berbew | 121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3c

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3cN.exe
Size

322KB
MD5

d8c4aa1713578024f1a6c77e3317ede0
SHA1

a2ece18ec830bb034c6150f28ac4685d7b38e977
SHA256

121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3c
SHA512

e1cf3f864e7c71628487807a815463cd2163fbad956024a043e984a3c01a69c5aa84dafdb6f8c6ec160bbd5da1f6a117677cec64d6d8336b48f3d3058fad71a0
SSDEEP

3072:Q/lHDJNy8MLRf5FZAVFdo/uA+s9eGSVGZ3Odl:Q9Htk7x5FynLA+bTkO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmalldhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Badgdold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhfne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnedfmlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojecok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keappapf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfiogn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblhokip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afepahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abnnlhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niegehno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apndjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhmggcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aikbnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhfne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlbefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpdghkao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhennjma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdnhofj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aamadpbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbhqbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liaelpdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnnnllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apekklea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgfbochc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgmoidqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaajdckb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pblhokip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apekklea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkhip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolaogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmmdoppe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddlong32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfocgfmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemfeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpgdmjpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchffcnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmljjgkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nomclbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbikjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cibaeoij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kblmcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kppnmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mchffcnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paoebbol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Badgdold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdncliaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnajk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofpnok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckkhocgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbblbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjemfhgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfapmfkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbofbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpdghkao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefika32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aikbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cikkeppa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjmdgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhennjma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckkhocgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdclgh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3596	Jbjqngim.exe
5044	Jehmjchq.exe
3776	Jhfifngd.exe
2008	Jlbefm32.exe
2856	Jpnagl32.exe
3288	Kblmcg32.exe
228	Kaonodme.exe
556	Khifln32.exe
3516	Kppnmk32.exe
4852	Kaajdckb.exe
2836	Kemfeb32.exe
1828	Klgoalkh.exe
440	Kpdghkao.exe
4604	Keappapf.exe
1724	Kpgdmjpl.exe
5012	Kedlea32.exe
8	Lolaogdd.exe
672	Lefika32.exe
372	Liaelpdj.exe
1620	Llpahkcm.exe
2912	Lplmhj32.exe
1484	Lclfjehh.exe
4620	Lhioblgo.exe
4408	Laacka32.exe
3252	Lpbcii32.exe
4244	Lfplap32.exe
3424	Lpepoh32.exe
1604	Mfbigo32.exe
4360	Mjmdgn32.exe
1064	Mllaci32.exe
2996	Mchffcnj.exe
4536	Mhennjma.exe
3340	Mfiogn32.exe
4384	Mlcgdhch.exe
4324	Mfkkmn32.exe
3448	Nqqpjgio.exe
2744	Nbblbo32.exe
612	Nbdiho32.exe
2128	Nqeiefei.exe
1888	Njnnnllj.exe
1808	Nmljjgkm.exe
2676	Nfdncm32.exe
948	Nomclbho.exe
2564	Niegehno.exe
2576	Ockkbqne.exe
3336	Ojecok32.exe
4552	Oijqpg32.exe
4564	Oqaiad32.exe
964	Ofnajk32.exe
2840	Oilmfg32.exe
3816	Oqcegd32.exe
2288	Ofpnok32.exe
2876	Omjfle32.exe
1780	Ocdnhofj.exe
2488	Ojnfei32.exe
4192	Pmmcad32.exe
3588	Pbikjl32.exe
436	Pjqckikd.exe
4180	Pajkgc32.exe
4428	Pblhokip.exe
4592	Pfgdpj32.exe
3916	Pmalldhe.exe
2656	Pckdin32.exe
3912	Pjemfhgo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Liaelpdj.exe	Lefika32.exe
File created	C:\Windows\SysWOW64\Lpepoh32.exe	Lfplap32.exe
File created	C:\Windows\SysWOW64\Mfkkmn32.exe	Mlcgdhch.exe
File created	C:\Windows\SysWOW64\Dokimi32.dll	Afepahei.exe
File created	C:\Windows\SysWOW64\Afhmggcf.exe	Apndjm32.exe
File created	C:\Windows\SysWOW64\Mbklhceb.dll	Kedlea32.exe
File created	C:\Windows\SysWOW64\Foipagjh.dll	Lefika32.exe
File opened for modification	C:\Windows\SysWOW64\Llpahkcm.exe	Liaelpdj.exe
File created	C:\Windows\SysWOW64\Pcnaonnp.exe	Paoebbol.exe
File created	C:\Windows\SysWOW64\Bmmdoppe.exe	Bbhqbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ckfocc32.exe	Cbofbf32.exe
File opened for modification	C:\Windows\SysWOW64\Keappapf.exe	Kpdghkao.exe
File created	C:\Windows\SysWOW64\Pdecpd32.dll	Lhioblgo.exe
File opened for modification	C:\Windows\SysWOW64\Mhennjma.exe	Mchffcnj.exe
File created	C:\Windows\SysWOW64\Dooenm32.dll	Nbdiho32.exe
File created	C:\Windows\SysWOW64\Fjpiapan.dll	Njnnnllj.exe
File created	C:\Windows\SysWOW64\Oaodfe32.dll	Nomclbho.exe
File created	C:\Windows\SysWOW64\Mpappm32.dll	Omjfle32.exe
File created	C:\Windows\SysWOW64\Pmmcad32.exe	Ojnfei32.exe
File created	C:\Windows\SysWOW64\Gedelh32.dll	Jbjqngim.exe
File created	C:\Windows\SysWOW64\Aahhia32.exe	Afcclh32.exe
File created	C:\Windows\SysWOW64\Adnjek32.exe	Aihfhb32.exe
File created	C:\Windows\SysWOW64\Midlnpeo.dll	Bkaehdoo.exe
File opened for modification	C:\Windows\SysWOW64\Bmbnjo32.exe	Bfhfne32.exe
File opened for modification	C:\Windows\SysWOW64\Cagmamlo.exe	Ckmedbeb.exe
File created	C:\Windows\SysWOW64\Qpicja32.dll	Cchiie32.exe
File created	C:\Windows\SysWOW64\Cmnnfn32.exe	Cibaeoij.exe
File created	C:\Windows\SysWOW64\Pajkgc32.exe	Pjqckikd.exe
File created	C:\Windows\SysWOW64\Mhennjma.exe	Mchffcnj.exe
File opened for modification	C:\Windows\SysWOW64\Aikbnb32.exe	Adnjek32.exe
File created	C:\Windows\SysWOW64\Bhdlea32.dll	Bfocgfmn.exe
File created	C:\Windows\SysWOW64\Bncpqm32.dll	Badgdold.exe
File opened for modification	C:\Windows\SysWOW64\Bdjjaj32.exe	Bmpadpnc.exe
File created	C:\Windows\SysWOW64\Ocepom32.dll	Cgaidd32.exe
File created	C:\Windows\SysWOW64\Cibaeoij.exe	Cchiie32.exe
File created	C:\Windows\SysWOW64\Ppmpel32.dll	Kaajdckb.exe
File created	C:\Windows\SysWOW64\Hnjdme32.dll	Kpdghkao.exe
File created	C:\Windows\SysWOW64\Njnnnllj.exe	Nqeiefei.exe
File created	C:\Windows\SysWOW64\Niegehno.exe	Nomclbho.exe
File opened for modification	C:\Windows\SysWOW64\Ojecok32.exe	Ockkbqne.exe
File created	C:\Windows\SysWOW64\Iijjlflc.dll	Pfgdpj32.exe
File opened for modification	C:\Windows\SysWOW64\Kppnmk32.exe	Khifln32.exe
File created	C:\Windows\SysWOW64\Ofpnok32.exe	Oqcegd32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkobbpk.exe	Qbekejqe.exe
File created	C:\Windows\SysWOW64\Bfhfne32.exe	Bdjjaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaidd32.exe	Cdclgh32.exe
File opened for modification	C:\Windows\SysWOW64\Mfbigo32.exe	Lpepoh32.exe
File opened for modification	C:\Windows\SysWOW64\Kedlea32.exe	Kpgdmjpl.exe
File created	C:\Windows\SysWOW64\Cgbaak32.dll	Ofnajk32.exe
File created	C:\Windows\SysWOW64\Pmalldhe.exe	Pfgdpj32.exe
File opened for modification	C:\Windows\SysWOW64\Jehmjchq.exe	Jbjqngim.exe
File created	C:\Windows\SysWOW64\Fmpaaacg.dll	Llpahkcm.exe
File opened for modification	C:\Windows\SysWOW64\Pmmcad32.exe	Ojnfei32.exe
File created	C:\Windows\SysWOW64\Pjgikh32.exe	Pcnaonnp.exe
File created	C:\Windows\SysWOW64\Badgdold.exe	Bimocbla.exe
File created	C:\Windows\SysWOW64\Oblanggg.dll	Ckmedbeb.exe
File opened for modification	C:\Windows\SysWOW64\Dcmcddng.exe	Dalfllhi.exe
File created	C:\Windows\SysWOW64\Kaajdckb.exe	Kppnmk32.exe
File opened for modification	C:\Windows\SysWOW64\Mchffcnj.exe	Mllaci32.exe
File created	C:\Windows\SysWOW64\Nchmmd32.dll	Afcclh32.exe
File created	C:\Windows\SysWOW64\Aamadpbl.exe	Afhmggcf.exe
File created	C:\Windows\SysWOW64\Apekklea.exe	Aikbnb32.exe
File created	C:\Windows\SysWOW64\Bfapmfkk.exe	Badgdold.exe
File created	C:\Windows\SysWOW64\Ofcgjakk.dll	Kppnmk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5320	5232	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjqngim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lclfjehh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfnjqikq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laacka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnnnllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdbdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibaeoij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkkmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojnfei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdiho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajalaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aihfhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchiie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pajkgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmalldhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdclgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liaelpdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockkbqne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paoebbol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhfne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmedbeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgkljb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemfeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afepahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkhip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbnjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmoidqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblmcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagmamlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qadnna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apekklea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaidd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Digkqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cikkeppa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khifln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaajdckb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqaiad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimocbla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdjjaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaonodme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckdin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apndjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalfllhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolaogdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjmdgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchffcnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcgdhch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqqpjgio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnajk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmmdoppe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckfocc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbefm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpdghkao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplmhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpbcii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjemfhgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhqbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhioblgo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdqpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgfbochc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Paoebbol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfapmfkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmkhip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdgmlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banjkndi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmdkpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdgbo32.dll"	Kpgdmjpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlggenhj.dll"	Lolaogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pblhokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeboehba.dll"	Pckdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddlong32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beekdcmo.dll"	Oqcegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkiibe32.dll"	Cikkeppa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdeeb32.dll"	Cadpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaajdckb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lclfjehh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmihlci.dll"	Ojecok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpappm32.dll"	Omjfle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfocgfmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhqoglf.dll"	Bdjjaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhflm32.dll"	Dalfllhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqaiad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlmq32.dll"	Cagmamlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnohji32.dll"	Cpljbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Digkqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfjfp32.dll"	Digkqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmpel32.dll"	Kaajdckb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhennjma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omjfle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbjmggnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cchiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnedfmlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjqckikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjmbaeh.dll"	Aihfhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aikbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcdbcmg.dll"	Bmmdoppe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cibaeoij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgeclkie.dll"	Ckkhocgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cchiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liaelpdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laacka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Calhhjhb.dll"	Lfplap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbaak32.dll"	Ofnajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmabfe32.dll"	Abnnlhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpdghkao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcnaonnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdlea32.dll"	Bfocgfmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cikkeppa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjanacc.dll"	Jlbefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klgoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mllaci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooenm32.dll"	Nbdiho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagmamlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kblmcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Keappapf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmpaaacg.dll"	Llpahkcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfbigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojnfei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppedgp32.dll"	Cdncliaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhmggcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 3596	4616	121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3cN.exe	82
PID 4616 wrote to memory of 3596	4616	121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3cN.exe	82
PID 4616 wrote to memory of 3596	4616	121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3cN.exe	82
PID 3596 wrote to memory of 5044	3596	Jbjqngim.exe	83
PID 3596 wrote to memory of 5044	3596	Jbjqngim.exe	83
PID 3596 wrote to memory of 5044	3596	Jbjqngim.exe	83
PID 5044 wrote to memory of 3776	5044	Jehmjchq.exe	84
PID 5044 wrote to memory of 3776	5044	Jehmjchq.exe	84
PID 5044 wrote to memory of 3776	5044	Jehmjchq.exe	84
PID 3776 wrote to memory of 2008	3776	Jhfifngd.exe	85
PID 3776 wrote to memory of 2008	3776	Jhfifngd.exe	85
PID 3776 wrote to memory of 2008	3776	Jhfifngd.exe	85
PID 2008 wrote to memory of 2856	2008	Jlbefm32.exe	86
PID 2008 wrote to memory of 2856	2008	Jlbefm32.exe	86
PID 2008 wrote to memory of 2856	2008	Jlbefm32.exe	86
PID 2856 wrote to memory of 3288	2856	Jpnagl32.exe	87
PID 2856 wrote to memory of 3288	2856	Jpnagl32.exe	87
PID 2856 wrote to memory of 3288	2856	Jpnagl32.exe	87
PID 3288 wrote to memory of 228	3288	Kblmcg32.exe	88
PID 3288 wrote to memory of 228	3288	Kblmcg32.exe	88
PID 3288 wrote to memory of 228	3288	Kblmcg32.exe	88
PID 228 wrote to memory of 556	228	Kaonodme.exe	89
PID 228 wrote to memory of 556	228	Kaonodme.exe	89
PID 228 wrote to memory of 556	228	Kaonodme.exe	89
PID 556 wrote to memory of 3516	556	Khifln32.exe	90
PID 556 wrote to memory of 3516	556	Khifln32.exe	90
PID 556 wrote to memory of 3516	556	Khifln32.exe	90
PID 3516 wrote to memory of 4852	3516	Kppnmk32.exe	91
PID 3516 wrote to memory of 4852	3516	Kppnmk32.exe	91
PID 3516 wrote to memory of 4852	3516	Kppnmk32.exe	91
PID 4852 wrote to memory of 2836	4852	Kaajdckb.exe	92
PID 4852 wrote to memory of 2836	4852	Kaajdckb.exe	92
PID 4852 wrote to memory of 2836	4852	Kaajdckb.exe	92
PID 2836 wrote to memory of 1828	2836	Kemfeb32.exe	93
PID 2836 wrote to memory of 1828	2836	Kemfeb32.exe	93
PID 2836 wrote to memory of 1828	2836	Kemfeb32.exe	93
PID 1828 wrote to memory of 440	1828	Klgoalkh.exe	94
PID 1828 wrote to memory of 440	1828	Klgoalkh.exe	94
PID 1828 wrote to memory of 440	1828	Klgoalkh.exe	94
PID 440 wrote to memory of 4604	440	Kpdghkao.exe	95
PID 440 wrote to memory of 4604	440	Kpdghkao.exe	95
PID 440 wrote to memory of 4604	440	Kpdghkao.exe	95
PID 4604 wrote to memory of 1724	4604	Keappapf.exe	96
PID 4604 wrote to memory of 1724	4604	Keappapf.exe	96
PID 4604 wrote to memory of 1724	4604	Keappapf.exe	96
PID 1724 wrote to memory of 5012	1724	Kpgdmjpl.exe	97
PID 1724 wrote to memory of 5012	1724	Kpgdmjpl.exe	97
PID 1724 wrote to memory of 5012	1724	Kpgdmjpl.exe	97
PID 5012 wrote to memory of 8	5012	Kedlea32.exe	98
PID 5012 wrote to memory of 8	5012	Kedlea32.exe	98
PID 5012 wrote to memory of 8	5012	Kedlea32.exe	98
PID 8 wrote to memory of 672	8	Lolaogdd.exe	99
PID 8 wrote to memory of 672	8	Lolaogdd.exe	99
PID 8 wrote to memory of 672	8	Lolaogdd.exe	99
PID 672 wrote to memory of 372	672	Lefika32.exe	100
PID 672 wrote to memory of 372	672	Lefika32.exe	100
PID 672 wrote to memory of 372	672	Lefika32.exe	100
PID 372 wrote to memory of 1620	372	Liaelpdj.exe	101
PID 372 wrote to memory of 1620	372	Liaelpdj.exe	101
PID 372 wrote to memory of 1620	372	Liaelpdj.exe	101
PID 1620 wrote to memory of 2912	1620	Llpahkcm.exe	102
PID 1620 wrote to memory of 2912	1620	Llpahkcm.exe	102
PID 1620 wrote to memory of 2912	1620	Llpahkcm.exe	102
PID 2912 wrote to memory of 1484	2912	Lplmhj32.exe	103

C:\Users\Admin\AppData\Local\Temp\121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3cN.exe
"C:\Users\Admin\AppData\Local\Temp\121faf10c24c070c8530c9c6030297efbf003bab7cb646bf52f289eebd5c9d3cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\SysWOW64\Jbjqngim.exe
  C:\Windows\system32\Jbjqngim.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\Jehmjchq.exe
    C:\Windows\system32\Jehmjchq.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\Jhfifngd.exe
      C:\Windows\system32\Jhfifngd.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\SysWOW64\Jlbefm32.exe
        
        C:\Windows\system32\Jlbefm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\Jpnagl32.exe
        
        C:\Windows\system32\Jpnagl32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Kblmcg32.exe
        
        C:\Windows\system32\Kblmcg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Kaonodme.exe
        
        C:\Windows\system32\Kaonodme.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Khifln32.exe
        
        C:\Windows\system32\Khifln32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Kppnmk32.exe
        
        C:\Windows\system32\Kppnmk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Kaajdckb.exe
        
        C:\Windows\system32\Kaajdckb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Kemfeb32.exe
        
        C:\Windows\system32\Kemfeb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Klgoalkh.exe
        
        C:\Windows\system32\Klgoalkh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Kpdghkao.exe
        
        C:\Windows\system32\Kpdghkao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Keappapf.exe
        
        C:\Windows\system32\Keappapf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Kpgdmjpl.exe
        
        C:\Windows\system32\Kpgdmjpl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Kedlea32.exe
        
        C:\Windows\system32\Kedlea32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Lolaogdd.exe
        
        C:\Windows\system32\Lolaogdd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Lefika32.exe
        
        C:\Windows\system32\Lefika32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Liaelpdj.exe
        
        C:\Windows\system32\Liaelpdj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Llpahkcm.exe
        
        C:\Windows\system32\Llpahkcm.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Lplmhj32.exe
        
        C:\Windows\system32\Lplmhj32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Lclfjehh.exe
        
        C:\Windows\system32\Lclfjehh.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Lhioblgo.exe
        
        C:\Windows\system32\Lhioblgo.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Laacka32.exe
        
        C:\Windows\system32\Laacka32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Lpbcii32.exe
        
        C:\Windows\system32\Lpbcii32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Lfplap32.exe
        
        C:\Windows\system32\Lfplap32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Lpepoh32.exe
        
        C:\Windows\system32\Lpepoh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Mfbigo32.exe
        
        C:\Windows\system32\Mfbigo32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Mjmdgn32.exe
        
        C:\Windows\system32\Mjmdgn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Mllaci32.exe
        
        C:\Windows\system32\Mllaci32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Mchffcnj.exe
        
        C:\Windows\system32\Mchffcnj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Mhennjma.exe
        
        C:\Windows\system32\Mhennjma.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Mfiogn32.exe
        
        C:\Windows\system32\Mfiogn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Mlcgdhch.exe
        
        C:\Windows\system32\Mlcgdhch.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Mfkkmn32.exe
        
        C:\Windows\system32\Mfkkmn32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Nqqpjgio.exe
        
        C:\Windows\system32\Nqqpjgio.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Nbblbo32.exe
        
        C:\Windows\system32\Nbblbo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\Nbdiho32.exe
        
        C:\Windows\system32\Nbdiho32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Nqeiefei.exe
        
        C:\Windows\system32\Nqeiefei.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Njnnnllj.exe
        
        C:\Windows\system32\Njnnnllj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Nmljjgkm.exe
        
        C:\Windows\system32\Nmljjgkm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Nfdncm32.exe
        
        C:\Windows\system32\Nfdncm32.exe
        43⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Nomclbho.exe
        
        C:\Windows\system32\Nomclbho.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Niegehno.exe
        
        C:\Windows\system32\Niegehno.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Ockkbqne.exe
        
        C:\Windows\system32\Ockkbqne.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Ojecok32.exe
        
        C:\Windows\system32\Ojecok32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Oijqpg32.exe
        
        C:\Windows\system32\Oijqpg32.exe
        48⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Oqaiad32.exe
        
        C:\Windows\system32\Oqaiad32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Ofnajk32.exe
        
        C:\Windows\system32\Ofnajk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Oilmfg32.exe
        
        C:\Windows\system32\Oilmfg32.exe
        51⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Oqcegd32.exe
        
        C:\Windows\system32\Oqcegd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Ofpnok32.exe
        
        C:\Windows\system32\Ofpnok32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Omjfle32.exe
        
        C:\Windows\system32\Omjfle32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ocdnhofj.exe
        
        C:\Windows\system32\Ocdnhofj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Ojnfei32.exe
        
        C:\Windows\system32\Ojnfei32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Pmmcad32.exe
        
        C:\Windows\system32\Pmmcad32.exe
        57⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Pbikjl32.exe
        
        C:\Windows\system32\Pbikjl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Pjqckikd.exe
        
        C:\Windows\system32\Pjqckikd.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Pajkgc32.exe
        
        C:\Windows\system32\Pajkgc32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Pblhokip.exe
        
        C:\Windows\system32\Pblhokip.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Pfgdpj32.exe
        
        C:\Windows\system32\Pfgdpj32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Pmalldhe.exe
        
        C:\Windows\system32\Pmalldhe.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Pckdin32.exe
        
        C:\Windows\system32\Pckdin32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Pjemfhgo.exe
        
        C:\Windows\system32\Pjemfhgo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Paoebbol.exe
        
        C:\Windows\system32\Paoebbol.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Pcnaonnp.exe
        
        C:\Windows\system32\Pcnaonnp.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Pjgikh32.exe
        
        C:\Windows\system32\Pjgikh32.exe
        68⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Ppdbdo32.exe
        
        C:\Windows\system32\Ppdbdo32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Pfnjqikq.exe
        
        C:\Windows\system32\Pfnjqikq.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\Qadnna32.exe
        
        C:\Windows\system32\Qadnna32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Qbekejqe.exe
        
        C:\Windows\system32\Qbekejqe.exe
        72⤵
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Qmkobbpk.exe
        
        C:\Windows\system32\Qmkobbpk.exe
        73⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Qpikonoo.exe
        
        C:\Windows\system32\Qpikonoo.exe
        74⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Afcclh32.exe
        
        C:\Windows\system32\Afcclh32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Aahhia32.exe
        
        C:\Windows\system32\Aahhia32.exe
        76⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Afepahei.exe
        
        C:\Windows\system32\Afepahei.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Ajalaf32.exe
        
        C:\Windows\system32\Ajalaf32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Apndjm32.exe
        
        C:\Windows\system32\Apndjm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Afhmggcf.exe
        
        C:\Windows\system32\Afhmggcf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Aamadpbl.exe
        
        C:\Windows\system32\Aamadpbl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2796
        
        C:\Windows\SysWOW64\Abnnlhhj.exe
        
        C:\Windows\system32\Abnnlhhj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Aihfhb32.exe
        
        C:\Windows\system32\Aihfhb32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Adnjek32.exe
        
        C:\Windows\system32\Adnjek32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Aikbnb32.exe
        
        C:\Windows\system32\Aikbnb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Apekklea.exe
        
        C:\Windows\system32\Apekklea.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Bfocgfmn.exe
        
        C:\Windows\system32\Bfocgfmn.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Bimocbla.exe
        
        C:\Windows\system32\Bimocbla.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Badgdold.exe
        
        C:\Windows\system32\Badgdold.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Bfapmfkk.exe
        
        C:\Windows\system32\Bfapmfkk.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Bmkhip32.exe
        
        C:\Windows\system32\Bmkhip32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Bdepfjie.exe
        
        C:\Windows\system32\Bdepfjie.exe
        92⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Bbhqbg32.exe
        
        C:\Windows\system32\Bbhqbg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Bmmdoppe.exe
        
        C:\Windows\system32\Bmmdoppe.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Bdgmlj32.exe
        
        C:\Windows\system32\Bdgmlj32.exe
        95⤵
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Bbjmggnm.exe
        
        C:\Windows\system32\Bbjmggnm.exe
        96⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Bkaehdoo.exe
        
        C:\Windows\system32\Bkaehdoo.exe
        97⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Bmpadpnc.exe
        
        C:\Windows\system32\Bmpadpnc.exe
        98⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Bdjjaj32.exe
        
        C:\Windows\system32\Bdjjaj32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Bfhfne32.exe
        
        C:\Windows\system32\Bfhfne32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Bmbnjo32.exe
        
        C:\Windows\system32\Bmbnjo32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Banjkndi.exe
        
        C:\Windows\system32\Banjkndi.exe
        102⤵
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Cbofbf32.exe
        
        C:\Windows\system32\Cbofbf32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\Ckfocc32.exe
        
        C:\Windows\system32\Ckfocc32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Cmdkpo32.exe
        
        C:\Windows\system32\Cmdkpo32.exe
        105⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Cdncliaj.exe
        
        C:\Windows\system32\Cdncliaj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Cgmoidqn.exe
        
        C:\Windows\system32\Cgmoidqn.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Cikkeppa.exe
        
        C:\Windows\system32\Cikkeppa.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Cpedajgo.exe
        
        C:\Windows\system32\Cpedajgo.exe
        109⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\Cdqpbi32.exe
        
        C:\Windows\system32\Cdqpbi32.exe
        110⤵
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Ckkhocgd.exe
        
        C:\Windows\system32\Ckkhocgd.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Cadpkm32.exe
        
        C:\Windows\system32\Cadpkm32.exe
        112⤵
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Cdclgh32.exe
        
        C:\Windows\system32\Cdclgh32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Cgaidd32.exe
        
        C:\Windows\system32\Cgaidd32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Ckmedbeb.exe
        
        C:\Windows\system32\Ckmedbeb.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Cagmamlo.exe
        
        C:\Windows\system32\Cagmamlo.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Cchiie32.exe
        
        C:\Windows\system32\Cchiie32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Cibaeoij.exe
        
        C:\Windows\system32\Cibaeoij.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Cmnnfn32.exe
        
        C:\Windows\system32\Cmnnfn32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Cpljbi32.exe
        
        C:\Windows\system32\Cpljbi32.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Dgfbochc.exe
        
        C:\Windows\system32\Dgfbochc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Dmpjlm32.exe
        
        C:\Windows\system32\Dmpjlm32.exe
        122⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Dalfllhi.exe
        
        C:\Windows\system32\Dalfllhi.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Dcmcddng.exe
        
        C:\Windows\system32\Dcmcddng.exe
        124⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Digkqn32.exe
        
        C:\Windows\system32\Digkqn32.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ddlong32.exe
        
        C:\Windows\system32\Ddlong32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Dgkljb32.exe
        
        C:\Windows\system32\Dgkljb32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Dnedfmlk.exe
        
        C:\Windows\system32\Dnedfmlk.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ddolcgch.exe
        
        C:\Windows\system32\Ddolcgch.exe
        129⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 424
        130⤵
        Program crash
        
        PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5232 -ip 5232
1⤵
PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aahhia32.exe

Filesize
322KB

MD5
178459d03ab592324cf907fabc419db3

SHA1
248f6dd6c09400b067bb800e85af430ffdbad9f8

SHA256
54526d0f48abd5d3e131be3d96e75654ae31d91568d6b1f0e0915b325b8b51e8

SHA512
2f38cbf244d4f7c5c05c23122fa10384b43776b8a8fbfc3fc879f64b382a357c3dcb2a8d872a644eeffbb9e13f8d0a6c3252b0ebc891252052a96a360f49f9f8

Download Submit
C:\Windows\SysWOW64\Adnjek32.exe

Filesize
322KB

MD5
5e971860ec8d9cf0c46a807ddb6879cc

SHA1
9d32dc4e50a73798cd2cff8d5065c4b70c44f8e2

SHA256
c233b552c3af0f2230ebbfc7e83b6e5170e8177a4ccf4075405c7bb8d225003f

SHA512
77487e19b0a6ae3f4cde4bc1c7ea88a37e9d089d8c99f5844341558561476b052181d86dd6aecee4af9be16d9cf210736cc0511241b641e1a864cd753def7885

Download Submit
C:\Windows\SysWOW64\Afcclh32.exe

Filesize
322KB

MD5
1ae55560fd61e1329beaeabec80c86fd

SHA1
8c73fa1cd5becf3d3f33fdf003bf8c90b061c637

SHA256
9b16fa21f6ededa7f00f775832ed4d776aeea8ccd3216e392f9da2d8abad94c0

SHA512
a997ca9fa3a2616a3d7f608492a671be5dc535a833156c8953bd75665fa8cbc5f72ef0f2012e8167755ed4bb5ad2dc698b67373373e705694d0e695b3e089ada

Download Submit
C:\Windows\SysWOW64\Afhmggcf.exe

Filesize
322KB

MD5
0f7166bc8f1bb5527f3b982235619dc1

SHA1
0aa49f4a7e8b3656102257a5d7f1398034a37e90

SHA256
dda851bf12b63927462b3ca25b8da4f318cb3b1754e593a1d32fe93825a88687

SHA512
10502238b710e563f772802297e740fa40db07e5879ee462b1d7d48ead9ddc7d3ab3a8dffd187745a6f9a6d4fedf8ea5f3b8079c7eed96156b4740b0ad01dfab

Download Submit
C:\Windows\SysWOW64\Apndjm32.exe

Filesize
322KB

MD5
720a0455a10be31c3f5b38cee74e69e1

SHA1
28ea3a8280626c1a12984c92e3afd6fdd8b7457f

SHA256
c59f6b3830bd46a294d5ba07de9ab197f8275806d2a1e80e7d29c4150ffeed8a

SHA512
918fb58be64e531e26d11d54163c6207d704d5c2887c72abccea2a6da5c6aa1d1e48732ccff612c4130c645dae2209197027d48f98f9ba8b80778f1a9efc5a4d

Download Submit
C:\Windows\SysWOW64\Bdjjaj32.exe

Filesize
322KB

MD5
aa7ebafcb259727ca4d14c7de6f4297c

SHA1
b56961b9eff70cd06a5fa9f27c97d645969f3424

SHA256
a8efe810293c45735b4292530c7391739d5663a663c5b6050ca938a44a4e6f4a

SHA512
f30b734eca37ffa585b738832531c6d3facaaf0b35fd73c9986b410602d371e38bc19da9da41ce93ff08cb4575e653340358cb1e6db334ebf98c6b8f21db02d1

Download Submit
C:\Windows\SysWOW64\Bfapmfkk.exe

Filesize
322KB

MD5
9f0b8a9a619d476f0dae4da07ff64f4c

SHA1
aa0159795bc1da915aee7c93ed90a20a0e206e61

SHA256
ac0cf46e8d06cfc67665e02a6e5351d7c1fd35773542469e2fc3eb04d70f4eba

SHA512
06ad9680f1d892f2e62e51ed7257b1a5e6e7c0a7f209475a59591afeea25f8c938496ae24903f92808aa66ac9e0951b393ac0c2ce807d7b0480efb89e5a7be6a

Download Submit
C:\Windows\SysWOW64\Bfhfne32.exe

Filesize
322KB

MD5
17ecd09de7d12da7fad7af4b8f0a06a8

SHA1
f3ef6e03db384a99e59c10ac2bb94a64ea996093

SHA256
1b607eae9b8f75b301c722978a303e4cb7b1901fa1606ea9b53129b2e284604c

SHA512
00b05f0ba85374d56221ed297a902b2b8e3687b1f4e2d15752fcb0ab6d6a377d4825cdfcaa75e46d19ce83162df02eb5d781025d9feb5376dda1d802e468b7e3

Download Submit
C:\Windows\SysWOW64\Bfocgfmn.exe

Filesize
322KB

MD5
be163671164f3597226c307c87860379

SHA1
fc4e3f8f2ba9cf6ff86236e09b4ce5f7effad267

SHA256
980ac6c778b77ba58f8272e04e42d12db50ab7e316b662d7f345862c1a815d00

SHA512
d7047465ff22a0e7ac7179f6ebb05c67708860b31a0d166ec058ac2340ec41f57d48b1bf3fc3b6bcf1e2b301aaae30097d9220d665b70f2c741ad9d69b5dcfbf

Download Submit
C:\Windows\SysWOW64\Bmmdoppe.exe

Filesize
64KB

MD5
33a7c7bf2726da5805e791f26806d281

SHA1
fa982ac9c75e02c021ac5c48e08c6e5c89dd98ad

SHA256
bd2a224b9bf73fb92f3d5d0b3e75887cc9e373ca32fc4bb9d0dc43ecb90e805e

SHA512
d0aff62523dad292344634550f453d61ce9320c1d7b49220a5ad9dca9637302ad9ad677b769df672018b41149579fdba089098df9496eb875e3b66e7b0d87f41

Download Submit
C:\Windows\SysWOW64\Cagmamlo.exe

Filesize
322KB

MD5
439f7b78a59e92e667ce3b90ab90ed13

SHA1
d79cef292412212ee35f0a2eabd120df7888c81d

SHA256
3bb8dbbda00682f8fb4d5d6844f3201009c06d4bab24e9aea8e493a8406794ce

SHA512
893375f3a26f937385fdd4ad7ff1ce3a08d99982407c81050cdec182b3aa5b7204e457697090cda0857c27ad3aa761845d7ce0e29e1d356edd9a95cfe6003792

Download Submit
C:\Windows\SysWOW64\Cbofbf32.exe

Filesize
322KB

MD5
61fbe1cdee3d8019c5075bf764a6f731

SHA1
f7a9e43e7daf5b17e5826584de38620333c9b6dc

SHA256
541440e00b3ae30b37f73fece50b1a08e9dab1b7561d663b1a54b6f8794f48c6

SHA512
fc2d5e4729e32c83339bfecc532ccd03f93bc35d7e067acdcea8431ffffdf6949aca179971bf566c5965483e5d50d3192161238179656e3c1b57706d1c46798c

Download Submit
C:\Windows\SysWOW64\Cdclgh32.exe

Filesize
256KB

MD5
6c4960c368f21b67fb6bfc8311e0ec44

SHA1
6583b93c66841eeea49f734d7d10924c54ff9983

SHA256
c713adba581bdb7c30047ff8a671f911e176e57c139d8236f6bdaeba85bdb265

SHA512
7f22db0077bf05fe61c6f79415a52e3efec6e38c3bb494fec8f402c55eb0d6b2914681e797c6220112a73eb03e0df87a67d1259b2e32b22fef40567153dfd2c5

Download Submit
C:\Windows\SysWOW64\Cgmoidqn.exe

Filesize
322KB

MD5
a3f1275b4b504aa7e5750fa28059f105

SHA1
79e553a3a4b60b2d31e9bd4e4e835fa5ec212577

SHA256
53398b63cd170c212cc6476c1e223b0a3350fa00d81d92bb0066195492b6e962

SHA512
9a4c5b637422ecd48ce8c1d7c8ecb9fec501522b745844c2b7f80b7183c6dd9d5889f02a316cc8149fc5c9f7b4a458a6559749c1861fcfc5a6e5e7e1e46ca2ba

Download Submit
C:\Windows\SysWOW64\Ckkhocgd.exe

Filesize
322KB

MD5
24ef3275195f660c6c190be0616a2208

SHA1
8c8d4d2118268219707ffa3f1d93706a7d2b6f37

SHA256
e435c5aeffe471b136467490996c86fef4094c95f97c9de9218f515aadbbe703

SHA512
34cbf7a65225d8f6b69b59d959bc873e65f6f400dc5571c6893782dea531b5f19e18dcbe6e0571e9088183c238fc5b3ccbae018ec1f783ceed1577005c9652a9

Download Submit
C:\Windows\SysWOW64\Cmdkpo32.exe

Filesize
322KB

MD5
9b1b80bf436d7b9d503964cf10b30aac

SHA1
a86d201869a8b1e99afce1eb9c124c4219956735

SHA256
62b5e14b3612433c4b652d7cf9c8679bb3c15cb05c5815e1a45e616834793b30

SHA512
18f4d9fba494a06cd2aa783efdb56b2006a2a796a5956d88acd61dbc373d82239e2e9466861719d2f42f15aaa835d93efe9a1c12f79359d103ec180435394772

Download Submit
C:\Windows\SysWOW64\Cpedajgo.exe

Filesize
322KB

MD5
68de3bd025f479e1564bfcec43ca5b3b

SHA1
4b671e6471b9cb2f95f15acd06da75872076f86f

SHA256
056c5d211813af92ba3d129a57a86a14f8a4cbd54e6bdd766f8c3c7ecf980504

SHA512
1524dde496f6e6473ab8895a114660fa51f39dbbc4c04b31d3e162ac36ca845b1442b651907eef0b02733e0a2b86e943584f48148e5c5c7c93261ae85ca4373b

Download Submit
C:\Windows\SysWOW64\Dalfllhi.exe

Filesize
322KB

MD5
e5641318dbbe212aa9fa17a01e0da2dc

SHA1
e121292d42815bfb2a6198a2425ae4ec51ab1d96

SHA256
ffb8ff08b9d1d2b159168aa8564c667dd6e0cf71290e6ea4fff336fb25139450

SHA512
da0c668a6b7c256a7d842d2fe9b9c54980506e7f97a0f7043f752503dea1507be389816b58eba7e04d596622ffba50ae23789979807f8c8238dc828692098c90

Download Submit
C:\Windows\SysWOW64\Dgfbochc.exe

Filesize
322KB

MD5
56fb4d82e17fd39f0c3c0548b50adbdc

SHA1
d8b9ba1e338426d009e278210e43aece6fa74d3e

SHA256
936cff44fea144f8320ae70dbeef6094fb0632d027928da193ec873a6775b170

SHA512
77701af2e66a1125380bbf881c6fb77347d8be1f23e46b5a4e4ecc5ad016aa673dd5c119af2893ee985d5770135eca73e9b146db94679ffda1a0cadda8a0bcb0

Download Submit
C:\Windows\SysWOW64\Digkqn32.exe

Filesize
322KB

MD5
45c40d151f1c2f40220222e0ca8dec5d

SHA1
39a0195eb269719ee648fdaeb4b09fc128e039fd

SHA256
afbb5965389444a91108adbd39847cd35b4e8963a37496f411a70aff2f3ae7ed

SHA512
7417fc8e26aca3a19cb4b1f7266abd0950e189ac2dd69af8c1da50939defc2ffc32d9acabc912b084a46d38436842dc3c352ed9f3c9340d1e74a98f3f814cfd1

Download Submit
C:\Windows\SysWOW64\Dnedfmlk.exe

Filesize
322KB

MD5
978d422b300e7c9b9dd1dcba3b175b3e

SHA1
27aad1ceea98f2dcc68e2ccf845f06aa693bc6be

SHA256
ef9311cc79be31ed142738134e9eefcbdd7a3b476501f3353d07021b540666ca

SHA512
e6aced74102fe04d13e386857ff13849df13a3b18c1085aca24c1e7944abfa097e8308ff49561217e3149f258ca2b2dceec0e81e88ab5d91f5a95439ae15ab74

Download Submit
C:\Windows\SysWOW64\Jbjqngim.exe

Filesize
322KB

MD5
c9c6b0e3b2b976cab02e5f34ad4d1113

SHA1
40004563d9796a122155dd67544f87a51bcbe358

SHA256
baf9ee60c02900473c56ca057b12ae14c31d051871e46622cb3d9713f3d31f22

SHA512
34e8b5ef83fc46c211c1c299573eefd1a83d0353de0897e80b94c0bb6c3f42900da252184f9cafccfda46d032121b954bca4ecd030067a7879296ef2324a1c25

Download Submit
C:\Windows\SysWOW64\Jehmjchq.exe

Filesize
322KB

MD5
fd51beb3c6e09dc435593feca3de7064

SHA1
38785b682ddb3b847d4049d01183774029f13a7e

SHA256
5ca96684c3261dab2ffa4f1c7fa8379c010d61bec70f2e3570cc8a2f76eb952a

SHA512
72a78dd9d9704f268d96cb1f8efe15bf304b0de3ed5098724da49b0dde3fd5fdd27bf0cf85d51bd49294f5f7a3ab7ee32d34f935154a2aa29ae346f22251b53e

Download Submit
C:\Windows\SysWOW64\Jhfifngd.exe

Filesize
322KB

MD5
02b188d2b255b44ec8770be746a9b372

SHA1
3371c8224b6133c96f5cd9072075fa258d8a06c1

SHA256
b9f52a4a07b37ccb09819a220f36b827520042c3db1431291f49e75e9b0ad467

SHA512
e855adc3ce4148b4e7c0d5dbb322f9e8a9ff892f199d55195b613426a50afb238d6968b741c0b57d957de9406edf0d80d5c1443bc076390bcc5baf8748391511

Download Submit
C:\Windows\SysWOW64\Jlbefm32.exe

Filesize
322KB

MD5
911d364ad8bb3713b57a2100bf199645

SHA1
faa8aca82a5f5160afff55eee19965f6552b8e43

SHA256
0f05bda81a127c135a2b83e79d422fb6b2d38b7483c98285b5095fed374870c3

SHA512
d33320cc6dbb486e65ab6905f534911e25679ac325dd4a3ac3a6e277804f2db727890746633e7b57e0d73e96311ec921195724c6d0a8cd3864bd6fc67945e05b

Download Submit
C:\Windows\SysWOW64\Jpnagl32.exe

Filesize
322KB

MD5
cb57ed38948d0b233e67c703f47e5e18

SHA1
d3b3c7bddb3c933c0611499a1685f2841e23995f

SHA256
fb5f06dde02d8ffa90afcd8d9fe125f435a83d90c2acecd1fa08511b4cce4759

SHA512
0dcaf13cec6c1b41177f60ced14f2511319aa63102fd97a9a98688429810eed1af62bdb110b0d73ce2b8cbbe9965458f9e31d25adf41077856d3bf90d906410f

Download Submit
C:\Windows\SysWOW64\Kaajdckb.exe

Filesize
322KB

MD5
7365571e6e4a1d3ad041dc14f2b0b1d8

SHA1
2f7dfaccd5c3bc53f9f9c8f676486ed369e34ffd

SHA256
ee7ba5533e2e9f8dd704f384f47bcc23f602438820bc091c134fc7f8b9ec4ca2

SHA512
db1723e55ef4822a43dcca487f39d19ec224b1cda282f6b4436c74965dda4f93b7f4a16ac5fea9b0674262de72c7cb25f3b10e111200fd741d65ea3f7910943a

Download Submit
C:\Windows\SysWOW64\Kaonodme.exe

Filesize
322KB

MD5
b060926d5c0ec9a517f84f26559033cd

SHA1
26e9341d6b2b52724d29abe57b3e967481de1b3a

SHA256
231ea6255e9f0c666c0f12d94447dd979a5092ab19adbaac66a3e1d41b2c173d

SHA512
80c221ffd44bcd5e0d59ae7468345a8c01d21df56bb2413db2339dd3f0330fd670a38d339ea46c80c74471ee5c730bcb6c3a1d93a46b1191daedc2d8073f6cba

Download Submit
C:\Windows\SysWOW64\Kbjanacc.dll

Filesize
7KB

MD5
1f0e378abd6721721d421354cffa07d6

SHA1
cfe121d9278a761b4a00a01b96b44bb869b9d7ab

SHA256
32e00a431683813ae2667615ae1384d0e64f7006df258551627381053984a253

SHA512
886eaa20b6ed54df2085aede9263dfe39934233a247e1a37e3f59fc592152653ce6c6f6c5a80293ea5d552163aa2303453607728ccf6b29dee81e2da88da6a39

Download Submit
C:\Windows\SysWOW64\Kblmcg32.exe

Filesize
322KB

MD5
1341e441bfa29afdd4fad97bae6ee218

SHA1
45b676e585a6b320170a3fc94cc6c8d7d3ccc97d

SHA256
0318fa5fca0f3d0d10436633987e7c6da19484f5089ad6285c69c3db5554765c

SHA512
02aaa6c6c55e3d6428c2f1fc5ae57d005f4b6cb7511ecfe3b55ada64081276b94f523c6cb1f75f482a3ab9cb31e9b8efd446554bc0b7bc9fe4dd4e29d3129c0b

Download Submit
C:\Windows\SysWOW64\Keappapf.exe

Filesize
322KB

MD5
e7b5c1fd4a82d84f6d3c0d6eb9fa1b9a

SHA1
1616779bb4f687c6a9fd20138505f4f7b53cff79

SHA256
2e898d0fa67afb7ae569d5669f2e4f132f2b10b2e8d5b9f6baeda0f55644067a

SHA512
0b8214a21d3d38c62a92febf4634c699b29338216d8755fdb00533361520498a24e283c79eb874b8e10e2bd601924433dee875c247d788090efce5f440d24cd4

Download Submit
C:\Windows\SysWOW64\Kedlea32.exe

Filesize
322KB

MD5
ddd39d5e38b57fdaa990c3d65235d416

SHA1
d42ab8da09aa5ff34ecd4bb3fe6fd7f04a539890

SHA256
3c5346224d4d73929bb6e9778b372ff13dcf556856ab0716f1a993003c3005b6

SHA512
a818aa52ed34fbf65fa2a545ff4e4e1e1878ecf728e0b35f0d191b55e38a8599adf6a5bbdb03446638194c769cbe4572132074cd1cc4f248b0f23542e77ff9dd

Download Submit
C:\Windows\SysWOW64\Kemfeb32.exe

Filesize
322KB

MD5
8a8761a1fc2a0d160bd13ed995c90a10

SHA1
4f0dbceffa2df1a3f3e91e30e18cd33d0f5dc59b

SHA256
977868ee7e85ead3507c930b6ff9a1b38994ac2de55d4cded56bcfd23f488849

SHA512
5dbf334957f136714db30cd07f52f2f6f831bcdc9391948a5192a69a93af33d49c5241b1eb5669514a65758ade968146f44b13040176f9dc13e4ba7e89c5557b

Download Submit
C:\Windows\SysWOW64\Khifln32.exe

Filesize
322KB

MD5
36c939aa276c72a5ae4d58635b0bdec4

SHA1
a7f33e464557241e5a64698008175598f9f51267

SHA256
16bd6343ba1a7d9c8c6987598bbff5b7925951eb4d8d6e02da0d83b68046fead

SHA512
7074056444f6a62427e89bac2ff253a35ac11a2924df26240beb62aca38234a3526c5464308708cce396db66f59fc8c893769546321661c1e8feca4ecf317e7a

Download Submit
C:\Windows\SysWOW64\Klgoalkh.exe

Filesize
322KB

MD5
f7d65b22071e0a83ad72385c0531eac1

SHA1
3fc3c589aad09ef46adc995003e647d2e105515c

SHA256
687d7fccbcdde06b846c7af100e77463c18c6bb3c3ab7d89c2b7361258ca1d46

SHA512
799ed72c495f620746f538c7ce9dd694ee8caec61fc28093387e1aef7a7daf439c10fe776c752aeed28dd05276868286b2f1a1180bb7f114c95c6875d0a3d497

Download Submit
C:\Windows\SysWOW64\Kpdghkao.exe

Filesize
322KB

MD5
fa0526710ab5310a9b3b8fefbfc0a4fc

SHA1
46da9401a7f6f1e41c459aee23c84ae9dd7c629e

SHA256
4d9d1c24188b26f23a849c97907f01d7f80dd9a859191741f2d6fd6632fa1646

SHA512
9f3596ce1c14ecd64eec1956be7ee5d0546e6248fb3f6b47b5d579cbcca6309ca6190299e8252036f26125ad9fd59b0d9ee6648ac3a01a0b27d92547a33c74bc

Download Submit
C:\Windows\SysWOW64\Kpgdmjpl.exe

Filesize
322KB

MD5
4ad2a0daf22177378715b17f1fd1a8c6

SHA1
04cdd8231cb8426bb20e1d20465724cb5901bb80

SHA256
f3bbb76f80441460adf930d4701dffb6b5b99f910681363cef9a61b6b56d8e92

SHA512
c551f3614a3ac3bd0d6d7549a90de6124d5b3c73d696a586074b289f14a2c0c0e5328d5a2908dd0a3ac069631f6951745bb41f0b207ef2f1c4de42750cca9345

Download Submit
C:\Windows\SysWOW64\Kppnmk32.exe

Filesize
322KB

MD5
c266ccadf4543ded6cfc9f50f5c97c03

SHA1
8e2809d62e96c4980b5b446aa24087fd9622d498

SHA256
260aeaa169469633ca44765890ff51ca6eda295139205a3000936ef93df67e09

SHA512
f486bdb0153964836b9d3462234647108d16392c3b4e850dc70ab5c2fa2d9fd6ffdd3f99cebc520a36b599816ed6c07f3bd752f5cb9763c399cadccd94a11ea7

Download Submit
C:\Windows\SysWOW64\Laacka32.exe

Filesize
322KB

MD5
31ceffa1e260960ddb814271b9ec4f3d

SHA1
6c4aeae967877d2fbd6b4768a2d5b1876f14046e

SHA256
da54c5d4fd4bf720170c9095c0d657f96178d127a600917c9381cbfc7247ed6f

SHA512
a88df142ecc22197b6bea8370f3b074c31e94051119c1fa70f361edec6a106788b659117390edd61c4f71745a94df2636c0487ba7d08d9e944f66bee8ebbe722

Download Submit
C:\Windows\SysWOW64\Lclfjehh.exe

Filesize
322KB

MD5
9d537fe6a199c6c252cd3b36c91f506f

SHA1
fac75f884f4c1c38403445f2f11052e5028fe977

SHA256
f8c17843ce9b334139d6a442f971b407164426f5ed249bd1a67780df31d7ba7b

SHA512
65d3abd3b7944022df56826f9ebadb8cc4ed947462ac6b115f17f5fa9ad66571e2918206f60d9469b61478fbc74b2293d38bf9526fc4b128a7fb492936a8a365

Download Submit
C:\Windows\SysWOW64\Lefika32.exe

Filesize
322KB

MD5
1bb085000e181c2a591623d8a54fdab2

SHA1
3cf35125d2e5562793fa172ab71651511a1825cd

SHA256
0bb8b3d67c18208e6d81bd557df20d769d0fee8c40153430b48d56da1ea2d896

SHA512
a3b219c47c08ca16618832ff81abaf1f54e2e89a8fe4d8eb511874722aa60fe8a324e0ee3d9e687f896f44f864fc2a333c34eb66bf6d3a7a70ae5979954820c6

Download Submit
C:\Windows\SysWOW64\Lfplap32.exe

Filesize
322KB

MD5
1e5140b34cad8bd3410330ee9c8af0ca

SHA1
1e45714f5e19e6b11d9b873567ec32b46051ad0a

SHA256
76c469c085a00a49183ba2c30d09b3c0079239c874a90b0fb91e662585b93c45

SHA512
1408e4e6b5323f92341f3387793edb74c25f1e8475cdf0f0a3281ec679e8daa544ce7006ab413dcbddc674e12c4e1169ee1fdb25abc2bc52337759c667559363

Download Submit
C:\Windows\SysWOW64\Lhioblgo.exe

Filesize
322KB

MD5
8f441a03d9a794121bd0d7cec2ff3908

SHA1
3743855dae5f4686a370fe3b43c7e4a4f16a7b85

SHA256
dcce1c36e25be620a9532a19d84bc83b06ebdd1b01f6309b0e921357cd2ef6b7

SHA512
9739f9c806d22050359183a63536f6e593b597bb623ea87ba17df433b0518a387e02235ad06ccf7a73a2c2f07f6bb37bc4a55288044852f0a9a68423e7f34f3a

Download Submit
C:\Windows\SysWOW64\Liaelpdj.exe

Filesize
322KB

MD5
53dfab267acc9592f77cfa964f10fd25

SHA1
a6db32a1af57ea352c2b967d228f55059b2877bf

SHA256
e7ee078a419b093ae8ee2a8d3857d02c5e433a6218d8c6c5d79923d7aac5d913

SHA512
a3fd8e4aad59a4f880e7abdd95bb97bde27a0560f71f49e7c21bcb2c2235e0795b6e932cd3a83c7576195e5b4080ff390ef2a09cd9e7def3512de7b924d12575

Download Submit
C:\Windows\SysWOW64\Llpahkcm.exe

Filesize
322KB

MD5
e640132cf3dab8ac9ff31b03f35518b3

SHA1
820818d875e884612fe4461523e0bd824fbe0432

SHA256
8d49d7831d1c2521ca5809ac0f468da8d0a15ec50267bfb42de7e666b76a711f

SHA512
63ba8477896be825bda588f35b52a9eea2cdfed35f9daad09b0c5a4fca595cf6ccc1f3743ea22ee65264111ca398e734e8d73ac06b07426d9fea5f948bf67f8c

Download Submit
C:\Windows\SysWOW64\Lolaogdd.exe

Filesize
322KB

MD5
2a2a7c26f952257028e7c915ccee42c7

SHA1
c44cb8994c474076898bc3fffe215c6a84df7aee

SHA256
8965644fd7286303a64bbaf641f72fe4408f9936bb35932e706e8efa3e54c6e2

SHA512
4f44d570188b421c187f377aeaa7ede563449730410525612c629b4a415c645de20411212fd8a7cf8a3d8e50025f92ca30f4a4d894a5d66e340fe6d744e0ef56

Download Submit
C:\Windows\SysWOW64\Lpbcii32.exe

Filesize
322KB

MD5
703e2833e2a1e85167e022152fadf8ae

SHA1
844d216171f9149412bf54bbe6993f5a51b5fa4c

SHA256
145367816978d898aa682c86dec6dc423c81e8fbc6f568389c526d5ccd891926

SHA512
e3a3884b123ec66b6119c4d403d0ea17515a1752e237f103253c957f8a28d72fd06eeedb8ad29905e7a7f8b5cd7563e92d3ba1b4cfb0a28a53aef24af0b5d7b7

Download Submit
C:\Windows\SysWOW64\Lpepoh32.exe

Filesize
322KB

MD5
e653690106c457de118088f7c29ed2db

SHA1
c442d63ec13db5d2ef545a7f98c345e0e69a033a

SHA256
d6bf84beb7a8d5935fdf9a6fd79354de94102c320f650b74f50062171599e49a

SHA512
8f6a913dce8bd63133049821b87da209acf5e01c098a014cf3a7f6bb2bc3070e619ae855a2628cb90f41a42f051cf792faa2fda89be183ea7edd1607e15f13c9

Download Submit
C:\Windows\SysWOW64\Lplmhj32.exe

Filesize
322KB

MD5
12afcf3ce15e792b53b9f5a3e38668bc

SHA1
10cbc01d30254dfc8827cd75be63493c7011b89e

SHA256
c1d44a48324c768b723dab1c2a3e3d39ceefa9a49e3b2c31ea724ae4b5ec70e4

SHA512
e1b1d8fd7e8e78d914d773ba7a4108addf2bc8afc2224faa5b9480a06a22755f9ab6b535e839a190496b82b13614946f78edde0cb3ef22e65f6b39fc9bc4947e

Download Submit
C:\Windows\SysWOW64\Mchffcnj.exe

Filesize
322KB

MD5
33a1ff4304f9ed859a92a67d77593948

SHA1
4e33500a05f8db1aff877c1440d9cf4e73de7b52

SHA256
65423588d35f6c0e014850586296f4800faf5a78f3596ff2a222c5527536d6e1

SHA512
e82195b5e347638c263875230726a6a5534ecb0870d5fc70a61ebde817d1459ab7c0fda8d9c3469a6e5e9d76774ee4c0f01a899c1360f2a1ce3bdcae920ac6a2

Download Submit
C:\Windows\SysWOW64\Mfbigo32.exe

Filesize
322KB

MD5
7e0e108780750792d218d7e5f02ca91a

SHA1
9a169e9ca4e4a7181b6220f17bd2a91a495919f4

SHA256
35b1ce244d8edb0c2c8866879b0fd34c5fdcff67364966ba46cfc4c6b4cc7b5f

SHA512
feeeb1d56c6ae5a0c54e2509f59a7efb069a594b301e4dd5ac8410336a43c2a2ba763ab6e831bcf376216f0d518c26f1d99a7d03bdc2b2e63e3f22dd43a48bed

Download Submit
C:\Windows\SysWOW64\Mhennjma.exe

Filesize
322KB

MD5
ba0f0e13bfd73d1123b59d5f9677998f

SHA1
3f234315a6775e018a4aba5d6a0dd119282ca9fc

SHA256
beba40adc51e9db7c4567e1de9ebf6ea3b5bb41e9ac717da5e4a822d2d46b818

SHA512
38ee70dcaf8582614fa2abd7398920fe32585ee33f12901744c47ab64aeb3cc1734068fa0991fa8bf6e18db24cbe8cb0bf15c2760ea1fd06aac6ae4d9569ca56

Download Submit
C:\Windows\SysWOW64\Mjmdgn32.exe

Filesize
322KB

MD5
ffb53f61db829db972d0f16d8d1b5e9c

SHA1
65b1728e7ffd7b0efd922909ad3764ab2adaa8ff

SHA256
39c5b8ff1328a6d29a93a94bade62a356614dd74d543ed84c1ede30f9a4b5831

SHA512
8524cfa15f46c0a0164b0f567a2debe3157973f5cedcef9a86ec57b4cb2cd53c91ea5c2832213a72f7cfc8757ab555090be3383506b1fcc330fa57fe51ad86ad

Download Submit
C:\Windows\SysWOW64\Mllaci32.exe

Filesize
322KB

MD5
a6abb5fd45fac23d4d186bc15932ede3

SHA1
2881a34759d44f0e67207ecf8a15c45a03a0db9c

SHA256
3b688e5d5a701c8cf3209551948bfcaba27cdc29f610dfc31bfd9a9e5f5bb589

SHA512
a16229272bd0ebd514d0ad84f631461e4639fb3cf3a8a304f73e03d043df8e4e534132870f6f46398c6c54cc367f98d7152bd9434766d330689dd81336e622a0

Download Submit
C:\Windows\SysWOW64\Nbblbo32.exe

Filesize
322KB

MD5
a0f38c12c09db13c8691bf896803ac38

SHA1
f615c3ee40eebbcf064ebeb9fd058b01b7675f9e

SHA256
4781b57504797a59929d9346d5b93409868736db10bb811a77eb63cb3a0aca39

SHA512
2477b1d56de9fe14d07c7b685f0b47e89df6581101f3241f75df17bdf551939d696af5a2a40b904140d477948f235d87818389db990f2a9ffa1a450eb7a23bd9

Download Submit
C:\Windows\SysWOW64\Nqeiefei.exe

Filesize
322KB

MD5
90d6380c29a592e47d587074eba7b661

SHA1
c270eff18c59180d74d0e642f937d3b9beb7eef1

SHA256
075b22063e5071c605c7758f141d88c79311661dc186fadec773c6220cc996a6

SHA512
4acda29571860b290f22b08afb98d4f9f775bc78c2b236ad8ce644bebed40b9aca73f08d7bedea41443341b8c2b057499752800790d2b66c0857d7988f687156

Download Submit
C:\Windows\SysWOW64\Ofpnok32.exe

Filesize
322KB

MD5
b709ddb91767c251d08a44c3f59b91c3

SHA1
e4804c87a2ed4dc2d9f17638a54264cfc7f23fb0

SHA256
01f5250f15dedfb377bb8ce7cfd5d27af7f08f267ea44f54362aedcc87cb3229

SHA512
77898f338126fabf802bfb93190c944af425545c33bcb32b8cb23989342fbb93b0f1b62f8b1a465bae9d411cc65eae94837804b6ee0768126a26b06ef346aaab

Download Submit
C:\Windows\SysWOW64\Oilmfg32.exe

Filesize
322KB

MD5
796f5efbe0b4991bea7e51956e4be8d1

SHA1
2e705588080350da2e93a5862cdb613a8f311e58

SHA256
69be3b098b67f408bb74e149fa5a4d2014e39e9e2d4d051e12774f35de7e1653

SHA512
15eaabfb6ca54a6a02b1ebe53c12a8228125d9e66e05a063b721b1359895360f19c7ec56f06626a6d0596e3212fc7e3f285bda6a494e181d3fcc5eee38753d32

Download Submit
C:\Windows\SysWOW64\Ojecok32.exe

Filesize
322KB

MD5
6812aee2017e8aa24157717ecae904be

SHA1
e1918aae85d7cd96e83424153621c32e8d5022f3

SHA256
71c337c14ce8427569bbcc82be000fdc8844c85875a85fc1511cb34a14eb8413

SHA512
6b3dbcfb7cfdf2b93c6b33ea06513f5f5822d7ef3c43d0f8ade1cd020837b92527976d201e077c65ae4813d6985377bea37c96343f3ad0854cc4462ca7552cea

Download Submit
C:\Windows\SysWOW64\Oqaiad32.exe

Filesize
322KB

MD5
b16f91e4ae2f83c3be000f87917dc01a

SHA1
2d132fb4e7515f4d3c36b1e369923e4cb959589f

SHA256
4ba768997b3cd019052bac1991ddc794762d80877b93f355976028cf4dd6c44b

SHA512
1e26f01b0f01439fd96f40103fc51dbae825f7ae9112bce8706f49501a9e9e7e7c090ff5fbfeaf8c4fb8f50be452198df4dbb57b1f0c4047201777f8e5acac5a

Download Submit
C:\Windows\SysWOW64\Pckdin32.exe

Filesize
322KB

MD5
c2eabc0dcabc4c4a4671634f10c2a0fc

SHA1
0f6ba54eea814247891eef6820e7eaf324c21706

SHA256
1d0867122dedbed364b5aedc43e376996a32dc7de49e76ff355d8ac0ba7be102

SHA512
b9b8808ef0d1c84537b8ed72f097b305d3e7131a1cefc25f7c04ee7bc6c3921a3ca651389d56f2ccb1bc23922e9ed06a1e79e114677cd1153395146f2c5058cb

Download Submit
C:\Windows\SysWOW64\Pcnaonnp.exe

Filesize
322KB

MD5
9d67ecd8a9a9f6e21f37a3a9b82848c4

SHA1
4bae56dbd738f67fd52a86c3f7c2a6095f1dd8cd

SHA256
850cc83f1abad5929ded312dffd9a23bc10457b3d6c7f4071ec4926f1232b33e

SHA512
9f5b4738d6b94d13fe1d2de63dd0228aff01c1e74676e52f514c38c507904e1997a21cf7defc4410ffd6614b6424423e8716796316fec4b058295768e75289f6

Download Submit
C:\Windows\SysWOW64\Pmmcad32.exe

Filesize
322KB

MD5
7be793e260379c047cc39b2cfa3abe96

SHA1
7b0df7dab8842e12ec4959fddfc58f24bb15758e

SHA256
1a86a7607152ae5054d91d46ae80f65c6a8558668c99a8f842e28e624d90ef2b

SHA512
bafbb2bcbbd3887e4ce8506eb22679f36864e0d3a19c72042dd0220a9edc62f7aecbfd4fce6258935b833c813868ae7e131002e9289748a79c475d3075f9a31e

Download Submit
C:\Windows\SysWOW64\Ppdbdo32.exe

Filesize
322KB

MD5
91baee064851b28b18564dba8d2e9de9

SHA1
801462612f4e4961c24b4a9a4ddbf9be9d8865a2

SHA256
09d04dc9793cf99532fe33c932c6c2beef8a59f7062b77b232531b941e80f7a6

SHA512
4d9e3916cb310d230b3e9b118c511a575ae4d0467114486fcea5cb1d842079fc004681376573df1963075a6c012287ad22c95302ff696951b902f063eec4c554

Download Submit
C:\Windows\SysWOW64\Qadnna32.exe

Filesize
322KB

MD5
84674de504f6b79c621208a59b513d38

SHA1
a5bbc0f4e363cd81ce0db7b35c4f229361c8d173

SHA256
434189bb2a5211a0f9dcb2131c054c863ee8b621246583f1cdac68b2434cdea0

SHA512
461519e301c2a9b13108489d0decb5620fa54d713ee0a146f6b148a7d4ecf02801eca639631c266558a45894d297e7e0b05f6291b1dc7d358979ddf593b541bb

Download Submit
C:\Windows\SysWOW64\Qbekejqe.exe

Filesize
322KB

MD5
d158bec04e6bad1eb6e160605492b661

SHA1
31359ce73ca44d26d03e3c34d97ff19c202715e1

SHA256
82c543c8815a3397824195c3d04fe48758bf50fd23c65d40873f0f0e5966b261

SHA512
4e309438146e267897abb5fec055a21aa20e535e623b424ac6bed054751a12b319dc1a3f27139a7faedc49a3a514c6d69a0c8d04046a4b7f958288b06935cef9

Download Submit
memory/8-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/612-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-908-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-915-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-881-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5144-873-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads