berbew | 09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
Size

96KB
MD5

44edccfc51222920ad8298db95035120
SHA1

7f840368c5af8c1ab069550cd28f5374d34ee881
SHA256

09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73
SHA512

98239ed86c8ef0f90e3d3e42734452da299466b00e31c74e6184ec875a2d8d1d1a7c3003d798514518799024fb7f022649095835847eb83ad43faf8c854c4b30
SSDEEP

1536:pNPZqi26ObHnpZkzKb2jWl5X3Ne+Ql2eueQu5fy62LIzsBMu/HCmiDcg3MZRP3cH:3Zq7Fre+KPuetaIza6miEo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkalchij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjlcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ildkgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbiaapdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gododflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlednamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eemnjbaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhjfhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1808	Ekhjmiad.exe
3488	Eemnjbaj.exe
4692	Febgea32.exe
4744	Fkopnh32.exe
3884	Fcfhof32.exe
1940	Ffddka32.exe
3288	Fkalchij.exe
5064	Ffgqqaip.exe
772	Flqimk32.exe
4328	Fbnafb32.exe
2688	Fhgjblfq.exe
4684	Fkffog32.exe
4452	Ffkjlp32.exe
1152	Fhjfhl32.exe
4564	Gododflk.exe
3148	Gfngap32.exe
4764	Ghlcnk32.exe
4268	Gofkje32.exe
3096	Gmjlcj32.exe
468	Gkmlofol.exe
4936	Gfbploob.exe
4284	Gkoiefmj.exe
4988	Gbiaapdf.exe
4864	Gdhmnlcj.exe
3032	Gkaejf32.exe
532	Gcimkc32.exe
2376	Gblngpbd.exe
4884	Gfgjgo32.exe
3144	Hopnqdan.exe
1320	Helfik32.exe
3572	Hihbijhn.exe
3904	Hcmgfbhd.exe
4468	Hodgkc32.exe
3716	Himldi32.exe
3028	Hbeqmoji.exe
5104	Hcdmga32.exe
1304	Ikpaldog.exe
4664	Icifbang.exe
2536	Ifgbnlmj.exe
440	Ildkgc32.exe
3292	Ifjodl32.exe
2148	Iihkpg32.exe
2904	Icnpmp32.exe
4992	Iikhfg32.exe
388	Ipdqba32.exe
1328	Jimekgff.exe
4812	Jbeidl32.exe
4976	Jioaqfcc.exe
2732	Jlnnmb32.exe
4324	Jplfcpin.exe
4240	Jbjcolha.exe
2780	Jpnchp32.exe
2140	Jfhlejnh.exe
2164	Jlednamo.exe
2284	Jcllonma.exe
4436	Kiidgeki.exe
1884	Kpbmco32.exe
2236	Kdnidn32.exe
4388	Kepelfam.exe
3252	Kpeiioac.exe
520	Kfoafi32.exe
4476	Klljnp32.exe
3852	Kfankifm.exe
2360	Kdeoemeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Fkopnh32.exe	Febgea32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Gbiaapdf.exe	Gkoiefmj.exe
File created	C:\Windows\SysWOW64\Gcimkc32.exe	Gkaejf32.exe
File opened for modification	C:\Windows\SysWOW64\Hopnqdan.exe	Gfgjgo32.exe
File opened for modification	C:\Windows\SysWOW64\Jbeidl32.exe	Jimekgff.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Fhjfhl32.exe	Ffkjlp32.exe
File created	C:\Windows\SysWOW64\Laapnj32.dll	Ildkgc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ifgbnlmj.exe	Icifbang.exe
File created	C:\Windows\SysWOW64\Adecfl32.dll	Icifbang.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Kpbmco32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fkalchij.exe	Ffddka32.exe
File created	C:\Windows\SysWOW64\Himldi32.exe	Hodgkc32.exe
File created	C:\Windows\SysWOW64\Ipdejo32.dll	Ikpaldog.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Clhkicgk.dll	Gofkje32.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Fhgjblfq.exe	Fbnafb32.exe
File created	C:\Windows\SysWOW64\Ihjahg32.dll	Gmjlcj32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ckhindhb.dll	Fkffog32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Jcllonma.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Kpbmco32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Bkomqm32.dll	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Nngndc32.dll	Gbiaapdf.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jlednamo.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mdmann32.dll	Gfngap32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7080	6264	WerFault.exe	274

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmjlcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcimkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhjfhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hopnqdan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimekgff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gofkje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkmlofol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbeqmoji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbnafb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikpaldog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfgjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hodgkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ildkgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifgbnlmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaheeaan.dll"	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll"	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffgqqaip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahkcp.dll"	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpihae32.dll"	Gdhmnlcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laapnj32.dll"	Ildkgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1808	1628	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe	85
PID 1628 wrote to memory of 1808	1628	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe	85
PID 1628 wrote to memory of 1808	1628	09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe	85
PID 1808 wrote to memory of 3488	1808	Ekhjmiad.exe	86
PID 1808 wrote to memory of 3488	1808	Ekhjmiad.exe	86
PID 1808 wrote to memory of 3488	1808	Ekhjmiad.exe	86
PID 3488 wrote to memory of 4692	3488	Eemnjbaj.exe	87
PID 3488 wrote to memory of 4692	3488	Eemnjbaj.exe	87
PID 3488 wrote to memory of 4692	3488	Eemnjbaj.exe	87
PID 4692 wrote to memory of 4744	4692	Febgea32.exe	88
PID 4692 wrote to memory of 4744	4692	Febgea32.exe	88
PID 4692 wrote to memory of 4744	4692	Febgea32.exe	88
PID 4744 wrote to memory of 3884	4744	Fkopnh32.exe	89
PID 4744 wrote to memory of 3884	4744	Fkopnh32.exe	89
PID 4744 wrote to memory of 3884	4744	Fkopnh32.exe	89
PID 3884 wrote to memory of 1940	3884	Fcfhof32.exe	90
PID 3884 wrote to memory of 1940	3884	Fcfhof32.exe	90
PID 3884 wrote to memory of 1940	3884	Fcfhof32.exe	90
PID 1940 wrote to memory of 3288	1940	Ffddka32.exe	91
PID 1940 wrote to memory of 3288	1940	Ffddka32.exe	91
PID 1940 wrote to memory of 3288	1940	Ffddka32.exe	91
PID 3288 wrote to memory of 5064	3288	Fkalchij.exe	92
PID 3288 wrote to memory of 5064	3288	Fkalchij.exe	92
PID 3288 wrote to memory of 5064	3288	Fkalchij.exe	92
PID 5064 wrote to memory of 772	5064	Ffgqqaip.exe	93
PID 5064 wrote to memory of 772	5064	Ffgqqaip.exe	93
PID 5064 wrote to memory of 772	5064	Ffgqqaip.exe	93
PID 772 wrote to memory of 4328	772	Flqimk32.exe	94
PID 772 wrote to memory of 4328	772	Flqimk32.exe	94
PID 772 wrote to memory of 4328	772	Flqimk32.exe	94
PID 4328 wrote to memory of 2688	4328	Fbnafb32.exe	95
PID 4328 wrote to memory of 2688	4328	Fbnafb32.exe	95
PID 4328 wrote to memory of 2688	4328	Fbnafb32.exe	95
PID 2688 wrote to memory of 4684	2688	Fhgjblfq.exe	96
PID 2688 wrote to memory of 4684	2688	Fhgjblfq.exe	96
PID 2688 wrote to memory of 4684	2688	Fhgjblfq.exe	96
PID 4684 wrote to memory of 4452	4684	Fkffog32.exe	97
PID 4684 wrote to memory of 4452	4684	Fkffog32.exe	97
PID 4684 wrote to memory of 4452	4684	Fkffog32.exe	97
PID 4452 wrote to memory of 1152	4452	Ffkjlp32.exe	98
PID 4452 wrote to memory of 1152	4452	Ffkjlp32.exe	98
PID 4452 wrote to memory of 1152	4452	Ffkjlp32.exe	98
PID 1152 wrote to memory of 4564	1152	Fhjfhl32.exe	99
PID 1152 wrote to memory of 4564	1152	Fhjfhl32.exe	99
PID 1152 wrote to memory of 4564	1152	Fhjfhl32.exe	99
PID 4564 wrote to memory of 3148	4564	Gododflk.exe	100
PID 4564 wrote to memory of 3148	4564	Gododflk.exe	100
PID 4564 wrote to memory of 3148	4564	Gododflk.exe	100
PID 3148 wrote to memory of 4764	3148	Gfngap32.exe	101
PID 3148 wrote to memory of 4764	3148	Gfngap32.exe	101
PID 3148 wrote to memory of 4764	3148	Gfngap32.exe	101
PID 4764 wrote to memory of 4268	4764	Ghlcnk32.exe	102
PID 4764 wrote to memory of 4268	4764	Ghlcnk32.exe	102
PID 4764 wrote to memory of 4268	4764	Ghlcnk32.exe	102
PID 4268 wrote to memory of 3096	4268	Gofkje32.exe	103
PID 4268 wrote to memory of 3096	4268	Gofkje32.exe	103
PID 4268 wrote to memory of 3096	4268	Gofkje32.exe	103
PID 3096 wrote to memory of 468	3096	Gmjlcj32.exe	104
PID 3096 wrote to memory of 468	3096	Gmjlcj32.exe	104
PID 3096 wrote to memory of 468	3096	Gmjlcj32.exe	104
PID 468 wrote to memory of 4936	468	Gkmlofol.exe	105
PID 468 wrote to memory of 4936	468	Gkmlofol.exe	105
PID 468 wrote to memory of 4936	468	Gkmlofol.exe	105
PID 4936 wrote to memory of 4284	4936	Gfbploob.exe	106

C:\Users\Admin\AppData\Local\Temp\09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe
"C:\Users\Admin\AppData\Local\Temp\09bf4ff6f23e9188a868e5c62c23721df4321f67243c29590588784bb9d18b73N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\Ekhjmiad.exe
  C:\Windows\system32\Ekhjmiad.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\Eemnjbaj.exe
    C:\Windows\system32\Eemnjbaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\SysWOW64\Febgea32.exe
      C:\Windows\system32\Febgea32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        31⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        32⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        35⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        37⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        42⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        43⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        44⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        46⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        52⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        54⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:520
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        67⤵
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2972
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        70⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        71⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        72⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        73⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        74⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        75⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        78⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        79⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        80⤵
        
        PID:952
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        82⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        83⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5016
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        86⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        87⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        89⤵
        Drops file in System32 directory
        
        PID:692
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        90⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        91⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        95⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        96⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        97⤵
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2100
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        100⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        102⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        103⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        104⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        105⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        106⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        108⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        109⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        110⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        112⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        116⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        118⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        130⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        134⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        135⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        137⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        138⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        144⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        147⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        148⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        151⤵
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6240
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6360
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        156⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6500
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        158⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        163⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        164⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6916
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        167⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6996
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        169⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        171⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        175⤵
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        176⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        181⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6704
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        182⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        183⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 396
        185⤵
        Program crash
        
        PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6264 -ip 6264
1⤵
PID:6968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
96KB

MD5
21404fd69371e28e6ce77da14d9408c4

SHA1
23efb4fd131490d1fb1dd4638f19c7dcb753a4ca

SHA256
1588799b6781d22838f6b14817092370d63f031d5e9cb341a7cdb89c416c292f

SHA512
9e6f365b3be998877fe7360b83abde5d87d14e6288b8f227b0431cf7f42a3d637d926ab383b0ada04aeb4a5addfde917024da17f696fdec631b6683c02eee395

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
f5e573c826d6e1ef3ec2aae809f7ac1c

SHA1
0562bd4e535fdbabd84738e644f4c04b5bda3989

SHA256
c3c3cd40627c62808058fee5f29e6ba14df98de719f02c30daca29d7183ed9ff

SHA512
d18055fe999e734c9a2d5be48c3ee4a9bc4f3c257446714f286209e639dd096f18132b4c16c90b1e9c9ef1914cd91d98c47d5e0cc83b9752434f47d41cccc0e6

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
6a0ac855ed9a6f9f4721429d887c227d

SHA1
45e42856ee22e47581ef28492e3f8368fdd1dbb8

SHA256
91297119847a4750b8b1df59b3e04a5900be9a4a33795157c4c75e129b0d21c8

SHA512
6b6cbae33d2a7de56c9dbcbcaf6291323a9b1356185672e134151c42771340a9c57b0b27dfecb58deec44c313c40dc0a63f97aa727f97f5df671bc920322eab5

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
801c3ebd22b6b8e8290449b1d7bb8110

SHA1
6c5aa197279e61fcf05e6a6605136c38b61f8604

SHA256
59209c8998008b4520fb6a5890a73a9c2d346b35c96e53faf9cc09f1b605786d

SHA512
9b50bd1cc19c74e96cadc7fb4738c70a0322f637f43b67aa45a8d7816cd37dd1e47288590770844c7cdbce32d7eebc76fd94f21e0f32537415cda30e2817ad31

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
a44c1b680100fdf2a96ae47c311ed912

SHA1
1d0357457688862dd8f8a7b0fdabfdab0c245b74

SHA256
2e7550cbe3f56c80f425e9c33e0b3508ae76ea62183f99450a036f902dd13bde

SHA512
b85e3838e7f20001e72f7aa662de46aa9f4af5a8e998fd222819dbb2725589e8da23fb2148cf5a189081e6fefd70d914ed2e90676cc541cd91cc786ade7ae676

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
c0447c240950ac1047829cdebbccd086

SHA1
f1c33f0fe0973bcecbd2d5897e772ca964a9a4fd

SHA256
6db7d70115bd105f123222575271e701f0fb72e123df8145cb6b5d46b3b81f46

SHA512
c7e472c93bb48bc96a62b8511f495931e3efc4f4d8986a2af73ac6910083dcc6e46bca1ec9c067480c9361f20a33cf3fc370f04d7e9e8daf791fbed1f09ad7ba

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
f802e0c5ef22ebda74db4316e4b41f9b

SHA1
e74432c08073be88c34aa7cf784328ae60c87773

SHA256
1e1fbea6b7277d8f2e613aed2ccca93ca39f83e26581750cc93e23dc4dffd4a1

SHA512
bca8e8af566d8e5fc5892dd367d4998d6044a5a6aeb4913ecc85099f996d724ea1d99dd699b3126666407678577e22d903eb20d3e7bfb8ad9b975b28cad18ce9

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
d70c79d3ceab8297cbb9a340f6e8570c

SHA1
24103dac137e1882494989b2b38f10a839f8c7d0

SHA256
301e67aef6855fbf0b7e9940715d9528bab5a9706f81ca8452848813ab8e2bfe

SHA512
acb09b3b07538775f098769a3f370b42cd925f79434b483e2722b9182f28276177c77e20aa2d65653d358d39f58268d2a590efb31aaa6e9f3419c36fe9e7d712

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
72f14726f0982bd2efbeb13d295d78e0

SHA1
a44c044fa1ef9607048975781cce477354c4dd57

SHA256
903a1a4b0303b823f63a50075e375d1524b1c3451954750c2c531295f17d3aad

SHA512
8eabcf99959075332a01e57919242b523a31324d07af623731125b4e36140f41db8a259be98da7d8666475b2c0e2d42db129b27ab872993b703539fc94b5b413

Download Submit
C:\Windows\SysWOW64\Eemnjbaj.exe

Filesize
96KB

MD5
521cbd39700b571e6cceb43724b43d2e

SHA1
51a7c1d9380cc40347f1b053e596ab669660bb32

SHA256
6f7e1e325cf61ef4ebc4dd9f57e643ea78f603fa4cbe16a7534593c40ef1dc08

SHA512
c109542fb793ef1da342bbf52c4d01e8802c1ad419595fe3a0fe81d01da33787edd62a86ac615e1a270b3ae0803d0e4fe050a68133f8bc0e3035999e347093ef

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
96KB

MD5
9ad58d26dcbd946141b4940ecad46702

SHA1
1df00d64a7ef1e2e5d89716ace64397d0423e376

SHA256
30886ff727cf562facb2ec7e5704f56ba37e1ff4471ecd1566552c5550116138

SHA512
a8d9b0aa3b2b8d214522d0e0675286fc0287a43b955cf7a451bfcc66615225ecea729adfdbca1784dbd6d4fb56146bc3a90da4f05e4dfdcaa52ba6d6804001c4

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
96KB

MD5
e267fe73fb2fc21bdbf1682d7fcdfb57

SHA1
ae3ea5820cf52a023b12dddf828e45b76611db11

SHA256
c96e6c703512ceaf9ec7ab482a834d167abb64a03d955bee6a801213e2198a56

SHA512
a6ca9905a13be03efcf8948d526e7e533e34ff28b337833ebc3fb82fdb9bb1b44d7ae814238ef19cc59c0c132cc7d239d9e16b1a58756ee273c2952459ac41be

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
96KB

MD5
19830a4df542ede3f415eeabb45e3671

SHA1
961dc689a2210023da7dad86ec7dc9e1365bfb14

SHA256
0a7f8800164d0fff4599da77227efc4ff9e8443c9765d65e37d7bd4e741320db

SHA512
2f28fb38f50e372f07b5b60306973e6e24b9d7bbd5b1dcfddff5a4bb6894612d406995f614f6ddb52098314c5361b1d3e1c2f7e91f6e41b790c0b0b70044e9a7

Download Submit
C:\Windows\SysWOW64\Febgea32.exe

Filesize
96KB

MD5
d80f350691479eb34d83067bb015fb56

SHA1
0b6070f999b457333b6ee90942b5b911f810f24f

SHA256
f7d3fe79270be62a6cb04875e1dc219ee5e75739b72e09118c3cb33072f38928

SHA512
602d14ad0635ff135cadbc5b8d126f5a81225a24a61b24e71bcca5d287643274e917dd488e741fad26be39ee8a61190d9287a0aaed0b24342a425d5a79b412ad

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
96KB

MD5
a86f656b6c1f31f9487109c57b2eb968

SHA1
3666fccc31880f7019177e02a126a2e706641c02

SHA256
8e09c4e38a65c3182a68880b0782e1f6d59610836f862c09385a67be3140bad2

SHA512
a2570b9646ba08271a0236d16eee4313d771ed8d3e439223b4fca6413acda12d6ec88245337b2f3001f2e9cae5373c94f38ab70282fdcfc1b5e2d4721461f904

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
96KB

MD5
a2864d47fb7a8edcb890a6b445d9cf17

SHA1
30a9be52a029e30feb398b0f40336ec999c491c8

SHA256
c705a0c20be50f27fdde8356c0d355bb8cb6ddfb534b78a0995942ba45088dfd

SHA512
0962c843e9a9b516fb88f663593be69c5b5be81fe4820b6e443922a9fe4f18d7b0c9921f8009557b04fd7d86588d9988ac0784cca12ebd8d57506a857194375f

Download Submit
C:\Windows\SysWOW64\Ffkjlp32.exe

Filesize
96KB

MD5
0a660ae9c1f6a7737c9ebd89ca42c5fd

SHA1
c2d1e7b65efdae9696797632a57171ec575cf696

SHA256
da60a5c7a6377adc5d2a45cdd39a58f8fa52f5ab1124e28702ea18778e81bb6d

SHA512
4d3a1ab69a05b1a9df95895e50b8e6a4180836065a51cc6259e8dec1f47c5cd7a5f87b203ef7cd2633fc08742257e5c640dc9bad7cbc9846bf4059fe5dbcee57

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
96KB

MD5
a7802ffad62698aaf6813d9fa6084bca

SHA1
f99526f6ee6c1ef8f7b509199910ed17ffe83c71

SHA256
77cc9c0a494708e7fe489103bc21b93357e9ba3817f91646c35fb0d2cc8a8fc2

SHA512
6f039d92a150797e77de67cd8ea246922f012ecb6c75fc52fc1a2e7e1a1823bd2dc2d9dfb8dd82b0476ff772515779dab1939077cbb7831755d59120b50b78fa

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
96KB

MD5
cc13f5c4d5d4bc7717c3168d7e3b3ee7

SHA1
10da50780976b470a0d9b05810037a2916b1492b

SHA256
385d59d59cb3926bfeb92ed290b89739b29c9bf89a6c892f79b2930d49f297e4

SHA512
ae61caa79fd2fae7104a63096b9f138ee804bb3e2ce26c326d9135736ede1862febb78e937b28997f0099a2ebe612e0f5a275ed6e444aff57e674bc6a4b43052

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
96KB

MD5
7cd38252b7ea0c215d63cd5c4a10a86f

SHA1
9e67cb063ebabfde2759fb2ab94863607a1b071d

SHA256
c544b8810921933891e7d0172c2b26f9ccf4a288432eecaaf7b102f3c99b3454

SHA512
68119bba0eb04408d2e8f419bb1eec5e370187e0c3ccd22d78d07152c5cd7ac7cce0ced6be2ae3db686e566f9ae803473b400dca666f4ae4f6175d402811a9c5

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
96KB

MD5
d4611f1bce626d9a9a525cb7ae95c4eb

SHA1
98586e237867abf07da8cef0f81770936afc3d42

SHA256
8e5a938b3984fc88fd0c2776d7c1b420bf1dee70229528a112f2da0958d6f9c3

SHA512
6b0ed502bfb0f2d6d704fdd67eb96863c68302f4c1a8b584ae20b6ae051853de2fd397177de519159f44e78a95481bfc91a8eade750aca87f7fa5ce0e726b983

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
96KB

MD5
15803c4c60dd279530e133727c73e5c4

SHA1
d6d0ed3a9db1f0af3d7214364451661e10d11b7d

SHA256
52220590f26c05c9430261eaa3022362c44ef01b712d3e91e5f259eb2a9a9638

SHA512
344de3dd53499b30b587d625cf36ae2788893e22dee4d43fb55b6ad8f6768641072c9de5adb9d43cd686592c8b30114d6067476a0f6b3cff1a55bcd1a32412c8

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
96KB

MD5
c9b09611aa944906c6f71a0587a518e5

SHA1
1f0f9a5342b824fec9e2a07ef4ec1ee6ecd14136

SHA256
f044fd6d85727c8523a0fac5346d6b3045b3ae80cd6d0710b2698962f5d5f5c1

SHA512
fd56739a0c33047f6c9f6b0e24965762d0fca85ab5449a6be1527018f15a4204803f7db89e5ec2b101f3f0dac62c0135bb36e4b1b68ace310263860754125ffc

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
96KB

MD5
7bef183891ca65cf0b9d02dec5ccd7b4

SHA1
3cc6dbeac126f4fc8f94a52dd415036f7d8cfa59

SHA256
50e7a07c9076a75992cf9bee3947b48a2aaddc3fbd68157d68a32ed6f0051785

SHA512
e17e6cf1d52c653663e4f58dea5bb1d0af1116c57c39fa063d33c87d7c1505f2262239f53d99bad43f561bfeee6d5f96550ecb4e64f2854443b31f1370e4d8f4

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
96KB

MD5
77bd57b460bb6dc0c86aa545a5e20dd6

SHA1
207999967dac766fb9bc7d23479c11d5b8f233a9

SHA256
e9e6d7215a003a95d982d1c009cadc4517c3eeb37010e0b30af412dc29a4139a

SHA512
178f9cc9b23c8eddd26a4fd422089634051b6f46cdfdc7b0f4b851daeb50d445df452ae57f3810fc573adfaaae2cd4d037e324895b7557478c992eb51096cedd

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
96KB

MD5
9b2d23a1b4870e680299451095c70802

SHA1
391ce7f72a9a877a2bd195e82491b427f641e410

SHA256
45fe2cce33c05288048903f5eabb63131a27518c2d9cef73a5f017ee676bf237

SHA512
db62f8a77fbe400d4417c0fb283905fc6196ecd4124e6df4323ee014819ac19db96d16004ee6be8f05a3662fdc3b6ca4abf17539f582f1b778774df08d848166

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
96KB

MD5
d19244148a6eac60a49433801139ca6c

SHA1
b82a360b0d6cd025f93084b96ab38a04ae9a5872

SHA256
df648356f23098550a32444085604ed6a853fb0c9f223f3bec38b42aa73d8dc2

SHA512
cc8e55c69173c22bac48f1fe35becec60ee148f8ffb347d7ff90458f4e0734171a1143a731f77aed7148269416bc4b7bb9237f55926c3e10dd24128d274daf94

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
64KB

MD5
7eabbd95dba0fcb79f2bd8e5c42229a1

SHA1
677f2e12bd210be26516f2adf5a8c186c1152c4c

SHA256
a8b20da2eadefb2fa3b71ab5baeeb0a3c4af28dae51cdc0e43e28645ddd1b5a8

SHA512
95ff705a675e1a704cfb102d271021b6f393ed3cc01cf5323811aaaaf9e81286a0bf1db44a5b4ed82bbac4f6a4124ecbf4077cd11665c6f0df1a08cffdae5b59

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
96KB

MD5
ab93073ba32b7acd21c7d3bf03c414e4

SHA1
d3166c838c4af430e97902dddb6006aaf3c0811d

SHA256
f315d4fff42549be5cf37f4aa61594f91047debfd4bec5af0ff316752e574e95

SHA512
3eea304d639c367d5c7db30884b1baaa5bf45010632b57808ac94917b171fab7c4dc4128330ac690eaab4c6a507753f0a7b9ca04406e4fa148ca31071e89977b

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
96KB

MD5
f21c6afe04031b565adec48138bfeca1

SHA1
9d1df46fbe94a30db5d4bc3a22a08941e8f220ab

SHA256
331247723ac4a8c163f07b095f5d20b83807ca496237f03d150f2448d1e049c1

SHA512
58660c000488f38a8f568ce66c07703bd45932a6b32023b5479653dc23f0aec5c4f3fa5bbfe5c74ef92594da32250975a9b2ca75b6cb2ffc10681b3c13e237e0

Download Submit
C:\Windows\SysWOW64\Gfngap32.exe

Filesize
96KB

MD5
198470080972f06448df259ead143fb2

SHA1
0521c0e59833f3d8572ecd950c9af384dfa00682

SHA256
79fd71c80808f9aba8e7ce7737b51a2073a7c77946026ff48f1dac38e18969e0

SHA512
7b2c3dbe63caeaaf34d40d8f1cc17ea0ed2c0157af01dd110d68bb2d7075696913835f39c3bd33a60afe18f01893d1c1fd71defc532d8e68302f4af304dabc0e

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
96KB

MD5
4739c2186f12920c13d924192c7cec5a

SHA1
da3e38cfd008806ed08e1a2a2aaf1cb0b7991243

SHA256
56cd40bba34dd3d6eec0fbb08ee53fa28f44f305514f5ae0dbf6796b1c59ddc5

SHA512
205b6a92e57b0df016ce0341afb1569043832ba4004f5ff6281eddfbd8796ecdc061abba8a2348825a0e68ed2ec5592e58168f2fa59fc379ff00fdeb197024fb

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
96KB

MD5
cfce3451eee12950bb5b07a87a33ed22

SHA1
ec67a5d8264b67c5577327b6bd758ec2aaef5234

SHA256
6cf3ccba1229b3e009645b91784dad899bcee78804e20e312503be7a0c635cb6

SHA512
00be33a808209115beb304d83d0332d963b7b3901ebc94b52efc8bf69a0d90df3e4dbd67161c13205eaee2f67cc58ae6b21df8dbc48282988200fdab997f59ae

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
96KB

MD5
0aeba64de19b8542f82e4ebce73c4e01

SHA1
0850d32b4d4d0cf69948788f117b071f3ccb930b

SHA256
78d2edabd84351bde5cd6af547e97ab0eaae5f6eba454faf538d9c51b56e3cc1

SHA512
57699bbb61d0244564f88bb4d9173449d6d7f8cbde6649f439778c9afae34f59bfbb68fb94f35cac4d081a26eba62d74d2a5d0d85a497b44e841a9d0807942c9

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
96KB

MD5
ef10bf51c6d8cd9643d116fb2a642b67

SHA1
c64c1164d54c8c265f1b44c037512e7a95c2c7ae

SHA256
0c02f180ea3a22ac460af974c699472184623399f988f17332cdbcab1b240def

SHA512
47832c661f8d569bcc16701b9dddac51db2e476b03d33e6415960871cc6fe6f75f215b2e1448db2f852e2f6df6451df9d41b3ae98d14606f84c319144b875148

Download Submit
C:\Windows\SysWOW64\Gmjlcj32.exe

Filesize
96KB

MD5
a85168bc36da6db72e520236867d5c72

SHA1
835aba74082978af1c19dd62d40aca71f68fb6f2

SHA256
8fdff738356381e557221997fbc14297acfa6203d4f415c8b09398df71fdf547

SHA512
6278a2fcaa34f89795c0f9e67e8ebafba2692bb8e5cf69f6e29d338b7ec49a8f04a596f4a7b7430b942135d8d84e44160dbfaf48793c23b1912728d87c82c754

Download Submit
C:\Windows\SysWOW64\Gododflk.exe

Filesize
96KB

MD5
8abb41a064770c939893811a090e8255

SHA1
7dda561eaacb74474bc81bff37f5fe69d6abb5e1

SHA256
5dd4b8b578e354b91424df7db2e2f95a388cc9984ea9d362f20af20be50e150c

SHA512
07dfd8742039dec819cabb60405d00d12f5c13cba249f042c523750fe2a1bd2587c747a48200c56695e4a7b1cbd127a43d79f2a388ecaae968e8abadbe167e82

Download Submit
C:\Windows\SysWOW64\Gofkje32.exe

Filesize
96KB

MD5
537569cbbb8eafec74859c114f55c33e

SHA1
f52b6a963975e1e7fd2927580f67f5c4c5b5da83

SHA256
1a77b9b6eed19d14d3726e753e20d9b4e4cfeea8081e33354ab9d28048b222f1

SHA512
a44e2c6489485c31f65ad0f9a272a35833a8e08ff8c15c27405eb82831a0b26e4e6db68530e7ad884a281dcaaed5560d199efb654fcd14c9d3781c25b43ca2b4

Download Submit
C:\Windows\SysWOW64\Hcdmga32.exe

Filesize
96KB

MD5
b8a8e10fa1491c3ad21b3e25b58b73c3

SHA1
440dff6ed4077f95f60605bf77992d0a0fb4269d

SHA256
b593c53f9adc624055e219c662c3f2eada4ea2a709f80807c9b59589a76f486c

SHA512
428eadf2d001293628ee7169d15e83205d962d58e1a6e363a7bd719aaaa3c7c98173590ea25e442f6b29ba2b89b149f2a395e7b2b24ef09318eb745f678c5f88

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
96KB

MD5
0e0f32bac2b853f124df51eb919d3ff6

SHA1
b0febd3c54002977699c381a210a83055a41791e

SHA256
d24bf686c8577f2a45d52df2dd451cd41e5e12f542c94ed1de3c0ebce8522705

SHA512
22e9c7e8a199d781db7128f63fb88cc0de388dae58aa32be35d32c1358c759de47aa3096756ae1f6e5afa7530859f773f1d1e18ab351bdcef8faec67f878fabe

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
96KB

MD5
ce7ff12501eef822f617d3035ca857f8

SHA1
f6589efbf6887ef3b0972c522bdd035eb88d4582

SHA256
592dd074ef37c76e78e452c5054ba510ed614209f1d56486ea8fd4178afce06e

SHA512
8a24a29c961d6a0c89f10ce6ed2ce4a35ee2d8a53e601940f34fb3201c8f0227862e70d54c16d7e581a35857f1e9e0b31556caa3a1c6053743a12f237d02cc2d

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
96KB

MD5
6d57aac28e318a6d4929cd5144feb5f1

SHA1
1e0bb920be4e9a74f1c2a1f7abf291b16593ed8b

SHA256
16dfd69d0ee21bc90e76318f3bf27a5de0919a0da1737125eced17c188417b0a

SHA512
0642da946ef164cfa70c73472e69015beeae37b69355eee0d321872816f99052985c2cc7e1564dbb5c827cc8b9880fb51750e837d0e52cdb012a5a0a444e33e4

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
96KB

MD5
8582fd1a197722c98d72a459e2ca248c

SHA1
9dbfc4b42fc0993ed90f22f95c17beace61d4d47

SHA256
aaa25f3a41fca7c13fede74c91598aef7e3a8ce944a1f803304f399473316eb4

SHA512
925bae8dc3e6d788dbd4d3216c29700602f45b576850c5a1a7d68fdfb551084e90947a5493db34ede05e0755ca3a6b73d81ee168ad07a1a73d9b934c2ef1ba24

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
96KB

MD5
16a35d027dadbcad62e98fa92e2f0f64

SHA1
15a78fc0e6641b8b354ada15d04026714cf980d6

SHA256
07f8d7d2b2e04f3e9af0914e2f2d320584936c38d3a897c312de411bc3edc4ef

SHA512
56df4ea28203ded8d8e7ca6aa9be9fc5158a4e8c0309de6fd004501c560703bc4fe9847196cb261bd35efecf12f21d62e5ab8dddccbcc7bdf890c2fbc3b415b6

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
96KB

MD5
daf667e71f90d0723c3232a49b431c07

SHA1
40e3f0235bd22310afbaa659f1dce2cff635603f

SHA256
7b50b6aede4a1a6f101dffe3eedd6a12a65e0bc838968bf3bdf60047b874164b

SHA512
e48308d92d20fb8608a2de2954bf2541c6957df6bec4fa20cbec19c3f1879160af9ee49e9180bf3d070404eb9f82ad0bbad1bb1883ffb52c4439f54e7c695770

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
96KB

MD5
29c9c9a7d6c9bcab0055ca6193af508b

SHA1
5746bb3458ee435cfe85edeb564212c175e9d922

SHA256
19e7490367159d97e7934accc0ef40424f1092c83d70fa1efe3947e4913e2141

SHA512
c0f19deed7f4ee3f1142f9c573c67f0ec8f87867bf40ceaf69fdd80791b62a8451e1ca890cd22bf4dcf337ce90e19e18287e7a9728e4490e4493dc690406b349

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
96KB

MD5
4e0100597fffd90e6652c00474dd9829

SHA1
32eca8bae81e1801627598667968012e3f3b6763

SHA256
3e99a2f7f77a2005176e342e50fd12270eec1eb3776ed96289ac3b804de86eaf

SHA512
9a47f3198dbc295c2342be6f91e76d943f4025adb424afa4769179176cfee42488be3f83e55af749c0e98fb156f21266e04349f66dfc4e66bba918d2972a9ecf

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
64KB

MD5
509fdd5a94ee2cd9beb78c0fe0ed2689

SHA1
49d264ed3405307713c27f78d304efbb5697c2e8

SHA256
9ddc5e993c35656aa70d48c604cb30286894ce43cdac7e022ba52eabdcca80d4

SHA512
6139839dff230205305d11ea40fbfc598cde3287f5d389ad512707ceb783ebacfe0873c504ee3d1fbde6bfe9c29d49d21196ab215e0264c68e6b953399400d4c

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
96KB

MD5
8d8327b9820b28533c47761501cb3def

SHA1
32d9c375fc9130726b3e6314a47e7d76edd20b2a

SHA256
37536ba2b1a9e91656019df0596240a97c6d7f99162f29c182c13570f916f1cd

SHA512
5ad3bfdca37e432c830843dc5a81c220cca69384151868cd9a40826b22fe072226c07cb6d544d79a3e5c8e77620b6e0997d82c0f171a396681a4ea2563699dae

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
96KB

MD5
cc81fa90cdabc2bcb8cc50e5ef919a8a

SHA1
875691d5a5f6f91b97ceb523fc0fbba9e5f1acac

SHA256
bfb0a0fc0a9329c84a4afeb92b92fb87eece16e90f671071a11d5cb578f5cb9a

SHA512
7a065e36a4874ff2074a444641576810235acdc7d5fcf7dc997babcf22b23d9479f0f300f40e8685214b7be69b887187e57d526499a32e10f4fc559ab6eb6cb5

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
96KB

MD5
397e96c809d6b9453b7ae4b48a722399

SHA1
da1e9c308bc1d3f1ca49cf252905329c5b3deeb1

SHA256
1d1d8becdbe7103a573871987c5cb4d6ab1f6af5299cda793cef32bc499aff85

SHA512
6bd1bbd1e561bb762068afd79c09bdb3ba654a041fb771477ad84bb98b57d1152943d86d09f2391c028a25cd9de6c47af5b735cc6f805659d4e1cfe5a5c27a02

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
855ee978da9f89991eaefb3b95cb0a80

SHA1
2812269ab1a84962c8d6b7eeec9dfd121236b951

SHA256
af60aa16398b18fc3bd3e131b042035bc757150dde8d4f78acb7b4be7b0888e1

SHA512
717b45afba1931f6d0548ec50fe83e439c92291abb316665fe48ad313412564a25f1bf823a3a4076b1aea58952f3eaca89f7b9aed2559a248d88744fe662d588

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
96KB

MD5
a8dca4e2a79a2dbc7f1a656cf219a42f

SHA1
3a1f7da6a932f5949044d311d56678d2ac43e0b1

SHA256
0d4206f7ad7664e4440971eb6caaa6c0c14ddaaa82396d0dac5ad59639e5c6dd

SHA512
bfa18a30223764445188b6bced5d49f897dc1b525e036491760e8fe104b4951322ab13537a4eb51d5993346cc3ca891ff741fe191fb9ce0c422b13756525022b

Download Submit
memory/388-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1628-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5828-1373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5960-1372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads