berbew | 9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe
Size

96KB
MD5

e4f6d4d8465e67d9243c36df49135e2f
SHA1

201836fcb13447dd5d6da5cad54db2dd3171cbee
SHA256

9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786
SHA512

17c1ff4a54db653bfec9fcd0de5c53df20e2c7034e04d2c4cc4fb3ee358521e9d6e94f7ae29a07f7a59c01e52aeb78c8f71984d20ffee1e55d8449d620968929
SSDEEP

1536:GpZ879I4qsUmbdG+J/V3+74V4GKkWvYyU2LX7RZObZUUWaegPYA2:GyK4qYbd3J/Vo4qdkEtXClUUWaeV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3276	Ldleel32.exe
4704	Lfkaag32.exe
3608	Liimncmf.exe
2544	Llgjjnlj.exe
2832	Lbabgh32.exe
4996	Likjcbkc.exe
2816	Ldanqkki.exe
1172	Lgokmgjm.exe
1220	Lmiciaaj.exe
452	Lphoelqn.exe
1352	Medgncoe.exe
3484	Mlopkm32.exe
2800	Mchhggno.exe
3268	Mlampmdo.exe
3240	Mckemg32.exe
3164	Meiaib32.exe
312	Mlcifmbl.exe
2660	Mdjagjco.exe
3120	Mcmabg32.exe
1284	Migjoaaf.exe
2556	Mdmnlj32.exe
1924	Menjdbgj.exe
4776	Mlhbal32.exe
2348	Ndokbi32.exe
3472	Nepgjaeg.exe
4668	Nljofl32.exe
2644	Nebdoa32.exe
4892	Nphhmj32.exe
2136	Nnlhfn32.exe
2352	Npjebj32.exe
1964	Nfgmjqop.exe
2956	Nlaegk32.exe
2792	Nckndeni.exe
4412	Nfjjppmm.exe
3360	Olcbmj32.exe
3928	Ocnjidkf.exe
4216	Ojgbfocc.exe
2448	Opakbi32.exe
4616	Ogkcpbam.exe
4980	Ofnckp32.exe
1232	Oneklm32.exe
4800	Odocigqg.exe
1856	Ofqpqo32.exe
4036	Onhhamgg.exe
3940	Ofcmfodb.exe
3452	Onjegled.exe
2964	Olmeci32.exe
700	Ocgmpccl.exe
2476	Pnlaml32.exe
2824	Pqknig32.exe
1016	Pdfjifjo.exe
5068	Pgefeajb.exe
2020	Pjcbbmif.exe
2312	Pmannhhj.exe
432	Pclgkb32.exe
4304	Pjeoglgc.exe
1108	Pnakhkol.exe
4120	Pqpgdfnp.exe
3664	Pcncpbmd.exe
4948	Pjhlml32.exe
5064	Pmfhig32.exe
1340	Pqbdjfln.exe
2440	Pgllfp32.exe
3992	Pjjhbl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Lbabgh32.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5400	5192	WerFault.exe	225

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3276	4388	9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe	82
PID 4388 wrote to memory of 3276	4388	9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe	82
PID 4388 wrote to memory of 3276	4388	9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe	82
PID 3276 wrote to memory of 4704	3276	Ldleel32.exe	83
PID 3276 wrote to memory of 4704	3276	Ldleel32.exe	83
PID 3276 wrote to memory of 4704	3276	Ldleel32.exe	83
PID 4704 wrote to memory of 3608	4704	Lfkaag32.exe	84
PID 4704 wrote to memory of 3608	4704	Lfkaag32.exe	84
PID 4704 wrote to memory of 3608	4704	Lfkaag32.exe	84
PID 3608 wrote to memory of 2544	3608	Liimncmf.exe	85
PID 3608 wrote to memory of 2544	3608	Liimncmf.exe	85
PID 3608 wrote to memory of 2544	3608	Liimncmf.exe	85
PID 2544 wrote to memory of 2832	2544	Llgjjnlj.exe	86
PID 2544 wrote to memory of 2832	2544	Llgjjnlj.exe	86
PID 2544 wrote to memory of 2832	2544	Llgjjnlj.exe	86
PID 2832 wrote to memory of 4996	2832	Lbabgh32.exe	87
PID 2832 wrote to memory of 4996	2832	Lbabgh32.exe	87
PID 2832 wrote to memory of 4996	2832	Lbabgh32.exe	87
PID 4996 wrote to memory of 2816	4996	Likjcbkc.exe	88
PID 4996 wrote to memory of 2816	4996	Likjcbkc.exe	88
PID 4996 wrote to memory of 2816	4996	Likjcbkc.exe	88
PID 2816 wrote to memory of 1172	2816	Ldanqkki.exe	89
PID 2816 wrote to memory of 1172	2816	Ldanqkki.exe	89
PID 2816 wrote to memory of 1172	2816	Ldanqkki.exe	89
PID 1172 wrote to memory of 1220	1172	Lgokmgjm.exe	90
PID 1172 wrote to memory of 1220	1172	Lgokmgjm.exe	90
PID 1172 wrote to memory of 1220	1172	Lgokmgjm.exe	90
PID 1220 wrote to memory of 452	1220	Lmiciaaj.exe	91
PID 1220 wrote to memory of 452	1220	Lmiciaaj.exe	91
PID 1220 wrote to memory of 452	1220	Lmiciaaj.exe	91
PID 452 wrote to memory of 1352	452	Lphoelqn.exe	92
PID 452 wrote to memory of 1352	452	Lphoelqn.exe	92
PID 452 wrote to memory of 1352	452	Lphoelqn.exe	92
PID 1352 wrote to memory of 3484	1352	Medgncoe.exe	93
PID 1352 wrote to memory of 3484	1352	Medgncoe.exe	93
PID 1352 wrote to memory of 3484	1352	Medgncoe.exe	93
PID 3484 wrote to memory of 2800	3484	Mlopkm32.exe	94
PID 3484 wrote to memory of 2800	3484	Mlopkm32.exe	94
PID 3484 wrote to memory of 2800	3484	Mlopkm32.exe	94
PID 2800 wrote to memory of 3268	2800	Mchhggno.exe	95
PID 2800 wrote to memory of 3268	2800	Mchhggno.exe	95
PID 2800 wrote to memory of 3268	2800	Mchhggno.exe	95
PID 3268 wrote to memory of 3240	3268	Mlampmdo.exe	96
PID 3268 wrote to memory of 3240	3268	Mlampmdo.exe	96
PID 3268 wrote to memory of 3240	3268	Mlampmdo.exe	96
PID 3240 wrote to memory of 3164	3240	Mckemg32.exe	97
PID 3240 wrote to memory of 3164	3240	Mckemg32.exe	97
PID 3240 wrote to memory of 3164	3240	Mckemg32.exe	97
PID 3164 wrote to memory of 312	3164	Meiaib32.exe	98
PID 3164 wrote to memory of 312	3164	Meiaib32.exe	98
PID 3164 wrote to memory of 312	3164	Meiaib32.exe	98
PID 312 wrote to memory of 2660	312	Mlcifmbl.exe	99
PID 312 wrote to memory of 2660	312	Mlcifmbl.exe	99
PID 312 wrote to memory of 2660	312	Mlcifmbl.exe	99
PID 2660 wrote to memory of 3120	2660	Mdjagjco.exe	100
PID 2660 wrote to memory of 3120	2660	Mdjagjco.exe	100
PID 2660 wrote to memory of 3120	2660	Mdjagjco.exe	100
PID 3120 wrote to memory of 1284	3120	Mcmabg32.exe	101
PID 3120 wrote to memory of 1284	3120	Mcmabg32.exe	101
PID 3120 wrote to memory of 1284	3120	Mcmabg32.exe	101
PID 1284 wrote to memory of 2556	1284	Migjoaaf.exe	102
PID 1284 wrote to memory of 2556	1284	Migjoaaf.exe	102
PID 1284 wrote to memory of 2556	1284	Migjoaaf.exe	102
PID 2556 wrote to memory of 1924	2556	Mdmnlj32.exe	103

C:\Users\Admin\AppData\Local\Temp\9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe
"C:\Users\Admin\AppData\Local\Temp\9e24d94041cd08bf1d98d5b6be5f490f0e99f54383101b3e1cc06c414026f786.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\Ldleel32.exe
  C:\Windows\system32\Ldleel32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\Lfkaag32.exe
    C:\Windows\system32\Lfkaag32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\SysWOW64\Liimncmf.exe
      C:\Windows\system32\Liimncmf.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        27⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        39⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        40⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        43⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        45⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        59⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        63⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1644
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        79⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        88⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        90⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        91⤵
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        92⤵
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        94⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        95⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:532
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:892
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        102⤵
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        103⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2224
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        108⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        109⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        111⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        118⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        123⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        135⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        141⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 396
        146⤵
        Program crash
        
        PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5192 -ip 5192
1⤵
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
413fcd19d93eec1c10ab9a9c7daf0f60

SHA1
72aab1ab4d2abcdf98e1b6a13ac1d74cf121b73d

SHA256
74b72a7f5c7f5c5824ca5f7aa3dd093f6379d824f06910144f22df347a21eb2e

SHA512
86671f336d8aa252f2f51d4d939d53aca2e9c98cc72ca404081d47fead0cccbfe41ccc33e3c6222c0708b4a512f36f862d4e54f4d06ca848556dad3c2c768b38

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
96KB

MD5
ad5d286be27d768df9f8564ea0960930

SHA1
55615f2dcacac0aaec514939ba29a8337b1db891

SHA256
875d74aac96e420c934e41c42270d1ef1e86062f964064a3361c3110e8d99adf

SHA512
3d793be18faf535d24b8badb39027f83574a1dd8d40559b30f278ceddef3e343daba63f29f3844de69662a38d1847f151e3cd898aac7bab68d837e00b650e7d6

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
96KB

MD5
085c99febc07d321fca9ee0fa64131b8

SHA1
471a9fca42201671acef0523f52846e6b5f10a96

SHA256
eb5856e704e7a1d753fcf979434c5677b6eb1d0dedf77e984cd7afecdb8a2dda

SHA512
3cd37e70b118f086497d0a7b8e422e568a0332806cb22fff42d7851508f9e3404139fa06fdcbe4dcbbd4b9289e26e9f31b8bdd5fbee3e172070f0170079b779f

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
83b551ad2dc33422e0d72657f683156e

SHA1
f88613eec5d1f40402c5da50e01710c6395753d6

SHA256
9ebf03c7bfea13308f1bda63c7a1ac448eb7f78956bd3c831acec99a5ce42460

SHA512
f7abf9bf0496090ed54dfc4f914be279b91ac890eb61e9e25bcde5398fe6633a1299dad47dc1e69abb030abcdc6257ccd8ec9a4a5d3b0c8517c435ad58eef640

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
fea03d593628f8ef4ed42d153a235abf

SHA1
042c88fd1c3bf905642675c193eb948f9e637317

SHA256
aea6699ad032f0ec20b1fd06df96eceb9633871e878427ba06353f7c5850858c

SHA512
79af3b16a795516f740d5da11ea6bd7cd67838a6d1d45a7706ad1234edb2cbe5f65332fa6d33dec035e8f405ee5e6f5a0b871c7ceb9f99bed2ac67870c9bc547

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
8ea83d61a2c91250e1cf9fafa72e47c8

SHA1
7d1565e09632bd1ffa784d4a64e60f5122bfd047

SHA256
034c8cd3d5e7cc9b6f30bbd0a803765e1002cff965234fcf2d46a4ed55f3a6c8

SHA512
7b18a23524ea51b4d23863e51c460bfdec1ff2bdc34233c8f9a6a343c3ec44dde162a8afdf41c1423f0675e136fdc2c14325d4f0a1b37c059935744cf0a91d79

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
96KB

MD5
ea2e02846fee9243d3f9ff32b7958003

SHA1
e422b3c3187c5384f2243d73262532e441a3d2f7

SHA256
cb4521d9f1e30bb445d9d5b8b0d7b21c063801f37d3ce5a2a1f6c6be492825c7

SHA512
e1b59091c5b9d8c4ffc0efddd430753d120ddf78c41756b61bc5b618b6e615479c2ef7d745f9113d77d89f7ded4f94e95331b544d4c984ead96f82fd3df601c0

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
a407de6766a1b7eaca08b8ab0c067804

SHA1
b22a40080fdcbc44ee59611d45d94f801996f8a5

SHA256
3cf90f70efa69c12b117ef02e8db52c23ccb9e19ed1fc09cc11ab9dab8aab28d

SHA512
d133d4fef310dc45785054979ece06bf0b755e7c003910e02d931aeb21a34c19c318b5d547c6ead061ee5f3a28e2c6d2953bfc852fc92e79dd66c07b763d001f

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
96KB

MD5
8d4aa24b0ba4dda080e3f53a404e0645

SHA1
74c56941d6529889225b9072744d94ebb09cfae0

SHA256
1632073ab5e844c634f32ed0921d10a4a2d5d2536b67aeee89f3de2b2d41df0a

SHA512
9b1c321de90d4e2d99566c4a077d1af7bb9324ede30251aa54782aca40867687d59388c7c8d608c56ab35cefc25a610f5733cbc67c6be0b39cbf449880df4550

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
349928bde07b3b7bd4ba8bf2c7b4c727

SHA1
ca996293f69f406377c6f0c255c662b31ed2abf5

SHA256
37d65cb5ddeb865668d35b150d8f65e4a198cc94da18ac97aa5f49536c3f8bbe

SHA512
e35a82303bafafe3e2af5b4654770e58ebbdea19d58e6bad91521c7e38d77d680c7e25b4d6b8078ed85df08c97d17af05d19bab316e3125db4665a8924ea0af3

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
96KB

MD5
c918ff211d08f118f564ce239d298130

SHA1
d90c0933196d8724dfa5957348d292e4aea9c866

SHA256
8dc215349319e6c7276ece78629c573b9ae094c6eeceed40bb8c6dd14a56d605

SHA512
e1560bb8ac3b0dcaf7fff2b32ff63435ea505444fce25d684ef9733053440bd8a1615c945686376aa3f3872ef046c026d965fe8caf1a8cbbd68d6feb11939ed1

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
2838c24e554ed46536b4348553bc59d6

SHA1
11a05eb3505a20f40a27da77e44b4e385f94a085

SHA256
2e9819f1c482d495d2c68643d5fd4e0f0c8580796a50cdbf56f7da847855ed4f

SHA512
b498ee72b65bac12aee092f4f66cee7785b248d2254e4797279e5f6738f16d763316ab6b6557ea03e73d9e360c51c58900d16a483dff2a359abce77b287a4d85

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
07e33c1747fe635b976a94aad980356b

SHA1
940d113d8c0613b16b5fb64677e714a1bdc38c99

SHA256
22baf5cd4295d2fc0968c94f0714d453ecd7af3789f40de528f9c7dcecd9a2dc

SHA512
41d8e2830b22d220e1c0d6ccea8a53ef0ea52b2ebd1ff21e4d34f859104f29852d377cd7d3a9d7f49e4ad7c0f7e4eb71a65f59c10e6ab83fcd52d0344baab054

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
29f98f36d1cbebacda96112359ad45d8

SHA1
e4436833eeeb11a5be9f79526fa06139d243c412

SHA256
56273053d7cf2c8b7e036de7c85ac7ea13257f41f2da10b35e886ee7a655553d

SHA512
32c0e16625d9cf48334d2dc1fe9780b36e5f1efefea69f316c16dc9ed45a0d70f9b7d2153548913537f7f61a31ff8537c0de4b987df0e345a52c6315fb30bb74

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
19e94b079de9fd415f1e228c1ee62113

SHA1
0458a85eab587f894911024a62c783fc25ff326f

SHA256
1eb421e5499d05a4ffdd46c15097e3ec7fe57da3e5710b690d6c5a8662c7e6b0

SHA512
c150be3b277b239d821e9ceb96d2e32fc3c5e89b72e33a33611ae23cf2a11201d3035ff87498cdd62e856c4034a217ef1a4054ff39fd87d7de237c9ab2556ee6

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
262be34e7ac44e1a8bfb3c554c19273f

SHA1
c2e8be7c4b20361ef599f0201d4584e8dcecb8b2

SHA256
4fcaa3196a3dc4616db53f0c339e424e1f17cae021a25d1074fcb9219d6f24c5

SHA512
647cd9be8ea476d708a7397be85997fc669137ea7684812bb8659db2b2870a2ba82429099789589ced3e09d3e1c0be3f9a9f84463b86e6849d415c08a032b886

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
17483b883d1aa0f9a804292efd60c75f

SHA1
20ad6c9cb684230e6905d760b71d0af93906d4d6

SHA256
c46e12e4b0ee6b94f93be80092acce1903459304484b06c190402da34645a2e5

SHA512
e18e4ac9e65c42dd377c6dabbdd680b1c9845067d8c6746965f9c4e83d8599f9d361208eb02f87175bc54a476382ebb96a971455a904ede6adc95bd30f254e6f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
28ff6d5804ee97f1b52e7b941cc07d77

SHA1
dae1ceb8f627d3c63dc373d0aaca9df06f73cae5

SHA256
e863bdab36ec4dfb2b3b6d84d385a6e310ddbbd2f3548de49c8bff3dc538b298

SHA512
b62a2d534a37d62f4c6f5611b669e72f58df2b21e853aebeefa202409eecc38085c464a0be91db684fe00c093fb6dd0427755164eba9ceac55af65247fd74861

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
6455fcc68ce16e8376acb0f564c8d975

SHA1
16e8ff16a0fca3f40475f0fb86b741229f743eac

SHA256
b4ca3f38cb56fb4dadeb82807d5df6748daaf028e736f93042cf65be4c141682

SHA512
d8eb7e92960529755a5dbe28717e0b21457844bd14aa346fda3ee32133da496159e6c16fff447f3a162bd9b81b303289996d6de2cf6776f74ec28552ede7b432

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
1db758d42a5ccbc798f622727e26371a

SHA1
2ba8bb4e9cadd593c940822df823f5f1b6d3bc9d

SHA256
5d6c3514d753261c06bc204493b74dd89bca94f1a3d3ccba3992ac3377c2171b

SHA512
1864c2bfd2832622917541608f0cf860bba2b596e54e7f249cc9e7bbcc0f272a7193684e02af8f342fe2e0611035d58dedaa5c939588ddae3c2ba5f139a0a0f7

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
91b599dab44a9d5a43142f8af626ee0f

SHA1
fca0e99a3f0c6f79b707e02427fe6c880f8159ae

SHA256
a14a49dd4ffaa7399c0c0df81c6e4b61739d76974ec8bef79914481310418e49

SHA512
f2a4d5470536b73c18ed12e7e0cd11ca8458d82947a3845be6355a1d7dc7872ed42e3155eceb98386542a6f1fb025c86b10ddb13ab14b64b23deabc6e0c11c3f

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
96KB

MD5
446a38ebfc9a183f2a67ee6786e93bb9

SHA1
5445f20bc6446f0a4cde8d394f90925977537d8e

SHA256
d3bd2863202eb8e1f3897f11aac3f98df59a29dba1df8758ecb951eb24d910db

SHA512
6a1fc9a0e4488a8eb632ba259421ebe5e94414491d73653c681f168cd26b8b5073d598c63c47d179a89e002a33f9f35902b2ab8ab4b24630769c447ecd7a2bb3

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
96KB

MD5
82bef4622ecd55d06ebd0f85aa08cdf2

SHA1
bb44d2b24bb0d776593183d53e66904688fc3edc

SHA256
90d052c8bc49443fa70e730a7756be776dd49a9f567a6f03fc8654289aac13f3

SHA512
ebbdedd5c98f525b516190f416e84c9d436e967f07ea4b86cd9f77b9381e2887f412d82797394658439568a9af17ccb2d2c05dc81079848a9aed79d1e1f90f0f

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
96KB

MD5
b55e03ccb68cd78d9b09524c85349be6

SHA1
ef7f729f2b6abdd2ac518a1cdb870825683a684b

SHA256
a64ca0ce6d76024d80e4fa0316d71b0e3cfa5224aeafed4b6328cab0b73b2812

SHA512
80d6da3be0f16d87c54388a59bdf2af854b90bd01940ad9f026d1a0ea88735166e8459336fd10dd95b2104fa372ae8e03aee6526cdd11297bdced5b6285903ee

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
68b3acdbedc9f1645d972fc0a2e90f3a

SHA1
86622169e54a1826935571e9c6bb5478fbf082c0

SHA256
b06eb2b0b4e387673ade47098ba7ea0ab360e2c9223386597988bf3a1fbdc755

SHA512
9879b7621204795a9c829aad8b7886e38e6606bbc73fb860789702118086de1c88443974103133e25953d65d2ec58215a5acb9e0e7c3df5b42d1924c5e43047b

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
96KB

MD5
46e31c3d0b26502aeaf5218687809918

SHA1
b7fdc60463ec4902b2397bf81d2ccf00262e14d9

SHA256
1de2c7f73a94bdc44d6cd4cfed8c169c1e3ba786f6f0d4fe7adaec8b83619d48

SHA512
4eb10f83da37070444a42a314e3f6d47a5e04fd2f1226032285f20a95d5d9d46435376991f250451639475805d3a83180d1070991dcd88b78185e372579956c6

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
96KB

MD5
297bfa781291849fa832f333295a3e1d

SHA1
fcbde8e69bdbe9cf7c70dbb103827e2a3427f540

SHA256
42c4eaef6f399f2898c68f80888c73177258193ef8b1275ad9c2a3948da5a170

SHA512
74eb29359763a0fda6eaef235662d1a09f4d6737d1f186a9da6a55f0834dd71d49a58fdb88749e87a74b4c201e2a969a1cefa82b92cad548251fb398729e7626

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
af871b46696390e1e1be59a6f5a57235

SHA1
5b930c6099e8358d7aa008355af2af1df7357392

SHA256
8b288fbf1ce8ea65f7822cf4147d07b619773b9221a992234b180f788c65818a

SHA512
690b3e3e49afaf94d3bcbfa45082d37ebb3adde08c997e6a67bb2ba447b925de5fffec531639184b25a8cfe57dac3529067e7ea5d7dd1f710fa86ecb8ec238f7

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
96KB

MD5
55c587a0d498690bbe25f113fc325fc2

SHA1
cc8c6d6f1a8ddaf3e69fe4c660127a718caf5c51

SHA256
c3c1e0ec3fe6be942d0e0a5a3b8bd484bfb2a8f033e2ae586eb244a1f07d7a72

SHA512
af72cfda983370dba2d60195a6c6b53538cfaa30afae17285e0a94f2a6218dfeff8e068415713186ac1eea4ded54fcf46841b761816470242151f007783f80b0

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
96KB

MD5
7efe1644854f7e168a5ad11b2687ef18

SHA1
546635dcd908b0dd657448b23e6e09d3b10cce12

SHA256
d988d70e88727fa3c83d70d8c5c40e5d9265fe6873216b9e2bd88012ec9ad5c1

SHA512
134423ab77c8a8641e31d99dcddd178989a40142e8fb4b63daa52ff39e383e7b99b47fc22211249d3d4d3c2ff22eccccd4184a8f3d3a2a6081398b316949919c

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
055fa4f3352e6626372744ae81c3bd92

SHA1
e98df63cc1b92b4c518f703dded4701276a269fa

SHA256
ac1e69aabb2d54a2aa175843ae6c2998dada8cb9ad82b05f37073ecc90fdc847

SHA512
e61350a10974d63e46261d92caa7e224c99da99664a34db8fbdbdc71cc6c847657453fcf8fe2f1e736154321c37be7fa9fd4b20ba113734c1af9ce90636efa4f

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
96KB

MD5
9885ccdf4de976324adfbb87d4e70c03

SHA1
c5edc7e3de44e0f01fc57de4e095a4ba1ead0da3

SHA256
eeda630a74ba7757f5fe5eaa5339f655dd0634b6981cbf24bdcffc87858ed1d2

SHA512
22a588d19f60e33f5dd91ff2788f89490b532a30274de8793d1b56431a3c8110ba7767fcd40853c7b5d377419dc36b817f545d4e8138e6fd37eb35a4e4c75028

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
96KB

MD5
aa1708d07ebab124836e8abb34ffa0f6

SHA1
799602fbe8d067c3427dbfef7c30ead42f26eac7

SHA256
beec1385ab5814e539c464b5db6f43a5419b0f395c35484bc71c0c8edd16ea0a

SHA512
2e6f20617164215625813f60d1aa76591cc6e70959527eaffd97f602ff5650cfd28a19e8dc7b82dd24668947401c459f6d2f8e24a98cee556c0c931a6ed5ba76

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
96KB

MD5
354b08cdf1c6278428fff93cb631e3e2

SHA1
6952983f89d5be48b726e095aa4ba81eceb70e7b

SHA256
8bc1ced46cb54dd2fa0cc2aee3d3bbaf08f04ae7b0f67180d96354135e852ebf

SHA512
c4362df7de98423309048a0183b9446632f40ce985b88b505414b48d8479f3561019d99462bc547f7d7610be81e06912dd3f7b1578d8237d99b69cdd5d8cb5d0

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
96KB

MD5
9d36b1b347488214c5fcfb0f5a244eee

SHA1
8eaab4fe8130f764ecfb27a67e48b0650bae0b0d

SHA256
29c104633da575cdaf781010fecc5e85f01670e6226d8bfe95b807b98000dc77

SHA512
638b2f36b3c28d2c5402e0d0ff9dc10bc4c44e13026a3651869613dbad13a07e2fc277135828c606c43be677914b516e4f5fae46d1590bdf97c8bef3583539d0

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
3d6b85d6f375bbf8144c155903e0068a

SHA1
9a4bc57164edbc83d77619109ac184287414bb78

SHA256
853ef7689f49aa709bfc2e9d086a0d9d404a90ab8eaab67b13b16f0b16eaa0b5

SHA512
1b88704e12b6a8bf2035393adc493b81a7633fb1fc5b227a8e5779286af792dcbc6b0d5c2930d4b58667a6baaec2daa30b6b943218b3fd5c7c9a21504c29a001

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
2ea7adf0455c676af4cf51e50a9b7bab

SHA1
644c8981e69e5118595e8632932650637518a53a

SHA256
25aa5bce1dd37bcbc09811bf82247f0d360908b9c0ae29a3e27f8046a6fa4084

SHA512
8b6def17e68409e21cdf4c5a26903fc0c2b3134b9133d1b52943b9e70eb01ee224568b5277bfd3b5854b5ca6fe524fa9001a8a3c27ddfd926fa35c887c6005df

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
0da0d1c81879376f8b6ad957d441b870

SHA1
ddfcded487e0c465d9be770cac0bf17276b4bc28

SHA256
e7659afa6c4a9e45c7799f96188153b9685579487f271567ca41fc784aebb765

SHA512
bb912e40f643d73fada8dac9b61e1ef1c62f8a2b0a5e3acbe6ea46cde9925b0737634ced4346d1832abd1b1fd3af81072cacef11c14bd2967918e130f345e60c

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
71b4836eecc8c6d703a79626214da729

SHA1
92567f7892d1c70904aabbde90e784e60604e49e

SHA256
d4b9fb1de84bceaa42dbb3eb58d09865be52b60bb56ceff800d88f363e76d7d6

SHA512
0a9d0f5f439816791155f704bfca71531e3f04ad60462aab6d6a4a5e10a135b8498a4eecd75d1329172687819db4e8f7c3afcb2e533ad9390db182c5d14c9eca

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
a23f3f63b316435cb1ff3e760e47f206

SHA1
d809d06d11e607c89b652f188107f3f1e5f4496e

SHA256
a744b7b4d01eb4b3da086eb9829fa8653020979cc1ef566c59f15cba6f3ee3ab

SHA512
25134736d61928c6297d63c279ee230617edaeffc73dbd22f1244887f30797b6f595c186aba75944009f4b484d692e8ea1a47313862920095fef08fd1c084113

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
96KB

MD5
b98403d407d5aba348146347eb1a55bb

SHA1
0cdcc001c2b7195c1c7931c31035fe5c1e318ff1

SHA256
229c94bd2401198c1391ea1d9d8e1999f3920ec4b32ef2b4f6e1791fe9342c83

SHA512
b2a58a1edb9ed2ec3fc3b0a25b17e1d6df54bb53ddfab9c8bffd3ca813fcf08b8f1bce8a416fad085eb64d673919ea255799c08d3599cf1d551d0b147ab00054

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
08ab30e0a82758fea79bbe9aab79e084

SHA1
2f84299070883ab630e941be6f6932df67ae9e5b

SHA256
41eb48fcecf1d26ef8fa5d6b4d1db22010bbbb533b9968bb9c25507a75138ec8

SHA512
6b57905e675d0d394d6d5199921603263d8788b762fd475ec0944469e36fa836bdbdb9b68f92592f3617393bb4ab90cd58c06459aa6e8de7928707c4a17bac39

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
c76e831e4fb8c149b9b90e0900b92ed7

SHA1
2d1e17fbc959161538a7fb5d8d69019faa7e7315

SHA256
808adca0561633e9837b6dbc722f7a650067d0c973aea51522884ad6f198440d

SHA512
6dc64e2d6fe51a6ad8da92e544c6d75fbc5cfc6e82cee16043a26ee4e93691d3e71078bb837f71ac81e9755126e3b4a73bae96aaa3231c20dc4c2ed36f210c16

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
ce36a5cd8b8c634e54c79cf2a2a87304

SHA1
d71def1fe27308d9209a9b443d31a10d0eccf7fc

SHA256
68cf1ec6b00314768f6027f4d3e344a2bd3a718759430142142c8015e8cccd7d

SHA512
06b09781c59f92e78f5c0ad1bd47714a5513ccd767ba77ce1db52f82745dc790bd635e2b6887bc06d1447af6a7ac1c27f4b4659cb75e39b85fdd2b38a2a1c610

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
96KB

MD5
40d0087bce736401e4401d24021a5bec

SHA1
62b4f118e9de348933e665ee98446fe0af96e6c3

SHA256
b0e287b98c75fed63014582f4dc5c2b0c92f7c9974deed272e6db8738b0be1d7

SHA512
86b780da78ca4e04a5d35ccca697593f4e3b163e5e3d75bcb68094ee8587b5b799a925439c2bc55a4e4b708e9498da619e2044627dd8c65caae9472c58214eb8

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
ded88f4a5bf18da54da917b9ca5b92f6

SHA1
30573760448b1d2c8b37251febf9a2341779e78a

SHA256
f56b84488798ac11677968eaf13bd5b5b906b3173721ef65077c1e04e86268bf

SHA512
9305168fa64ba56585dc23ae1c8a4c08e8f62b76d9649b742e32605258254f4ce446d19c75c1ef8169d2ad66a5d4def2e58d958043a2415efaa0331630ce89ec

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
78d1532b64c647f5348022f326bfbe1d

SHA1
6001c041473646185ccfadc16f3e7726c44b5c3d

SHA256
877c005afefc314a512ad282a4ba39d1fcdbe4767020e2c6e068af10f1c97219

SHA512
253c2093b3a38b77c15f003a0b59f35c297930948667859328c759738e0771df800eeba8ee705099f27fefb724f163d5a5e0f76e4fbe77290f84030334077fcc

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
96KB

MD5
f5711d4453b60aed86f315248d8175c3

SHA1
da6f1c0980b0fcb1ddfd9258dba54cf2e293ecf0

SHA256
7b8b6bbe63b4600d3e8bf55710fbc02d9efbada39bfb263014785715e9cfa350

SHA512
fa2c81056f23699bdab0d3155774fd496d6026c3ae692961b8f985b68c77f1b54676359b82d6ae2011bc81825057cd22a53146a339db52c793495e2bba667c26

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
96KB

MD5
05bf4dc500210942b125a5b2fbbbb78a

SHA1
32b8d97d5b8da9b3ee93f4c82738a19e72c0264b

SHA256
1cde33d220bff4e1328c48eb90997286feb5771016d898d6b1433c95804c025a

SHA512
132fe3366c0a0de70f86053614caeb053e568870126316de5d1cf2a883d44a1ac38d5711a288a5a9ca34ab534fc315f61b3b82f00a077d66426d946d532ffb77

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
96KB

MD5
59ac0c261d6cd0d6fb87c858e479b99a

SHA1
a5da7ac7655f6b4968609e73fe5caa36929d0843

SHA256
e39b664e18a1f9cd3ac02e3159c835411efc589ca19b0bd4f45085370a7c0d8f

SHA512
9701a2d6fc302386b4563458038fe598e7a9ad96bf12fad8a6f01ad50a4a770290d8c7943e6707672134f7de4761b13383e18c1f05b8500841539be0a55f15a3

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
96KB

MD5
242026ebc5d282089f4d5f61d6f24d23

SHA1
bdc8a56feee54fb664183701d1e01cd5a88f71f3

SHA256
94f9cfc2981594a902d59536fb5da4d98c2539691f3b938c017745b022da610b

SHA512
185d1d41d1ebd1217373737866e7dcbd2e1f51e6fc9536108471a6506904bcd52e5c34ed603a4c013ca62d0077e983cf0a087a452882d7f40537436bb23fe48e

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
0cd4e7a1eb9c3452c5e9aac4b2a96f94

SHA1
dcacc565c29707cf97d66ea2e6b7a38b70f0c335

SHA256
1e20eb74ddad5b9256458be9e9c6a0bd11091a9c589e3699233cb6ae1e4bbd72

SHA512
6d764c442633dd07b31f0283e48ae5737d1a0e8ae2176e88d03bd260a2689d5728a6bf81a3474ae9479e0ed5644a5c0b4bd18a0cbf532f36db790691d8c8f402

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
81cc9644472501ed92d144fd51be684b

SHA1
0d8c9c481617f7691499bd85825e6a6303746b14

SHA256
26ce20d889f63c8091788b053227dc24c69cf64c502b7b2d7bf04ea43ac2d22f

SHA512
247695f4da6df3f6c90d99950ff494d5aca6271b0dea08e21b04cc7e8509421bee1bafa95b87dde3891a22f4b96e1b2339516fd840e069ebb0cb4c8680896d2c

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
96KB

MD5
b9d0e5ddba6f46b9bf2552a3aa6dd1e6

SHA1
7f632a94f91063f4b0852ea24ae584913912d3a6

SHA256
9b10bb9cd447c8b0869b7c94ab84f47c0278c99e60f4a390c65bc2e9300e816e

SHA512
49310d410a2c1ef5f116a7e8c343777ef41bcf2b05aa8d7adc24e6f34216589aea0973d1dacc79bbdac344a1a32c19ef55452c30684e7a3c667da13b535a524d

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
cee3b27563655be74ec1e223197e466d

SHA1
73c7a616440770ae6128ac2506c652f44d112ec3

SHA256
04bc8219bf3e91862f69a7f6f7801c97b41b622824e9808d6c3345b13536b135

SHA512
09e27afb129069194b37dfec8eebd56d110f8515559cec1c02c596ce05af7186ea6b712de64ff2df7dc5b1cf6a783b64ca35a2a901923dc13a6bbfea5d738ce6

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
96KB

MD5
49638440ba6b10b3fbd57cc0d5ccd3e3

SHA1
e4b7bdc7602c4ce404b3a50fbfa933539843c5ec

SHA256
d3a7217d3da0463969200b22f541d5163391df5129abaef7c02dd4a36f855670

SHA512
8dff268a6a58ad0352bf23688c033dc58b795441a0763b86bd5f8aedf4adf3a735ed70f30eb4b55638a82d014e9b05c1e7eb7deec4d80eb054f53109d75362ce

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
64KB

MD5
35d02a06ddb7f7ec213fd1bb661bffeb

SHA1
2aa929f8ee76a835d1a18d7000420c190053298c

SHA256
0550c7b9a1801323cfbbdde666103cb143629c6c3b0bd88a6db53a380c8d5fa5

SHA512
724543cd9e85184bb65df817d91c790350ed90692675f0aead603abb788e38e5f5436970f856865341715aa5bcef2ec0b7d798d0031c25c0596dd2c65d3d6adf

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
f5b206ec631d7f2fea6bccd8b550a9bd

SHA1
db517aa5badda1e56bb8e609564bff5686dfcef1

SHA256
59868f5a359f80d0f9ee7df88adf7559223f6039024c230ad4919efc9a080f95

SHA512
7d7291b97e5cc64b5d83597bd0d71c02241549c7def0cdf1cb1523b32efb09dee9a86c9214285f18c0aeeb56f696cf8bd76d8dd21c6ad4425b6f4fe705f474ad

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
a505ca3c6127ed6e35b17c500f8a9c7b

SHA1
ed9b1873d1de80947613798bdd7713b36a6fb742

SHA256
514f908e1f14bb0bad138aced6fce26da8a568ec0efbcdefc06107888be3ecf1

SHA512
070da6a1a1f546f02d4b0541fabdfb553f71c3c455d52f0c299fd0a6dc302da9f7c84c963953b0aed81cddfb6c3382c1dd5b2a1c201b25e2a28cc4c95dc95dba

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
96KB

MD5
cbb7b02e0b7d8f0f79569f316fd59cf2

SHA1
72d2e080c502c66c8fd9ffb01ecbf20da27bc8cd

SHA256
93d4d88bca74159d6770c017ba75dfa0748d8b49eb1b728e217b85090702536e

SHA512
d016fcb141f383ee824cbaca880534931090a8035a65fb3fc48940bc8aafbfe152b34e46a2b0584a001ebb06e4f721557da06518b6157a78b6da2444197200fc

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
96KB

MD5
86ca9c1348f959fa4503b8eab48fded2

SHA1
c61eb7efd76bdc6b04f62212b8c79ddbcd8c6819

SHA256
4f99b0ff44df8dd518cc95a85c03e6dd8144e66f5a56cf2555eae3370d8b082a

SHA512
525ae6d2fb0b66deba922023622b921eb57a8b7dd8530b65e3933abbaa14598aabd60bacad3616eb9289b9bcaebc0cab59952e33841f0dca2427e9d04c795d45

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
96KB

MD5
013e61d8564f6125725c8033ca70a59d

SHA1
51dfdd6dc76b2e9f537901f525a5bf65a2bc1e73

SHA256
f42699305a10fc722c8eab218fee5b3ce102d1b2f3dc7adbbbe3c9ff3c1cae4a

SHA512
d90354ea1d5578f5b34e8816db7fd92b72973c3839858fc9438eb5a904183e7f2bde7fbdd340f62c41d70af0a0b54a1711eafb189d027bc3dc6099360d79780a

Download Submit
memory/208-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/312-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4388-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5144-1019-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5192-992-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-1054-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5576-1007-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6032-1024-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads