berbew | c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925

Analysis

max time kernel
115s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe
Size

64KB
MD5

e59b2dae8a80075cf297092938d54b30
SHA1

3779b206b8531b2e0c1909ce75bbaa001c35bb4a
SHA256

c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925
SHA512

43ab0ef818a189a4e8da13c1a85c0c813ae5adf242343a7602dcc8f8b0c34a05ccbcdb4dd71ebad85b8358bf956d6934d88d5b8bd28a88c98793b487932a6238
SSDEEP

1536:KNO8NVfZZ8FZG8uncCv88+7nBZYsIWyvrPFW2iwTbWv:Oz81Z7eX7FW2VTbWv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2224	Nepgjaeg.exe
2248	Nngokoej.exe
2876	Npfkgjdn.exe
3148	Ncdgcf32.exe
608	Ngpccdlj.exe
3064	Njnpppkn.exe
2256	Nphhmj32.exe
3684	Ndcdmikd.exe
5008	Ngbpidjh.exe
4984	Neeqea32.exe
5044	Nloiakho.exe
5056	Ndfqbhia.exe
3948	Nfgmjqop.exe
4756	Nnneknob.exe
3492	Npmagine.exe
1064	Nggjdc32.exe
2768	Olcbmj32.exe
860	Odkjng32.exe
2040	Ogifjcdp.exe
1896	Oflgep32.exe
2572	Olfobjbg.exe
2868	Odmgcgbi.exe
4844	Ogkcpbam.exe
372	Ofnckp32.exe
2060	Ojjolnaq.exe
2084	Olhlhjpd.exe
4888	Opdghh32.exe
896	Odocigqg.exe
4456	Ocbddc32.exe
464	Ognpebpj.exe
2516	Ofqpqo32.exe
2412	Onhhamgg.exe
4368	Olkhmi32.exe
3280	Oqfdnhfk.exe
3616	Odapnf32.exe
3052	Ogpmjb32.exe
4464	Ofcmfodb.exe
3328	Onjegled.exe
2016	Olmeci32.exe
5024	Oqhacgdh.exe
3916	Oddmdf32.exe
1688	Ocgmpccl.exe
532	Ofeilobp.exe
2264	Ojaelm32.exe
3896	Pnlaml32.exe
2888	Pmoahijl.exe
3952	Pdfjifjo.exe
1440	Pcijeb32.exe
2468	Pgefeajb.exe
852	Pfhfan32.exe
4028	Pjcbbmif.exe
1060	Pmannhhj.exe
3268	Pdifoehl.exe
2820	Pclgkb32.exe
4856	Pnakhkol.exe
5000	Pqpgdfnp.exe
4168	Pgioqq32.exe
4396	Pjhlml32.exe
2816	Pmfhig32.exe
2864	Pqbdjfln.exe
1404	Pcppfaka.exe
2908	Pgllfp32.exe
1196	Pfolbmje.exe
3972	Pnfdcjkg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6792	6648	WerFault.exe	266

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2224	1316	c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe	83
PID 1316 wrote to memory of 2224	1316	c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe	83
PID 1316 wrote to memory of 2224	1316	c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe	83
PID 2224 wrote to memory of 2248	2224	Nepgjaeg.exe	84
PID 2224 wrote to memory of 2248	2224	Nepgjaeg.exe	84
PID 2224 wrote to memory of 2248	2224	Nepgjaeg.exe	84
PID 2248 wrote to memory of 2876	2248	Nngokoej.exe	85
PID 2248 wrote to memory of 2876	2248	Nngokoej.exe	85
PID 2248 wrote to memory of 2876	2248	Nngokoej.exe	85
PID 2876 wrote to memory of 3148	2876	Npfkgjdn.exe	86
PID 2876 wrote to memory of 3148	2876	Npfkgjdn.exe	86
PID 2876 wrote to memory of 3148	2876	Npfkgjdn.exe	86
PID 3148 wrote to memory of 608	3148	Ncdgcf32.exe	87
PID 3148 wrote to memory of 608	3148	Ncdgcf32.exe	87
PID 3148 wrote to memory of 608	3148	Ncdgcf32.exe	87
PID 608 wrote to memory of 3064	608	Ngpccdlj.exe	88
PID 608 wrote to memory of 3064	608	Ngpccdlj.exe	88
PID 608 wrote to memory of 3064	608	Ngpccdlj.exe	88
PID 3064 wrote to memory of 2256	3064	Njnpppkn.exe	89
PID 3064 wrote to memory of 2256	3064	Njnpppkn.exe	89
PID 3064 wrote to memory of 2256	3064	Njnpppkn.exe	89
PID 2256 wrote to memory of 3684	2256	Nphhmj32.exe	90
PID 2256 wrote to memory of 3684	2256	Nphhmj32.exe	90
PID 2256 wrote to memory of 3684	2256	Nphhmj32.exe	90
PID 3684 wrote to memory of 5008	3684	Ndcdmikd.exe	91
PID 3684 wrote to memory of 5008	3684	Ndcdmikd.exe	91
PID 3684 wrote to memory of 5008	3684	Ndcdmikd.exe	91
PID 5008 wrote to memory of 4984	5008	Ngbpidjh.exe	92
PID 5008 wrote to memory of 4984	5008	Ngbpidjh.exe	92
PID 5008 wrote to memory of 4984	5008	Ngbpidjh.exe	92
PID 4984 wrote to memory of 5044	4984	Neeqea32.exe	93
PID 4984 wrote to memory of 5044	4984	Neeqea32.exe	93
PID 4984 wrote to memory of 5044	4984	Neeqea32.exe	93
PID 5044 wrote to memory of 5056	5044	Nloiakho.exe	94
PID 5044 wrote to memory of 5056	5044	Nloiakho.exe	94
PID 5044 wrote to memory of 5056	5044	Nloiakho.exe	94
PID 5056 wrote to memory of 3948	5056	Ndfqbhia.exe	95
PID 5056 wrote to memory of 3948	5056	Ndfqbhia.exe	95
PID 5056 wrote to memory of 3948	5056	Ndfqbhia.exe	95
PID 3948 wrote to memory of 4756	3948	Nfgmjqop.exe	96
PID 3948 wrote to memory of 4756	3948	Nfgmjqop.exe	96
PID 3948 wrote to memory of 4756	3948	Nfgmjqop.exe	96
PID 4756 wrote to memory of 3492	4756	Nnneknob.exe	97
PID 4756 wrote to memory of 3492	4756	Nnneknob.exe	97
PID 4756 wrote to memory of 3492	4756	Nnneknob.exe	97
PID 3492 wrote to memory of 1064	3492	Npmagine.exe	98
PID 3492 wrote to memory of 1064	3492	Npmagine.exe	98
PID 3492 wrote to memory of 1064	3492	Npmagine.exe	98
PID 1064 wrote to memory of 2768	1064	Nggjdc32.exe	99
PID 1064 wrote to memory of 2768	1064	Nggjdc32.exe	99
PID 1064 wrote to memory of 2768	1064	Nggjdc32.exe	99
PID 2768 wrote to memory of 860	2768	Olcbmj32.exe	100
PID 2768 wrote to memory of 860	2768	Olcbmj32.exe	100
PID 2768 wrote to memory of 860	2768	Olcbmj32.exe	100
PID 860 wrote to memory of 2040	860	Odkjng32.exe	101
PID 860 wrote to memory of 2040	860	Odkjng32.exe	101
PID 860 wrote to memory of 2040	860	Odkjng32.exe	101
PID 2040 wrote to memory of 1896	2040	Ogifjcdp.exe	102
PID 2040 wrote to memory of 1896	2040	Ogifjcdp.exe	102
PID 2040 wrote to memory of 1896	2040	Ogifjcdp.exe	102
PID 1896 wrote to memory of 2572	1896	Oflgep32.exe	103
PID 1896 wrote to memory of 2572	1896	Oflgep32.exe	103
PID 1896 wrote to memory of 2572	1896	Oflgep32.exe	103
PID 2572 wrote to memory of 2868	2572	Olfobjbg.exe	104

C:\Users\Admin\AppData\Local\Temp\c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe
"C:\Users\Admin\AppData\Local\Temp\c9a3e152cc5fa3a72371eac327c8d92fd3cbf44f73493836a4e096f452379925.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\Nepgjaeg.exe
  C:\Windows\system32\Nepgjaeg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\Nngokoej.exe
    C:\Windows\system32\Nngokoej.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\Npfkgjdn.exe
      C:\Windows\system32\Npfkgjdn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3148
      - C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        24⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        26⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        33⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        38⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        43⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        50⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        52⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        54⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        56⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        60⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        66⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3204
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        69⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        72⤵
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        74⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        75⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1756
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        78⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        82⤵
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        84⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        85⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        86⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        87⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        88⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        90⤵
        
        PID:900
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2336
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        104⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        113⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        115⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        119⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        121⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        123⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        125⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        126⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        130⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        133⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        135⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        137⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        140⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        143⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        144⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        148⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        149⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        150⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        151⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        154⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        155⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        158⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        160⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        167⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        169⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        171⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        172⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        173⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        174⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6336
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        179⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        181⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        182⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        183⤵
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        184⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 404
        185⤵
        Program crash
        
        PID:6792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6648 -ip 6648
1⤵
PID:6712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
64KB

MD5
4af8731b90e589dbc117de9ee92e8a41

SHA1
df43a94df7951b7339e67efbfda2cd9b18c53d47

SHA256
6fab761034923c182f85f8eb797ec377ff627e0a266dd35777a6026d76d24766

SHA512
c96a68bebc4a309f5cd1732e6439490f0bc70f039b84f84685c65b64bede1ded54a02c6b6f47615d24af5f983478acc4547aff460fa10c311d36c4c3f1f1417b

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
64KB

MD5
e4b7fd76b26a4d5e7cfedf2eb9174cac

SHA1
9be09c63c5a1ec1687af61eab0e259d6445ad62a

SHA256
f01e6b99f8020fc71d7238aecbc564da4c0fc86faf8932744b2912a32309ee99

SHA512
6e05633a4605aa08d34a72d7c05276d4ede442c2cc29cefc8ef38020c7460d67a32ead256bc5333fd91af9dfc3836d3c4ad390b7c86940336578f1923450ac70

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
64KB

MD5
d073576226acb8323f1e1a68f61540a0

SHA1
dab6e0ed77c5488747e9976b5fbd490fa93d4f5b

SHA256
79a383f09fe58ce1363ec2b626114f1094990f9aa13242e7853393a4bf7d46fb

SHA512
15cd27a103688d715d58a8f96fef1e68b50b4c77b54b5b817aee12a068949f7fa178d7aaf0ebcbaf772f472ae0c79d19c609fc5879558914b0f46f9e6ec28bfd

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
64KB

MD5
b977206f5af48035cc52d1fdb8b724ef

SHA1
5f4ec30537699bc36c91860db047c74cabdffee4

SHA256
f4c4c5f6e6aaad0f0813a66b0a85b405311e964613b95424ddbc2b4dee5443fa

SHA512
b24f2653dd08ed58a7815e85b28314270a5768f28ac7660235d9a6913dbca76c8cc7ccbb330b24ec30d1d6083c43f2a1c4030dd16db3a17b90fafd34eaf60c9c

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
64KB

MD5
423265a120fe6ff1c573c8754014569f

SHA1
27dd78f754c5ceb3bec741c48d92a75331b82753

SHA256
c22642f3d25a9b8830de3b13dc418a48869769af76a06b9b27258aff6924cbda

SHA512
745336801a33c193b62a2fa7e3bfdf1b94ca11e9c7d39cccef51bf392c78a7286b5e93cb66d4e1324e563788fcc314a1e973cf4d9fa1c3d9db2b88f4ae4fb510

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
64KB

MD5
24d3d8b9855f5200768c2b6b26872c83

SHA1
bce2a226df9027ec48912a2cf5bf996b4631afa6

SHA256
f0428744dac7af82295ca928c3f2fe07b48d7c17072ee6a519fe526a07afac60

SHA512
0f3cb4107ecc4847b4732d671c90e9c46561d31adc1b65ae27c71de5c798c0f22a962418e986b5f456db6dfbf21a6bd67578f527d85337aec5ef4d803710255c

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
64KB

MD5
98c82acba25ffd6f70aefce60df0900e

SHA1
4a856e8a8b5c0f2921ab8e52f2f7fff27d9699dd

SHA256
0cd6bb24339328e2b60e8351bd8ba4cf8462e7f7fc281ea2c44be5e57a182d11

SHA512
f35049cb82120b3c9332f1cf6c4507188841f1e3274df4915a84381a72dcf8597b149921ac62a0feddfd2299f85d90a8b8a59ad1a827b9a9133f14a8b816dc01

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
64KB

MD5
47f321fdc41cda18f255b665c5796659

SHA1
92e7a2035675bb0c72ccb37776cec75d2daaf532

SHA256
b3a959e571ebf4c8fdec45cfeff3ba188f0d61427df25f699fd8f3900b4412ba

SHA512
5f444343740a0c60d3ab7adf5e489aba0c74ea63b0286381c93ea5aa14a5df0fdd002feecd5d436c5b4bfd4eebfac7e674546518221254d15aed53b8d3e1d38f

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
64KB

MD5
84575ede15860402a774d6ef8a15caa0

SHA1
f22d8754602333bc7aca9d756a699ba2b73cb261

SHA256
ede065dd270adb4f28a732dc43f5f77aa864165f1b4752da94a1aa5758c207eb

SHA512
7d9f7b66b32929e6b1e694b01d180455c1282813be0c3a99976c339528d83739e55d2aacd5802f63d2a164208dd826f0aa049aacaf0f9f76e6e4f1a64b6d0e9b

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
2f3e31c805d984e53641fe541a013a3e

SHA1
940c230c97d763207594e5de9a6e77c7531af270

SHA256
773edd231a6db8c22bd8c84c0ef226bd1fa8e61ee58d4f5e4b1d113846f77a63

SHA512
1e7eb86c3ec2c843dcf66c3252f477ea92f9e4a4f52c02cca161eccc6cd08a0072199aefbe11f171d2e42f37f450213fa4e136b76c2769b6b5839cd237440fdc

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
42683477e7238ea95aa17317717ee36e

SHA1
2131dbab828140c00e54a1160e5b87624ef070cc

SHA256
1940ef31024c16ce84be2eb0806cbe423a2b7928f1b3cb874e9566a639224923

SHA512
ac7cce5ce4f50d1b987f1f42abc665e83abedc33f0595d3ae5ce53ac12a94ae4a6f476f0bdff4d4d6842beab79e9d48803a2ecbccc68c227de94cf189a1515c8

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
64KB

MD5
25e0b4850df92be641c0c089ed55d191

SHA1
187c15379e3f49aa502838d9a386ed0831e1590e

SHA256
ade2234f629a794c6f595f051ffec7c64b65807bd3ef85350a215b3ed0bba45b

SHA512
9fc276403220e3612460b211439620b9dc50460fc10a569793cf3968a51c42879f40422e854e68dfa3d1b32c2e4efe0d807905bedfcad649c3fdc2177d74abbe

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
a7514b1a555c06dcc1d4d26cd518d62a

SHA1
d3d769d4c0dcd5e85ca2776f45d6adcaccb94b3c

SHA256
e0979a6d881f2772954fab80f40e3a93590d348d3710a4313d9c837e58a9cc4e

SHA512
8735d2ab3c70d9e7597a4c161ef6fbef967f20f265574b8856a79e383cae416a7940d96493d369547d3b389354c4828cf13176651aa0cdbb2ffb9782c6e01395

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
6f25d7961f769fef2303ec90cf5b978c

SHA1
bc452576d08ea881d6de3b6e73caa91978b5e11e

SHA256
f60ba9603e5398304ddd47628c5ad285ab66f14a43aef95873e5ac2375d62fa9

SHA512
8b1e34b82a6654c528c465ea0a1c68b0312347de267ac2196854ee1cfd66de3dc0356a809e70be4ce2dcc3ccf5c895e932db1a806ae88ae30c793bc645e30768

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
c568b08d55bc86dbf2c9e884b9c64202

SHA1
418affab6a58900ab16f4626b2066325b19ce269

SHA256
d8b0cc3805ccb6c44d3eaa479f0afce8f7ac7767895c700abafe65daf8af9753

SHA512
099136bfc7eef9114d2522a3e44786d3c18339637f2a021d9da9116cdf4b9637268fe806b8585fbd9cedf7811e95d7fa25d4002555222b9c98583297f2bc4507

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
64KB

MD5
d944d3fddda7dffd8208513b9d4db794

SHA1
68714ccfd7d06c0b3b4a4bc1eadc9aa1a7185145

SHA256
b954cae8390dd4e4bbd1f9901841237f3585e0a488d1ee1d792ad4b659b8a910

SHA512
fed43c2eed6b077648bf946e0ab247f6fc82dc345b1a18fedc34ffb0c8c7bf6ef9e63e0dedae0b119fc44fe72f2ae23a040d4771f3db6fdc1aeaf6140b19b058

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
2f1674e86d40a2dd0d30a2e6036f02d7

SHA1
e1c085ea5e13cc4e4d5ab27d2a92233aca887c99

SHA256
b15c875f19ca294a016cfd932fff53e08f5a550aa63c49642742dd34f396bc71

SHA512
1f3f07d20cac37cd9ba5c550d5188eb32ef1d7dec7ba3c48cd33b881e71497c169052ceca87d4287bfa4cfbe496e21d021f74fadbb6f2ce493f626a15c022bde

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
64KB

MD5
65e899443f38aeee94923a03f257ad49

SHA1
17bcbdbf334acaf35195e8ce20fc5f3d8bc3c275

SHA256
84cc5b5966842d6d9034fbfa6551cc67222c7da8007d43d7fa52c98ea54be225

SHA512
6ec50a24a2fba194cadf6e154e72d34c666bbb54f0ca5cda2bcf54e949433e1eb06b18c20233baf1cbae6dd6d405224f44ea9321c352cd937072bcaf5e06ee3b

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
64KB

MD5
ac7fef0f9c4631897dd3d540235b6562

SHA1
9e76a92d6c169887716b491a99064ece7c6baeb5

SHA256
bbd124d86906dbe8768e12d4798af84fbe7050324832a97b50ed230584304440

SHA512
e774eb9afe2d486e0a814adf8b27f627448c12825d292d6ced7688db971b96856b490df5e1b0043dfbc522b68e4db8ee9f845fac958cd40c4037d3b37d1c4d27

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
64KB

MD5
ed5bcee99f35945e0f3d5687ffff8edc

SHA1
02c4fa0879ad40f5382ceaae3d74078b8274db92

SHA256
4c22d41e9e8c82e332ba8661b84a14b2afc825a4905673854d0fc5fa656b8831

SHA512
0f79f5f69d4e9884b110192cce4aebeb4813123a7d54f8e3a997d2dee0e940d12ccb77597341299f0ab87bdb7bb37b8c116923a8d561977fec4d027bc064792a

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
64KB

MD5
bbc0d52d43bdbc1a1c6d0288135baf34

SHA1
a79864534ec4282ad9b7ea1433266b9b1378340b

SHA256
caab190afe62f21f99780a4dedf9c3a642a8d05df75f25b6042b95b82f376cc2

SHA512
5d199fe3572e7e180331d0d069c8edb34f2ac899b7d80a6221c17a8d8248aca242de67386ca8ce922310355d4ae3bbd635d055e2a77d2e0d6a3d82a7ffc4e771

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
64KB

MD5
8fa2a06cad4b6a3368db6bd5d06eaf22

SHA1
4e05e416409a1e6edb13aa052dc01c01cce8dfe0

SHA256
0b025a2694b672487dbfc9e284ec69b97d215856968fe53cf0904264d2fd7e85

SHA512
1e7fc621447bdf72fde636cc91ed6775c564f50c36a3debdeca669662d6449909bff2b913c9894630da6b2851e2dde8e094407dd56e8f55ecbbac09f82a142ce

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
64KB

MD5
808d9e6559737886691e0efc3a7c9b3c

SHA1
cb465826659743b7e6af75fd0400d6a1ed2a5a01

SHA256
7f03f8703da07718910604978adfc9a6db557f881aa4d4b7aca31f6fdefc3e4c

SHA512
7d7eacfd6f10626a438843549bfc0aa9c9143d984fc7886e542349f32c7edd0dfa989e7273b7bbcca679d126e8793719faa9dd2b2abc382611e14110df9d50d9

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
64KB

MD5
e7655f69be0a56e25bd8d9a75eaae9e7

SHA1
612e5249db4e97e1dae26113cdfa0a821f12c0c0

SHA256
58064aca6aad2dc5b4e10bda11c2b12f298f43104448776d99190cf070f3f502

SHA512
1448e294d42c3000314bf89d8c275a167860279428676da26c03c7a5452e03e95ad142a8a0417ca99fdc50a37dbbef4f3474160f646cfac4893169c24510f48a

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
64KB

MD5
c1af0767519643890f236b311e68df55

SHA1
0b056e2b656d09885e13a40c49d66bc408f1aadc

SHA256
6e17af7b07b4cb6c12dd40a59c317b3538f21abb547f9550169110450bc9f989

SHA512
89777e9271a2932da363665f5bc62d025500b37865c485f80a808f779bc7e7866b5f24b3154d20747014f01e824be91c266472ff186700d4e42f24006ee80316

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
64KB

MD5
5d93857aca91fde532a344c36757baf6

SHA1
82e31cf775d4ceb83f8589a3030011f55ec790ba

SHA256
15438ccc5edee72dbb59616453e925a6d1b9440929da69076637f6a31b513efc

SHA512
b67b9a36dc45e187fa34d8ff8d332a6262fd153cc0b207b8c36c5238b0c08ac07e51ba1b3f1134d99f073861619376b473fb951225b14c8ae7878a454fb3f01b

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
64KB

MD5
b4e2d0eac2e615c5d526f91eee2ca234

SHA1
339cb2a77fb19e26a785379a5dad0cb4fb645297

SHA256
35757d5485dd0f96cc2d00e0d814f19403354f1f621796fb0488f51643923d1f

SHA512
f639da6dc696199bbdc229797b15a6c6ef1b5bdf811c66929d491907bc78bcafc429371f28ee92f8cb32c3ec8cd5ec493035cecab7a79ba610b86794c16f226c

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
64KB

MD5
f192de50f5bcf3b7bbd4ee58cf2e9f4c

SHA1
984468682f8fab0b64bdb7cbce4b6db5048005c3

SHA256
318392055cf405e50946810a6d5833bb3d709cdff281279f0566bbf9a2d8acdc

SHA512
ec3b49dfb75777d1a47ed242616d200bbcc4728453ee596fe6f068c5e64cf3aa0004db7d6417926e28aafba31be756f954a30656a957aff50f0a87bf8fe171cd

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
64KB

MD5
e56b3640286a3b9914e7eb6deb70b8c0

SHA1
dbb27b9f6fdf983acc91df865d6562d25cdf976f

SHA256
61db8a314396ff15ea7aa79ab99151c722d6f3068ce6677fb703ea2bb8ea1ba7

SHA512
07d767bdf481c45e07367c4001da794c2332b97f90c4b052f902780919d7dd85195591e1661c0f5e227ef0cb7ce1c0faac1a6bd6eac8289c678bb653f1625d0f

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
64KB

MD5
cb67feef07fe45d851b23559eb857887

SHA1
af03b32ce864d837a359026d2fffe37aad385faf

SHA256
68ac26f4e07da914929808641129fd3fc3d2588097dcf77f534cbb583d8a669b

SHA512
2337817cf16f67e88b99a8c5dadb0f932e8b79fc06ee1fc177c7e3344041b836e031135aadde849fa070f12116eb9702774619515d1967940b849f0bb84c8149

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
64KB

MD5
98f0a8e4ead688647287dcc154b6b323

SHA1
c7259124f38598e1d8dc5d11b7f28d4395c5c557

SHA256
64c5f680d1a91b76ff6f9ae4d1dc0ee10d5b2a0e92fa4cdb88302980bd1b5011

SHA512
48157492b1e91b04edf6e5999ae92212c67728cbb8eaadfbf11783bfecc5558db86d69e9a1d63e42aa070943ff37128d3b4b5de4b846b9d871e05669d94447de

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
64KB

MD5
ff5edc2cad0422b199c09ddbf21f59e7

SHA1
d11a8414107b242428ccc9694bf31c5f3548d799

SHA256
2b5d5d712e1373ddf2d14258ec4be0dde2d3baf16f985e881853bd13d0634405

SHA512
ddc66ccd4002c119c4b34677461d664be90e09b00af6882179ef54383ce14c1b917c227e952692749f44c70cace80a57a3661eae510291ed9ffea2af70370830

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
64KB

MD5
f4711bc52d90bc4a89cb671a4a338020

SHA1
1027d9d67e8bda734f933d535a4e353af096f813

SHA256
bf64f6cfd8f34dd0bfa5c2b998ed0219fe554f04f673b4b2078549cc293af2c2

SHA512
aa24a9ff705ba2de9aa5e9b94ba0fd6f1ece2ac2bfe7bf768eb317ed8d6731c6f8ffe00d41e13ea3c64a5bb11eb67ced5d2cb805bb780a6dee96396c5c25739c

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
64KB

MD5
1d4fb907cb323daf4c3b59dbce85837c

SHA1
5007123ccb5b4dc103ec39f7bec353413a951551

SHA256
75e8c5001733d53de548e57b2c573c25f6d0de68779c41acd9f6fdffd60e61f9

SHA512
33994cc4f139f7c879da92459047ecb66be9e2f72048a8f207ec2531bf7669cb82925855c632ba03ce19a3862ea20c6d8186046a5bec8141647da8942f4a293d

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
64KB

MD5
84ff36458d3b3adb7f84030ee0827385

SHA1
2ababdbd61f9e55c5bf9ffcadb0436768b138a28

SHA256
5c5869aea2ba852ef586502c4a62597959af76290c8e463a59343f81193f9b8c

SHA512
aeca38bb8820391bb1b986ce2b248ded88e21dbdf23913bd0b4e0c7f5c842ed453c08635b28b2b6c860c357e289d8fa4c23dc46b5d3639f295ad84e9bca89a31

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
64KB

MD5
594d06c90d80f3ea0d879c909924ad43

SHA1
e4cef64bdd9d18b2c2a540de3cdeca24064cc7e3

SHA256
3cbbf2018101c3ff1b2e1b197f5723700203e74e59a01e9f0afe2e188514615c

SHA512
b48110821b37700081007e07aeffee392a02e2c74ce939dc24b7b76cc32316b28130f4b50e14a42b60fb3ae56359e9c643a35f25f2c4873e370fbbb3c047a6dc

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
64KB

MD5
e3369f846f3db4012057da11426bab42

SHA1
e68018a27ce49b31d1f46fd3e5eb9f15f7f35c64

SHA256
e935ba0a70d86fc1b6dd3c36d92e26625817d7f6d7fe7eeb41be6bd0e5c7bea9

SHA512
e1f4eb92f2352aaa9f2f14553c3f053a3cc8b615f158142464a0212eee0713c96da5a2acc5a3459e477b1570c76272cc6bf7864afafe84f497f70d92a197c559

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
64KB

MD5
e1974bba376e843b7ba5ed938bea818c

SHA1
b629efeac591b94bd037439d5988a48887da15b5

SHA256
d8d9c29dd9a48016acd96c4a5278c3f29466672c6afadecd4e773697b9aa41d8

SHA512
c445a4d7adceac1545df1c8fc1907ad10f30f57d4579728b5afe94d900a41e53fea0e4ee7e8bfa00a1512013ff6699054f6ce4fb3afc637ef707541e43a0c163

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
64KB

MD5
c716d0ced86188c607a0f400ce319788

SHA1
b7cfc335178c3b84a0cadbbb3e5c180533943900

SHA256
bb3fc37d71b88195592504275d6cb3416aa97994f7e669046cc93ca6c2bbe37d

SHA512
27892f5aa2c46e30c04109468889f4bdd656c8aa9376bfa22a65e442c55a5f812f266b11b14eb303dadf2dc0e4261ddd3e47b2118e7e0d71f0ff7b7ab2eb02f3

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
64KB

MD5
e27e20bddd8ee4d1a6a0c77e74ccb862

SHA1
149f424e71e5fc1b8066aed77672bde18346cb41

SHA256
d31eb106b4df836f5bf9ff8fb72acb5f018c9c665bc064bb304fda5971382da4

SHA512
ef48c9476e434bfdb7470cbb1818234d35e30b81d5707bc138c6ce95152425ad3dfac2bf953e2815478b758880993b0a4128e93ec7f1fc0d51210f86e58ce53b

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
64KB

MD5
e61372c806c75d127c700e462d61aebe

SHA1
9514a840aeb6633a35ec1d6765d6f0213c7e2480

SHA256
d06d0b9829920ea07d3b1b5b3a27a0e2cc7a3dd32c0f9169a396064311dbc33c

SHA512
b179be86a031283116d7ae6e69d64c99b07f06883b6182734f3e09d6715e6dfa42403c4abe55a4b317e7f4dd79a3c0808e34c2ed0e3f535bf818750cc519bb29

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
64KB

MD5
8ea9925dd9d3a31b044adddfcc6494d4

SHA1
f29b28f9fb09b1d0ffe55a43265911fbb7134152

SHA256
f1fcaf876f9290cdc6645b678598679ce020931c6a8c7ea12de68970aa19880a

SHA512
e33bd24bb37e8fb9973b0f050126e10126d6f7e5bada99115938080fb8426f467c65d2a048d219a781a53f0451a5451816c7dd336ababe993ca9a8c246f32529

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
64KB

MD5
2e5727041ffb4fc0fe7d77ddda430e35

SHA1
79293a4959e72d1fae5137dae3037d1766f12ad0

SHA256
8804b11ad056a5ec9760f1e58bf4a660cada0835b71cf4e418ede0abc56848a2

SHA512
1bdd9fe825481466ad7e1cecf8f4e2b52fa28f2f92025adcfb8dc9c68e3f2b1b41f0ba189b9c79b6092e4d16274b968530bd6f1a24c0d15952cd94537056717a

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
64KB

MD5
b4642ccfc7a2ddcedc61a3aa08d72908

SHA1
814662f1f2c66e78cd300bc0e3c3a829e0ee043d

SHA256
153b612e72cc0cc09661305aad83f987b4b3031049cb4ddfd18d8a1b4efc85f2

SHA512
ece9f3c410c6a55f813ef939a69a876d82394bcce47957e526322b99a8aea5c3b5b83a33023696b5915c51b0b55906894205fbf39a752c5a836c2bcb80b61533

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
64KB

MD5
ca8fddfa519dc08d31278e2e34f3d550

SHA1
aca1d62da0e225a3997391b9c9dfe6418f78455a

SHA256
8b487d8d3b3c7f6609c6a3bc10bd35708fb219c61d68fa0c96684a087268a0e8

SHA512
cdb68a54522fad582a2ea608bf7ca6ca111a0c02f60d63d82c2e5cfba25662d0e444020a76a078b026869f78e851bf956e4e163f278583638f1ab148cda8a395

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
64KB

MD5
7259c40f1afa040443ea4e1f261e07a7

SHA1
45ab1cd6662862978fba43a4937a42322ee915d2

SHA256
ead5238c7d158f8dcee57736135769c679c1f8ae7c89673a0d44b530678e7833

SHA512
d5bb00f1753e52979551be4a887eb680e90c2d35c52518553ca18067db976f64541b826c649d0282010810ca14f20978e1f2ee0606e295bb8c0d20fc56bc9eeb

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
64KB

MD5
0ae21d67b7819b9766ae71e2e05a8f77

SHA1
5c7c8fd376e8d210a47430828f45aed1bc93cc39

SHA256
36cc920dfc71980bb189f425d515068f9f7118f07618b4c0beac8979af2bcd43

SHA512
3729bc13471f791f351c9d2be6c0890baf69692bc70db41737face31dbf8b9d7754087764eea7ef9b0c535b1d8e9871e0c7e5c23de86b584ada61e9aa941100c

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
64KB

MD5
18453ff446011a826de43d83d3bb4cc2

SHA1
6942586bbe97eaf449f22e389ee8672b60f7f0de

SHA256
3862c23729dca55703fb84f1e1cc81274aacb2c47feb74e46de0031964ac681a

SHA512
e234d2e1aa26a803d5713f44b06e133392313a09b77b5cce043983425838830a1f57dcc4bf3d4679d6fc786501bafd963d651a755209f478a1edb99597e44f16

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
64KB

MD5
1ffcc9e8ecd17cb1961c470718af5851

SHA1
cbd64fd0f799a55de6d5196832a2f44597f71278

SHA256
b317e4786e23352138179612365300bb72a50156801f20e3e3530c64c2d78347

SHA512
ec5897510ebef4985936bf60a3126f08d9c11a0052c2f9cfb998fdfd6f1333e8d8dd374371eb6e30ed8601aa87e0b4e71d328a5e3740f8f6f56a772343930d88

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
64KB

MD5
723738d0f173c403b91606f59446b9b3

SHA1
a9aafb0b326da10c72003af687c0a4e6b0466aa2

SHA256
e5c2b864b049cfeebca9c07329fa5073905fab3b1758a72717856f9fe172ad65

SHA512
efd8e9e48732f73299730248b79cd83465e6830717398a2974e38e40b9910cd3331cb473fa9d888e5105efc28591664614c0ff36d94a53f3ed8d326abee31058

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
64KB

MD5
2cc35aec25199c747dee98a45921490e

SHA1
3e4e2781edbc52781933bb383ce49142256def1a

SHA256
f82842fdb0f0c3b476d5d361c2f3a9bd864e14a23f267c5f35fdc28db52c0caa

SHA512
59d85126e656880f664d57706fcfad4dd9fdbbdf0729cf879e28c1a0ef9e1f048f3e56d18eb29baacc99aaacc85650bc8fc481793902f0620ed1985f241ad2a7

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
64KB

MD5
01f9333bf747a71355b1b0c7a6e2bb7a

SHA1
eb3016429be8dfa922a5d634815cae47911db112

SHA256
72b9da5e9a0a92250eef99154006367b744616f37c60d88721ecaa6d934348ba

SHA512
c3c371a2dddada265329bafd08ad1c6320a79acbff15f521ffde27662a3f80955c2d2230470dab0491e9ceef6e9ac5e810331913126d145b236bf5ea9048f1bc

Download Submit
memory/372-211-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/464-265-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/532-349-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/608-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/608-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/852-391-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/860-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/860-246-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/896-247-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1060-399-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1060-459-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1064-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1064-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1160-481-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1196-467-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1316-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1316-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1404-453-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1440-379-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1688-343-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1896-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1896-264-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2016-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2040-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2040-255-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2060-220-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2084-229-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2224-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2224-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2248-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2248-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2256-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2256-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2264-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2412-283-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2468-385-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2516-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2572-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2572-273-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2768-237-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2768-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2816-441-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2820-473-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2820-411-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2864-447-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2868-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2868-282-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2876-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2876-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2888-367-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2908-460-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3052-307-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3064-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3064-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3148-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3148-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3268-405-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3268-466-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3280-295-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3328-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3492-219-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3492-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3616-301-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3684-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3684-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3772-488-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3896-361-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3916-337-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-201-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3952-373-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3972-474-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4028-397-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4168-429-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4168-494-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4368-289-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4396-435-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4456-256-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4464-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4756-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4756-210-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4844-202-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4856-480-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4856-417-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4888-238-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4984-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4984-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5000-487-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5000-423-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5008-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5008-72-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5024-331-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5044-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5044-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5056-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5056-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads