152b609926804522622c1fa9

SHA256
bd59c08a662440b86f3c291c86320b4a6b5b823ad172b3ff8fd2d8ea8b5541a8

SHA512
83752a9a67ebe2c3ad7ab5dedd7a866ae14cc6dcf32fdc7b089ec05f808d88b5232732b95ec01c1b35bf86ae02c8bf9e0c5884954c4ef577eaa0bb299f708672

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
187KB

MD5
bdb97a85695bd6406ab1e9f9380e4a90

SHA1
ac6851f507b7f5b98a5981ac89d5242355f2f1b1

SHA256
22dfd3e08904e647f100036be006aef437afe9e0d1159a844f1c9f6ec3dcc066

SHA512
33e0105e4562ab8bb8b382b56eece678f440b28c46d327d2db8bdb35ca194067028a39ab1f4edc6440e60a7664c8df983c23b8c3cac8e2454df16686661f8b43

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
187KB

MD5
c9add0ab08dd4552d362724febebdc4d

SHA1
41d562a53175b88500979e96989a588fed6b6a68

SHA256
02d382bd7f5eea4f0ffd28c0dc884a9fa8ea76b28de8053781e2e27df1fb17bb

SHA512
f0046d8ff28cac16a3fcc75cb13fd20a7824614b71cd5f46fb76c5fcb000ec16987402f3b30bbc74d9430d45cbb403888eae67db86acf86235b52e7bcde22bec

Download Submit
C:\Windows\SysWOW64\Eemnjbaj.exe

Filesize
187KB

MD5
d9b05ccba2b47b7fe57dbacbcbad0d74

SHA1
693a8607c4e30d5d9be8bdc4ae8972c3389b761b

SHA256
56f0eca3caaa95538d80cd836974c38766f531acc5b67861e29824128b65d2c9

SHA512
944d80ab65ad56ecbac46ce81d0e6de2da3b01df70bc26fc79f99cb04d06c3af70f986db99114da710ff4c63d99b5a54e35bab8975606c6fac7f8258faf0c1ca

Download Submit
C:\Windows\SysWOW64\Eleiam32.exe

Filesize
187KB

MD5
bc00eaec254fd6fd63cab623d63fdd9f

SHA1
b530665afe10ca5e2fb56ba435214126d5cefa38

SHA256
daba2121b5c985bbc01371e8f7cb4e8dde8236c535495fee69fff910a5955cc4

SHA512
78ebe3dbcb9401104e4f95b2afb2940eabfb54593927cd1566cab9bec9547d7878b8f9a8a919931415e45e9dba6a2f7213f3c0f5e626a16ecb3eb89ebf062505

Download Submit
C:\Windows\SysWOW64\Eocenh32.exe

Filesize
187KB

MD5
82fb5d62953ad5f4e834941705fa9a6d

SHA1
0fd747c2c946f3f179991bc4c7fcb0b19d41bc81

SHA256
bbab87256ca98e4d1aa283a23c281c563e44c318829cf5816726b5785985b62f

SHA512
f7b616921cb5649916633708996bf2a0ce29f24ee9b2b6aa27b5d8caff596675bbcc6137e997c072032663e1221dc5157b26cf455df03faddf87e5c81149a7c2

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
187KB

MD5
044f786007b51df096c8afa70ae04258

SHA1
f6a67c0f41b7b347ab715dd38666136424409161

SHA256
0acea81aa0b0a2b623a337d42ea906c83d72763913c396bf843e7c09d443a815

SHA512
b3e429c232a627f5ac612a4421296dd1a94572fff5e06cd43cc152362ae6d2d8d0d1c16aec8e3082ca72dd45af86adfc499f28e7a00ac819518cbe0c9442eec8

Download Submit
C:\Windows\SysWOW64\Fckajehi.exe

Filesize
187KB

MD5
6033edbdf8e1091a395ff03efdebe18b

SHA1
1cffe5b4b88e2394faaf5ec25e7b5099e6882822

SHA256
02777b9c4875558ab82660f795cdb58b2e14d43d5d761a3db0a4cc3e19c1d822

SHA512
692e3e279a2fb8e8e9481ecffe5708f6ed921b6e943c6d386622c8958cfd6b359c67f27fec11c10fff8b0833187665f41bcfad368f7a3cc8c41bff43f147fe3d

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
187KB

MD5
72bef7aa5c7a155667e3454fb955ab2a

SHA1
2e0f3924bc485d35c5a5121661f71a7d3eb9950f

SHA256
aa11ff776717c7cf0f8635ae584624dbafd1be98962561cf1c3a10127679ebfd

SHA512
980bf831bafca7e79514aef4026f5c6fcf4c935800f67a6353a524cd2c020d319a9c5c6b5daa2c576eb7d6755f70c1a47afdd29524ec1c94d5ae6dfe32d69464

Download Submit
C:\Windows\SysWOW64\Fdialn32.exe

Filesize
187KB

MD5
9c1d149f4de33b61ca7ac1ee04797a5a

SHA1
1819172d9f65fb0dc3e0f8a56c9b6fa64d55df5b

SHA256
9e5bc57c3fa4b87971616af3e410fec2fe768d58e040330d09473dcfeefc709f

SHA512
7989724ad9a7b2963b08125a39f0f779dabc2220243ede1f1796bae281b9cb9d2b82b26e8d58b5dcd240a494827f0e4d0d511631ebb29d4052275dd9191f6b86

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
187KB

MD5
3a9c55917d5b7f107e8ae5c9f728c2d3

SHA1
57faf8e6b6f7a4b3265724a38c19fbd5ccf0545f

SHA256
35be186d3692f5e4b7295ac43a6d926041656c312e61616242b40163444df95f

SHA512
5f4bb76ba923af4be7ea5395accade2bc843967396a11e957b58bac4003b455ae0a6fb08ff5fd38a04a2bdd3076fed7039b5ebca54b5a3dfe97e343fff40c3a1

Download Submit
C:\Windows\SysWOW64\Fhcpgmjf.exe

Filesize
187KB

MD5
b111e7ab784536ec710a25c3e88ae465

SHA1
d6deab56aeba5b83af55080312344f9c173febc0

SHA256
b741dd3fe5d6bcda5cb830211d8caba8bc366b94cf0d94f776ba1081c28d11d9

SHA512
7612eb3ef6abb2ca579643e6fbbdb4aa9bed197cd02aab65d95dcf7e0bd1837200b93c4e1cbe6f3ddabb78de31d57440bc3d42708b5df01e5fe293560f720f6b

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
187KB

MD5
b33f599c308b38dd00e37e127ec2bf0b

SHA1
9be08d39f4c912fa2b859f26f586a93023ce6766

SHA256
d71befc694b8dfe0353837a9ac0cb042b4ca53d3b99ef563534bbeb4d35db0aa

SHA512
b88bde188d0e6732970c5a6e5b94fa4de22440bbad7fc28f6f9c89f29e142458a0706badaa079943438a31671f0e8f98aefbc8cfcdf28b9eec03033eecf33596

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
187KB

MD5
3ee4c82d6358f34605d4b9d97b605410

SHA1
515cc536de7fb7e6f6db208e1c34cec5a2ec7e36

SHA256
e650bb6be4e50a0d68d02f423f945a76ad2d3cf27eee6c9d15e55ae1d82cf8d4

SHA512
4a4ebe3543a5afde9a611b879106e7b1043e285b69c04cef6b085e41af00b014d4a9b9768e8d356da7cba3083100719b3ee537b36960fe1147c984a135e9ad6e

Download Submit
C:\Windows\SysWOW64\Gcagkdba.exe

Filesize
187KB

MD5
45578b4411c612f945034fee7b718799

SHA1
d4e7d49082a06fb37e5c7217031b0ff9dca8bbbb

SHA256
929d132e6a5ed3cf5dfb71ec725f8583ba91afc2c7a21f6c10bdd5b31280ec02

SHA512
b4864145363ca0dd9c4008bedf26d351664e5d06ae37d901397516fc6c7a201bb45be5fd20e3e0eed696635efed336c8c95d0516622ba19b2ede16fea24140c8

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
187KB

MD5
b108031f793cc455d3d4bc30fb50f8b3

SHA1
d1b9274ad0846df21f10ffa2c48226b4a1b1b59f

SHA256
56a250f8ac7d8412e9e82a70dcf67404de206f9f7e5d309da970dfb05d725358

SHA512
f89f9fbe274882e8acc6830c9af3a6def92f3d6fa97be75d092517ff724dd0a32271583c86ce9420e649c0aa799e42d1319d662b4249ba0add378a8dd2e17b65

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
187KB

MD5
07d3d6714ec9ff5dcca8795b580fc640

SHA1
656f79cc88bd21f421c868a425e3bdd74e866eb1

SHA256
f2163f4ee50d0ce2937b47bc00294794824b5891c3021ef3112859dc16b4bf0b

SHA512
07c88873fc4e2fec29ab54e59d1f086edb497e1c7b4a0583518748416e916df435282a43153e8420259b717d078f1ea0416159777765905c871b172e0001f0f9

Download Submit
C:\Windows\SysWOW64\Gfngap32.exe

Filesize
187KB

MD5
7094b6621c28517ce842ea3675b2ae03

SHA1
4461eac410959a8cccc322fcf691d935189c4a42

SHA256
18f2a8b727ee0765b940aab23c158c1f077c519804f314c726b7bc5b70297561

SHA512
b7dd62912f8643a3f1cacc2b820bd853eff6bfc65e9d11010697e8fefd7e22d4f14ebc436c2274807c5f636753897a08eafd85465b658ebf54122482d3357c76

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
187KB

MD5
d1b8078d5afd155744c7c9afdb98adf1

SHA1
af0d0c2078ce29445930f5ad299696da14ebb612

SHA256
06cc70232683123a03286ee312c96e5d085fec698114b7698bd99b9816d1fc5a

SHA512
650270d5230b134beceded8cde307e2f6c1c770813901304afd67fce60704a403b4a27bd4637554e60d7588508d60591e28b5b37f4a06721c08df60d0dfb0559

Download Submit
C:\Windows\SysWOW64\Gkhbdg32.exe

Filesize
187KB

MD5
5b8298cabd974409e855456ab994b1db

SHA1
3c168c62b42ea19fd412c0fdddb8b852d8d9a7a2

SHA256
4944d02f11877a2b5399ec96ba6edc539ed1270354046fc19a3058b068f76e67

SHA512
c7d88ed1bd259eb7d140d2dde8ada0dca02a63306aec0d7d25187d00e221a1308842c02f370f860eda62239458480eede85b61f762ea91d97b0d8be621aedeb9

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
187KB

MD5
bbbf21aa691e82f93531a1a91986a7d1

SHA1
d4e4993b1b05c4294a7083791b47fa0aeffe76a2

SHA256
4cec603aeb9366063501266462d3a3eaad130952fd95cda38889c526be342b07

SHA512
f882ebdd4246760d7e1a8c047ceddcac20ce49da67603aecadf0ec4f29fe5d21440880f30ff0744c5e2b7bcce7b7def10bc6c8f49a30c0191ff89796cb95d657

Download Submit
C:\Windows\SysWOW64\Gmjlcj32.exe

Filesize
187KB

MD5
9060082043cecd212ed6c87f08ebad12

SHA1
f39546acd29d6480fd44c151dc3a2fcb4c0db954

SHA256
4d9524be8b87c3ff0725b216ce40a78bbb1e809973ad1a93775893e83c736a04

SHA512
a7da181efc8f26a6f6389eea3c771199a62d025e1cc61d8bf7241c8ce89361c6cef4468187ce2077aaf2ed85c0abdc18a5c18fe7f1c7c0067b53bba766c62134

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
187KB

MD5
81c29e9c90d592ee7ce36b26700e85c5

SHA1
7f12864582dac4ff5394b382a041999885f3a51d

SHA256
0f03f327665378b6e56615a127cb6373e38ca0f439cf59c4334f4cfad43487f7

SHA512
0fa3f4a4878078688f82881f90aaf38f7eb677aa68a6b9f79da5c60ccb1f7a38b7c7d5bffe9bab94704b75e0d71953212e1a5f76410fbd65ea9eb68c87d32c64

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
187KB

MD5
653ad346bef9476501f5e89e1fbffb80

SHA1
d8f5e63041595436df698a3defa170d17dd29a0b

SHA256
cecc0a80db0a6dd1e49eb00c1f79b69b78cfa901373ba33d18d95427365aba77

SHA512
3a0adcd533b04a0b50caf753159e8fe99b20299ddf1603302a1fe241ebd28dac53ee1acad9b0317aded6b1fbdd60450fbbfac1eef09c5d4518c06e342e3a1a71

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
187KB

MD5
8289db76b96a8bf662e271eefd773fa6

SHA1
96dcd9455a6eca41f9334ddd343febab0b9bb2b4

SHA256
c71f84183e54eef688bc8a6c912464f24bc2a0072e3cacaed44218eb9bf6b6b7

SHA512
2556a7c43031b4c9cff9fcc42790d84877571ccba9f995ccb488b6b37069e5f2c31b5ef68573b7da23199b943e5fbd3d37e4b7bc5eb89c6e48340242ff886739

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
187KB

MD5
6970b45236668c81bcaa7319b1834214

SHA1
2a3d7c863e6abb9d5dd569071f8c36e79e970257

SHA256
884f57ff144816ed7682784566af019a17d83cc2b72c75c9c8e02917d09043cd

SHA512
36f74f98a19bc26b2b8e5d656ca23ad885580a34c6688821c03206fbadf05fbe64a0b80ffb908e59b5de8039417ec2a520a61b3477a60a00d704b1bebd0e8c04

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
187KB

MD5
469266e266edfd69340eacc9e34382be

SHA1
a76699e3bf3612f5be9e53ead38b7267e78536cb

SHA256
1fe953b17824d7fb50cd914d762cee0340e6c48d41dfa30ef5c44998721f25d0

SHA512
b45b3d04f8b32aa9405331369c3c7037e9440fa88853eb7b6c505f62ad9b030583e369af09a9369af8452815af977e4f65854158d4cedbddbe6105a7ad0aa294

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
187KB

MD5
f3690215c137638e0c3fb7bc40fb25b3

SHA1
10470352713f28ae249f1bebf2ac6d650cfb1bb0

SHA256
7d5b5fa4052ac95cf83f39b35d23674c1e294953065055aa8351a5a2722b6c7c

SHA512
809e96780788a64508e8235acfe5be89a023a4c2eaaa3c6981d3087be215f609d7228bca844f1621621b523ce8a21137d01baa149eb5e79f2bf71b01efad8e6c

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
187KB

MD5
252dbdcfba0f306a8cd23ef73c5a1fca

SHA1
b14f45cc231ec1eef3cbbcf1c2bae568d3538bef

SHA256
2bf11a58441203e4db9c1d1a6a05d475400cee8f4987c3057c75a1e3b66635c9

SHA512
83fc2fa070e4c29ec23c1531a72d0750140fca71e0263976af4ad926ddaf17aa0608ed7627e70913105bf9ff0f41e30a580cd53865741710bdc488efbee575f2

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
187KB

MD5
657891c57cd92674f4678d3937811e1b

SHA1
8bab2ea2035c14034f3a2f6be7f7c71271f2fedc

SHA256
c7e6c416d89bb0bc57007ce6c39f3e03998b73b58264bfd8a2c6f2cde7a237c1

SHA512
72e939df2f8cbdf2e87fb3c6348abc66a29e17effd3d9932e22d8535b06e97cfffe0c4312c454e5f393b6d80f88abcc82673826dad8abc241698fc4c916b9909

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
187KB

MD5
844007435f000da9841f17a9a2adf202

SHA1
e0f479b8181f883e6c0c3a16b48bfd6403d6ed5f

SHA256
345eee482bbb86cff1fede1446d3aa90380f574c8d131b09a337712bb864c09a

SHA512
84f1ee7155c036c3f2428639f742125b61e5101a75584b777a4fc3e92f4781ee947c28709315b731cfbd76adc8c36ec70567065a9f33aeb842a00ddb4da3b59e

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
187KB

MD5
b909b61378918d31009c3421d7b3651f

SHA1
483afd5a52346869980fb25683391406427ad4d5

SHA256
71e00d77651fbac9be273f2dd7b27fdb1272c66ae2f69eb9433910ddfede2ef4

SHA512
475f25873ae5478d650001a2316bc37e2ef4300517aae68c9c0ef4f5d6cbe804e9507de1a387fe8554a4a4ccbe85a66599eb4642b414838cf4d63b5cced3037f

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
187KB

MD5
6f216773dd40a8e8850927f1479fd79c

SHA1
a0fc4e12f820ce844cfffb0615dc9be3507388de

SHA256
44c66e247b13b8e909fb77b3e9ebae4a108165835a0ad69fbf24823fa129270d

SHA512
065f5777119ae0be04cc67d8aa300e533c2c4e02c368bc1e7c2db3773e061084ebc82a995b95eb675704b0a61ac9a3181f935b573639df02668a764a334299f5

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
187KB

MD5
2752b38ea6981a53dca279920d2946d6

SHA1
dc1e7b8d152350d807458fc489ebd62cf703ee79

SHA256
ac9a801a27063b8d63709c1235c0f7d091d914f9c27f3593bfc2929ec1095503

SHA512
57a9b5940eaed2c04764a7585ebda69e4ab0a9f3d893c37ab9b53c824f3640e8aa25a8260106f0118a6f7148e00c0cc2f67c2a293bda4ff0b32d5c2b1e12a92e

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
187KB

MD5
fa2836a813f31d669f104ee22069a4af

SHA1
2b634b9d44ed98687317729253bfbf4f5897465e

SHA256
74eaf74d465f37b2b783d9686a5af8e01745dddf4cb96181f371b1a246e901a5

SHA512
a0822d96d9616be4bd83445c53941b29993b0f42175c134086f34f4fe87a71097f0f879d4bc6efffed4dabff3ccd4ee974bde5dd03369e99e2dd3769d310e8a8

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
187KB

MD5
a72575cb68d29c55207f0aafd7d6222a

SHA1
c71c73d1f96bf5db2b5eeed8d5cc4f7382c16b56

SHA256
4b3786f77c3e08b10628decccba570702c508936a5db108c3e8bee4ff1780582

SHA512
6843a3b21aafe0da7112d6b0eed548ef09652b8ff384c53d5f6cd91d40a1bd8ce93472af1c1d7a78320ee0142d140c3aa3a0c28e173a45f2eca12eee213793d5

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
187KB

MD5
1b5a0abb5a7028416cc2eb9b136483aa

SHA1
9d35580fb674c33a233f2278e2d8326a28bce4cf

SHA256
10ba6c142a4c938ab6044f44fd75455d9b4441885062abc59ca5936690101732

SHA512
554cf5c017997b79801621b499da9f136af58e46a3c5ab3aded63ddcc5a8eacf5b7797a3b4f8ac05f8b38604a6e5f98b033dbdba4bf237d7b600b8fd31bc4076

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
187KB

MD5
91276caf90f38480ec279381dfc52065

SHA1
f5f895185dff77c22f84e9b8fa1a2270600ee924

SHA256
6f0a5199cbcf81c3c9215e66028b913e9d73165a5f50743007b50cd504fe9798

SHA512
98461c27b2502a30372b14eea0d2985119cae87ca1df9c080b0ec7527e705bd57b2482338e0771f9f6d3447b5369bf8682dc4fe7ad1e909fce9a8d9e3c368e39

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
187KB

MD5
a31e8966289f8188d83a2f58b73b898c

SHA1
83c6e743fc9eed9e3bb245bd37efbf0a3555d9d1

SHA256
7de615795e7ed2875bb03bc07e37ed98db9b4486390e9f9ce63bfe999b68d576

SHA512
2fbd8914be462431e2543e418585325b67732e3b03fc6d5ae97427eb22e1f574bef9610ffbcfa362e1dbd152c1908e003c800c3a8d838e04f59b9eb46aefacbd

Download Submit
C:\Windows\SysWOW64\Kmipecpd.dll

Filesize
7KB

MD5
3e1c44445463e1a2c5572cf16c5c8025

SHA1
71923677922384fd81d37493f489394782be1c0c

SHA256
ffc1b208f43a25258e5e24a2ca4e339771511026470d9916bbced0f1f8804dd6

SHA512
093d301f0edbfbfa9d6b1b1867d1d624dce7922059abcf4eb0e8e206d8e85101c8b7fe0f1a42ca0b330debbba3e9c32cded8a994f8b826dec9e58a3e81fcb6fa

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
187KB

MD5
bd39517d54a2f6f6837990bf9de71e16

SHA1
9b54be648510eecbe76edbbaa33269e5d19ac28f

SHA256
15b2053ff294d6390ad782d2b9eeca9aefe75d804a18422dfac86f4aa550f035

SHA512
e2129022935264fc032513715b139ca3f2a62fd7ba8d8655ae7f08b1f5ede5bd4a2e4ea1c69d351519dbf8653d8e0aa829d8d08a6015fac3071fe0174106f86b

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
187KB

MD5
b6228fef46adf2a0c9bbdf3a43a59da5

SHA1
108c58009ff08473a3f51d07ec0d56bf6cbe896a

SHA256
f993067939c6dc510f057f083bfb4941629f6baceca9c74320d2fe9463f5d303

SHA512
b58935b3b545c6687bf5ac8db633b302d9a9b644e73f76f76973d3ad2693b70bd857511bb134c1f218d66a2cda0d33b69d1c7a97506126806674d11d012d45dd

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
187KB

MD5
9519335ef7d802829cac02e5068a6f69

SHA1
e6218b2ef6d49432a67b45bf637d96ff710b2986

SHA256
8b7c0b07f838b115ffcc62d685a7ac4d0bc4883e5cb8852219c615db61e07023

SHA512
a9b49028899d8b311380cd4a195bf2dd8e2546982e71eee76d412d001f57396d04beab1c9936fd9ffe0f9af193c17d3fdfc688a79170ae6f3322e35a407e21bb

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
187KB

MD5
050e2a91d3c3f0218186aab0155fe042

SHA1
5aafd182380db4ee30c660a8c9f0eb9dde4b3739

SHA256
68ee424637ed138b03971a45095ea4362de598fcd2fb2eb9aa0f18162d081631

SHA512
05d37453dde623b4310de5704a2a8fa3e6a829ab685b2e4560e40e6bbc2bdd7a6bcf68ef063d91e005c8ebf37f0cd6c57254b17203551e05bfce1c07df75368f

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
187KB

MD5
413d31f0a9d43722d01bc39baf8220f6

SHA1
d1a824cffda3a7d993471f885b46b7f4ae9b30a7

SHA256
e6c550ba60a4a90632284393e269ee70519c50e8b985c98e1decfcf6c74fad8d

SHA512
25dd535a9f80277d16a6ff3d3b7a85ef67735e1d1186b7bf36720d7b8318880e3cd9031fcf115edb961d5564a882bb2af48463b71b065097f4d49b205ef10767

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
187KB

MD5
a75cc4d937a2fe7cb7c46e1fc425c7dc

SHA1
b0d88b431a159250b2c47d0daab4b12ffcb5ba5e

SHA256
4637eaebc4b99f6fd32d96947a60e1fd2fb04323db40d05ab866a73a03689b06

SHA512
d300b368c95d9abb0c9183aebb21f6cb47fc06a43dd29ed84d886327c06011e6c41a95a1637396337918393e7e3172e32d4a8ca895d70127580801eade5d16fc

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
187KB

MD5
28cf25d9e1262b4eb12e18e2d65c7a41

SHA1
183bad2519cc70537a9cb3bddd429f575535c0ba

SHA256
a15da802f59770c3452e78c3f226afac86378c5e1d9591866ea6848b8f16c090

SHA512
f9b9c56c2f317311ef35e5d0ded13ec7ebf04655fcc9f043c391bac7e3e347307e9625aee8134927e3b766a11576a3f55a091a592e1f299a051edee38a44f9f8

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
187KB

MD5
bfc364f984332c6b2e04c992d6031c4a

SHA1
65bd06b40000c8df3f95c600e7816828f8788295

SHA256
6d2e3b8e0d03ee61732cb63eff1e3e1bd9fe8504f1388435494cc0a31d44859c

SHA512
68fb4fa4d272d275e82b14fb1a9a2e2eb52c0fa2176737db1354bee2bbe0f142353bbcce2eed36036f84260c9dd76e09d375950691c1c7dc4e18749e6d91fc76

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
187KB

MD5
8bfde101a8f2447a02b24614709c51f3

SHA1
d7d9afb233dcc2c44bf1ac7c4b51f304e3dc723b

SHA256
82ab06d13e80706932227a92c50b2c4222e104595b7669b0575023b57d879c04

SHA512
47c309cd4a3a8c1c63b8117bcc273d5e505094e2d3b26bd2b5782671de1ea0236db549b0fa0982dc8391c789449324b97875aa7739009b6f79941442689b2997

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
187KB

MD5
162b41bee16fd9b4f3a7b413dff3c720

SHA1
c908a37b32c214d1320dcf6cd57005bd35bc2a1b

SHA256
26273a8d9f05f47a8b54230b7934b7bdf589291aaa4f0c111f46be5405647c3a

SHA512
f9bb22b2a0f74f306293e432f166fff825fb0beabfbf5663533f606233967eac51f950bee73965e8bdc9da766efbaa8b0133c4e9f514e90c40990fbe301c16b9

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
187KB

MD5
ef77096178c5f28471b6d657f14cc3d7

SHA1
8d21cd918d470547d234361ebab5b6048bbf0d3c

SHA256
19243eee6811858719399558b7121c6a36ba2b88410ec8a7e48a27885cf29390

SHA512
5c6bd9370039311dd8cd33fca644c7dbea3602d854a39ff1965402a4b185514afa651aacf076608bbf968398b379eb27eb5561a851ea285db11b7c5ca4dd1b6f

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
187KB

MD5
0027fa11ae07090e390b5bfa9b2a87d5

SHA1
6930ea5df50feb34bb91986a96de4cec7c7ae27b

SHA256
4dc3e5ff9a3919f1edba84853268466c4c5e4d42e12f4231ca5d6b45d30409d6

SHA512
157cac890b08fbc623a35785423bca3091539943641cb43fde4adbcccf0f44eda38c37f6c88504ef937ef025cc482a54d4d0fdac569c5ff482ebb9176c707deb

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
128KB

MD5
44e1b440f24b11333f38a41cf2e58c19

SHA1
6b44473801f502cfa29d63db433baad2d9f8ceb4

SHA256
6deeec5f89f5172b9d415540fe7344e29e365d4c35ed5cad0d750f67a6f5b07d

SHA512
e763931983713dfc45bb10ee46c189d0f697965d2712e907a913a6cdd47a6d30f58521c071ff2c8fbc0c57cd50fb99bdca97c90ac7e16c71f8ac3bc881b63cc0

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
187KB

MD5
f9afc3242ab6bc8ef2c79b6e697605f8

SHA1
d8a0747c77efa32476f410163c1801f8cdc6d2f8

SHA256
a9c90422838e9f3ec040377f2126a7178fc2fcc82ec3fc3e66bee18094025759

SHA512
7b795cc77124c378e666a8be8e4088e0f7eafd9381b2de8adc15b78a771605751135e1cf6e84fbef49d642bb1746fedf1c7d5da2ff54f4a1d86533aa12fbc642

Download Submit
memory/224-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/236-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/520-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/596-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/648-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/952-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5400-1188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5972-1121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6004-1152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6096-1198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads