berbew | edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570e

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe
Size

96KB
MD5

dc6bd5d14b701e77260ce6223ff412e0
SHA1

922e0d85ddf22eb24b5eb5a7c9d7aacba9aaa5d0
SHA256

edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570e
SHA512

4e85814b8ba7e11b02e7e0a4b9bd7ba9fccd778925ff6a825cf31066005f4751c1f2dfcf5d3099b130bc502fd87661ebaaa3f71ecdaac9499d4cbc7c811482b3
SSDEEP

1536:nCFNWBIkxht5AL4oskdcdrWALFrmUoSoNREa2LN7RZObZUUWaegPYAW:nCwF5u4tkdcdrzp4SoCNClUUWaeF

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akejdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alicahno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbknb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiojqfdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lophcpam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnefiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqpgll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enagnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjlaod32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjdpcnfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmdff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdbdgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcignoki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpkhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alicahno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoilcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eekpknlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghnaaljp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdajff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgbcha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqamaeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnefiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjand32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enagnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkiiom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqonp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enlncdio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpijgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpijgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiojqfdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifelfni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phphgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddmkkpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhldahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmamliin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffcbce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goemhfco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgbcha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmppm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgchckl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gemhpq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkiiom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oemfahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjlgna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akejdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cqfdem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeicenni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foacmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghnaaljp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaffja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdciq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfemdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djcbib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjdpcnfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foacmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddjmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcignoki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oifelfni.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlgna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlncdio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gemhpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjgag32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001c850-457.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
2148	Kiojqfdp.exe
2900	Kbgnil32.exe
2772	Kiafff32.exe
2700	Kjdpcnfi.exe
2836	Kkiiom32.exe
2716	Lddjmb32.exe
692	Lcignoki.exe
2440	Lophcpam.exe
2032	Lcnqin32.exe
3024	Mdajff32.exe
2980	Mgbcha32.exe
2444	Mpjgag32.exe
1488	Mpmdff32.exe
2176	Mnqdpj32.exe
2204	Nqamaeii.exe
1280	Njjbjk32.exe
820	Ncdciq32.exe
1288	Nmmgafjh.exe
2624	Onqaonnc.exe
2432	Oifelfni.exe
440	Ojgado32.exe
1064	Oemfahcn.exe
2008	Ojjnioae.exe
2316	Ofqonp32.exe
2404	Ogpkhb32.exe
2092	Oahpahel.exe
796	Pblinp32.exe
1428	Pmamliin.exe
2788	Pnefiq32.exe
2904	Pjlgna32.exe
2868	Phphgf32.exe
3052	Pmmppm32.exe
2684	Qmomelml.exe
2036	Amaiklki.exe
1188	Akejdp32.exe
1260	Alicahno.exe
1992	Abbknb32.exe
2468	Aoilcc32.exe
2352	Bnafjo32.exe
2056	Bkgchckl.exe
2112	Bcbhmehg.exe
2384	Bdbdgh32.exe
1532	Bnjipn32.exe
2392	Cfemdp32.exe
2552	Cblniaii.exe
1752	Ckgogfmg.exe
1800	Cdpdpl32.exe
1712	Cqfdem32.exe
1868	Dddmkkpb.exe
1652	Dnmada32.exe
2480	Djcbib32.exe
1460	Dggcbf32.exe
1548	Dqpgll32.exe
2540	Djhldahb.exe
2880	Dpedmhfi.exe
1660	Emieflec.exe
2784	Enjand32.exe
952	Eipekmjg.exe
2448	Enlncdio.exe
3008	Elpnmhgh.exe
2964	Eeicenni.exe
896	Enagnc32.exe
1212	Eekpknlf.exe
1872	Fmfdppia.exe

Loads dropped DLL 64 IoCs

pid	Process
572	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe
572	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe
2148	Kiojqfdp.exe
2148	Kiojqfdp.exe
2900	Kbgnil32.exe
2900	Kbgnil32.exe
2772	Kiafff32.exe
2772	Kiafff32.exe
2700	Kjdpcnfi.exe
2700	Kjdpcnfi.exe
2836	Kkiiom32.exe
2836	Kkiiom32.exe
2716	Lddjmb32.exe
2716	Lddjmb32.exe
692	Lcignoki.exe
692	Lcignoki.exe
2440	Lophcpam.exe
2440	Lophcpam.exe
2032	Lcnqin32.exe
2032	Lcnqin32.exe
3024	Mdajff32.exe
3024	Mdajff32.exe
2980	Mgbcha32.exe
2980	Mgbcha32.exe
2444	Mpjgag32.exe
2444	Mpjgag32.exe
1488	Mpmdff32.exe
1488	Mpmdff32.exe
2176	Mnqdpj32.exe
2176	Mnqdpj32.exe
2204	Nqamaeii.exe
2204	Nqamaeii.exe
1280	Njjbjk32.exe
1280	Njjbjk32.exe
820	Ncdciq32.exe
820	Ncdciq32.exe
1288	Nmmgafjh.exe
1288	Nmmgafjh.exe
2624	Onqaonnc.exe
2624	Onqaonnc.exe
2432	Oifelfni.exe
2432	Oifelfni.exe
440	Ojgado32.exe
440	Ojgado32.exe
1064	Oemfahcn.exe
1064	Oemfahcn.exe
2008	Ojjnioae.exe
2008	Ojjnioae.exe
2316	Ofqonp32.exe
2316	Ofqonp32.exe
2404	Ogpkhb32.exe
2404	Ogpkhb32.exe
2092	Oahpahel.exe
2092	Oahpahel.exe
796	Pblinp32.exe
796	Pblinp32.exe
1428	Pmamliin.exe
1428	Pmamliin.exe
2788	Pnefiq32.exe
2788	Pnefiq32.exe
2904	Pjlgna32.exe
2904	Pjlgna32.exe
2868	Phphgf32.exe
2868	Phphgf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Djhldahb.exe	Dqpgll32.exe
File created	C:\Windows\SysWOW64\Kiopjgdl.dll	Foacmg32.exe
File created	C:\Windows\SysWOW64\Mdajff32.exe	Lcnqin32.exe
File created	C:\Windows\SysWOW64\Abbknb32.exe	Alicahno.exe
File opened for modification	C:\Windows\SysWOW64\Enjand32.exe	Emieflec.exe
File created	C:\Windows\SysWOW64\Pmmppm32.exe	Phphgf32.exe
File created	C:\Windows\SysWOW64\Enlncdio.exe	Eipekmjg.exe
File created	C:\Windows\SysWOW64\Lcegdl32.dll	Djcbib32.exe
File created	C:\Windows\SysWOW64\Qmomelml.exe	Pmmppm32.exe
File created	C:\Windows\SysWOW64\Kpmbqj32.dll	Cdpdpl32.exe
File created	C:\Windows\SysWOW64\Eeicenni.exe	Elpnmhgh.exe
File created	C:\Windows\SysWOW64\Njjbjk32.exe	Nqamaeii.exe
File created	C:\Windows\SysWOW64\Fhlnomha.dll	Lophcpam.exe
File opened for modification	C:\Windows\SysWOW64\Eekpknlf.exe	Enagnc32.exe
File created	C:\Windows\SysWOW64\Lophcpam.exe	Lcignoki.exe
File created	C:\Windows\SysWOW64\Pnefiq32.exe	Pmamliin.exe
File created	C:\Windows\SysWOW64\Pmamliin.exe	Pblinp32.exe
File created	C:\Windows\SysWOW64\Bnmhejjl.dll	Pnefiq32.exe
File created	C:\Windows\SysWOW64\Dnmada32.exe	Dddmkkpb.exe
File created	C:\Windows\SysWOW64\Cjmfag32.dll	Elpnmhgh.exe
File opened for modification	C:\Windows\SysWOW64\Mpmdff32.exe	Mpjgag32.exe
File opened for modification	C:\Windows\SysWOW64\Abbknb32.exe	Alicahno.exe
File created	C:\Windows\SysWOW64\Kdabhkob.dll	Abbknb32.exe
File created	C:\Windows\SysWOW64\Dddmkkpb.exe	Cqfdem32.exe
File created	C:\Windows\SysWOW64\Eebnhbbq.dll	Cqfdem32.exe
File created	C:\Windows\SysWOW64\Lindbn32.dll	Enjand32.exe
File created	C:\Windows\SysWOW64\Ahqedfmd.dll	Pmmppm32.exe
File opened for modification	C:\Windows\SysWOW64\Dqpgll32.exe	Dggcbf32.exe
File opened for modification	C:\Windows\SysWOW64\Gkgdbh32.exe	Foacmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kkiiom32.exe	Kjdpcnfi.exe
File created	C:\Windows\SysWOW64\Begpdg32.dll	Lddjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Onqaonnc.exe	Nmmgafjh.exe
File created	C:\Windows\SysWOW64\Ckgogfmg.exe	Cblniaii.exe
File created	C:\Windows\SysWOW64\Nlgqod32.dll	Dqpgll32.exe
File opened for modification	C:\Windows\SysWOW64\Fpijgk32.exe	Fjlaod32.exe
File opened for modification	C:\Windows\SysWOW64\Goemhfco.exe	Gemhpq32.exe
File created	C:\Windows\SysWOW64\Lgmcjjhp.dll	Kbgnil32.exe
File created	C:\Windows\SysWOW64\Odkjhonl.dll	Ofqonp32.exe
File opened for modification	C:\Windows\SysWOW64\Bnafjo32.exe	Aoilcc32.exe
File opened for modification	C:\Windows\SysWOW64\Bnjipn32.exe	Bdbdgh32.exe
File created	C:\Windows\SysWOW64\Hjgefg32.dll	Ffcbce32.exe
File created	C:\Windows\SysWOW64\Idlfno32.dll	Gaffja32.exe
File created	C:\Windows\SysWOW64\Kjdpcnfi.exe	Kiafff32.exe
File created	C:\Windows\SysWOW64\Pjlgna32.exe	Pnefiq32.exe
File opened for modification	C:\Windows\SysWOW64\Aoilcc32.exe	Abbknb32.exe
File created	C:\Windows\SysWOW64\Cqfdem32.exe	Cdpdpl32.exe
File created	C:\Windows\SysWOW64\Fpijgk32.exe	Fjlaod32.exe
File opened for modification	C:\Windows\SysWOW64\Fooghg32.exe	Flpkll32.exe
File created	C:\Windows\SysWOW64\Mpmdff32.exe	Mpjgag32.exe
File created	C:\Windows\SysWOW64\Bnafjo32.exe	Aoilcc32.exe
File created	C:\Windows\SysWOW64\Ggfehlqg.dll	Bdbdgh32.exe
File created	C:\Windows\SysWOW64\Lkfibnjf.dll	Oahpahel.exe
File opened for modification	C:\Windows\SysWOW64\Djcbib32.exe	Dnmada32.exe
File opened for modification	C:\Windows\SysWOW64\Flpkll32.exe	Ffcbce32.exe
File created	C:\Windows\SysWOW64\Nbbfjogd.dll	Kiafff32.exe
File created	C:\Windows\SysWOW64\Gmgejpfh.dll	Fmfdppia.exe
File created	C:\Windows\SysWOW64\Oifelfni.exe	Onqaonnc.exe
File created	C:\Windows\SysWOW64\Kiafff32.exe	Kbgnil32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjgag32.exe	Mgbcha32.exe
File opened for modification	C:\Windows\SysWOW64\Mnqdpj32.exe	Mpmdff32.exe
File opened for modification	C:\Windows\SysWOW64\Kbgnil32.exe	Kiojqfdp.exe
File created	C:\Windows\SysWOW64\Nofnglhg.dll	Ncdciq32.exe
File opened for modification	C:\Windows\SysWOW64\Oahpahel.exe	Ogpkhb32.exe
File opened for modification	C:\Windows\SysWOW64\Alicahno.exe	Akejdp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1196	1708	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnqin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmomelml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgogfmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpedmhfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emieflec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhlhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgnil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdciq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oahpahel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggcbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqpgll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjand32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elpnmhgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiojqfdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqamaeii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onqaonnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgado32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoilcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgchckl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enagnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffcbce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkiiom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmamliin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fadmenpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpijgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gemhpq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghnaaljp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjdpcnfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lophcpam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmmgafjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oifelfni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfemdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eeicenni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eekpknlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcignoki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmppm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akejdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnafjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjgag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqonp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fooghg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alicahno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmada32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjlaod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkgdbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjnioae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpkhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnjipn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpmdff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pblinp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdbdgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foacmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdajff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cqfdem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnefiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlncdio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlgna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djcbib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flpkll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goemhfco.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qigefa32.dll"	Bnjipn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpdpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpedmhfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckflh32.dll"	Fhlhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njhhid32.dll"	Gkgdbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpaknfnf.dll"	Goemhfco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lophcpam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnqdpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelnjj32.dll"	Emieflec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lindbn32.dll"	Enjand32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eekpknlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbgnil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckgogfmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhlhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjlaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiopjgdl.dll"	Foacmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmmgafjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgqod32.dll"	Dqpgll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elioal32.dll"	Nmmgafjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdpdpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdajff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifnheoak.dll"	Mgbcha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqpgll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emieflec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhfjaph.dll"	Fjlaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gemhpq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oemfahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iicbdnjn.dll"	Dnmada32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cqfdem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmada32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biamam32.dll"	Enagnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lophcpam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oahpahel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnefiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokold32.dll"	Bkgchckl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnllf32.dll"	Dpedmhfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigmoadp.dll"	Eeicenni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goemhfco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgado32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmgejpfh.dll"	Fmfdppia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkiiom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amaiklki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggcbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqpgll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjnioae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfnhjg32.dll"	Qmomelml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmhejjl.dll"	Pnefiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbfjogd.dll"	Kiafff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmeqilpj.dll"	Kjdpcnfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmppm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goemhfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmphmlf.dll"	Njjbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqedfmd.dll"	Pmmppm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eeicenni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgefg32.dll"	Ffcbce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmbqj32.dll"	Cdpdpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enlncdio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fooghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqdpee32.dll"	Onqaonnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjdpcnfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgmncb32.dll"	Aoilcc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2148	572	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe	29
PID 572 wrote to memory of 2148	572	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe	29
PID 572 wrote to memory of 2148	572	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe	29
PID 572 wrote to memory of 2148	572	edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe	29
PID 2148 wrote to memory of 2900	2148	Kiojqfdp.exe	30
PID 2148 wrote to memory of 2900	2148	Kiojqfdp.exe	30
PID 2148 wrote to memory of 2900	2148	Kiojqfdp.exe	30
PID 2148 wrote to memory of 2900	2148	Kiojqfdp.exe	30
PID 2900 wrote to memory of 2772	2900	Kbgnil32.exe	31
PID 2900 wrote to memory of 2772	2900	Kbgnil32.exe	31
PID 2900 wrote to memory of 2772	2900	Kbgnil32.exe	31
PID 2900 wrote to memory of 2772	2900	Kbgnil32.exe	31
PID 2772 wrote to memory of 2700	2772	Kiafff32.exe	32
PID 2772 wrote to memory of 2700	2772	Kiafff32.exe	32
PID 2772 wrote to memory of 2700	2772	Kiafff32.exe	32
PID 2772 wrote to memory of 2700	2772	Kiafff32.exe	32
PID 2700 wrote to memory of 2836	2700	Kjdpcnfi.exe	33
PID 2700 wrote to memory of 2836	2700	Kjdpcnfi.exe	33
PID 2700 wrote to memory of 2836	2700	Kjdpcnfi.exe	33
PID 2700 wrote to memory of 2836	2700	Kjdpcnfi.exe	33
PID 2836 wrote to memory of 2716	2836	Kkiiom32.exe	34
PID 2836 wrote to memory of 2716	2836	Kkiiom32.exe	34
PID 2836 wrote to memory of 2716	2836	Kkiiom32.exe	34
PID 2836 wrote to memory of 2716	2836	Kkiiom32.exe	34
PID 2716 wrote to memory of 692	2716	Lddjmb32.exe	35
PID 2716 wrote to memory of 692	2716	Lddjmb32.exe	35
PID 2716 wrote to memory of 692	2716	Lddjmb32.exe	35
PID 2716 wrote to memory of 692	2716	Lddjmb32.exe	35
PID 692 wrote to memory of 2440	692	Lcignoki.exe	36
PID 692 wrote to memory of 2440	692	Lcignoki.exe	36
PID 692 wrote to memory of 2440	692	Lcignoki.exe	36
PID 692 wrote to memory of 2440	692	Lcignoki.exe	36
PID 2440 wrote to memory of 2032	2440	Lophcpam.exe	37
PID 2440 wrote to memory of 2032	2440	Lophcpam.exe	37
PID 2440 wrote to memory of 2032	2440	Lophcpam.exe	37
PID 2440 wrote to memory of 2032	2440	Lophcpam.exe	37
PID 2032 wrote to memory of 3024	2032	Lcnqin32.exe	38
PID 2032 wrote to memory of 3024	2032	Lcnqin32.exe	38
PID 2032 wrote to memory of 3024	2032	Lcnqin32.exe	38
PID 2032 wrote to memory of 3024	2032	Lcnqin32.exe	38
PID 3024 wrote to memory of 2980	3024	Mdajff32.exe	39
PID 3024 wrote to memory of 2980	3024	Mdajff32.exe	39
PID 3024 wrote to memory of 2980	3024	Mdajff32.exe	39
PID 3024 wrote to memory of 2980	3024	Mdajff32.exe	39
PID 2980 wrote to memory of 2444	2980	Mgbcha32.exe	40
PID 2980 wrote to memory of 2444	2980	Mgbcha32.exe	40
PID 2980 wrote to memory of 2444	2980	Mgbcha32.exe	40
PID 2980 wrote to memory of 2444	2980	Mgbcha32.exe	40
PID 2444 wrote to memory of 1488	2444	Mpjgag32.exe	41
PID 2444 wrote to memory of 1488	2444	Mpjgag32.exe	41
PID 2444 wrote to memory of 1488	2444	Mpjgag32.exe	41
PID 2444 wrote to memory of 1488	2444	Mpjgag32.exe	41
PID 1488 wrote to memory of 2176	1488	Mpmdff32.exe	42
PID 1488 wrote to memory of 2176	1488	Mpmdff32.exe	42
PID 1488 wrote to memory of 2176	1488	Mpmdff32.exe	42
PID 1488 wrote to memory of 2176	1488	Mpmdff32.exe	42
PID 2176 wrote to memory of 2204	2176	Mnqdpj32.exe	43
PID 2176 wrote to memory of 2204	2176	Mnqdpj32.exe	43
PID 2176 wrote to memory of 2204	2176	Mnqdpj32.exe	43
PID 2176 wrote to memory of 2204	2176	Mnqdpj32.exe	43
PID 2204 wrote to memory of 1280	2204	Nqamaeii.exe	44
PID 2204 wrote to memory of 1280	2204	Nqamaeii.exe	44
PID 2204 wrote to memory of 1280	2204	Nqamaeii.exe	44
PID 2204 wrote to memory of 1280	2204	Nqamaeii.exe	44

C:\Users\Admin\AppData\Local\Temp\edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe
"C:\Users\Admin\AppData\Local\Temp\edf26cc758b9483d4c2803daf1c1b1995f92eed4420160fb4f78cfd1631d570eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\Kiojqfdp.exe
  C:\Windows\system32\Kiojqfdp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Kbgnil32.exe
    C:\Windows\system32\Kbgnil32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\Kiafff32.exe
      C:\Windows\system32\Kiafff32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Kjdpcnfi.exe
        
        C:\Windows\system32\Kjdpcnfi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\Kkiiom32.exe
        
        C:\Windows\system32\Kkiiom32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Lddjmb32.exe
        
        C:\Windows\system32\Lddjmb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Lcignoki.exe
        
        C:\Windows\system32\Lcignoki.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Lophcpam.exe
        
        C:\Windows\system32\Lophcpam.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Lcnqin32.exe
        
        C:\Windows\system32\Lcnqin32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Mdajff32.exe
        
        C:\Windows\system32\Mdajff32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Mgbcha32.exe
        
        C:\Windows\system32\Mgbcha32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Mpjgag32.exe
        
        C:\Windows\system32\Mpjgag32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Mpmdff32.exe
        
        C:\Windows\system32\Mpmdff32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Mnqdpj32.exe
        
        C:\Windows\system32\Mnqdpj32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Nqamaeii.exe
        
        C:\Windows\system32\Nqamaeii.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Njjbjk32.exe
        
        C:\Windows\system32\Njjbjk32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Ncdciq32.exe
        
        C:\Windows\system32\Ncdciq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Nmmgafjh.exe
        
        C:\Windows\system32\Nmmgafjh.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Onqaonnc.exe
        
        C:\Windows\system32\Onqaonnc.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Oifelfni.exe
        
        C:\Windows\system32\Oifelfni.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Ojgado32.exe
        
        C:\Windows\system32\Ojgado32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Oemfahcn.exe
        
        C:\Windows\system32\Oemfahcn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Ojjnioae.exe
        
        C:\Windows\system32\Ojjnioae.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ofqonp32.exe
        
        C:\Windows\system32\Ofqonp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Ogpkhb32.exe
        
        C:\Windows\system32\Ogpkhb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Oahpahel.exe
        
        C:\Windows\system32\Oahpahel.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Pblinp32.exe
        
        C:\Windows\system32\Pblinp32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\Pmamliin.exe
        
        C:\Windows\system32\Pmamliin.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Pnefiq32.exe
        
        C:\Windows\system32\Pnefiq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Pjlgna32.exe
        
        C:\Windows\system32\Pjlgna32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Phphgf32.exe
        
        C:\Windows\system32\Phphgf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pmmppm32.exe
        
        C:\Windows\system32\Pmmppm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Qmomelml.exe
        
        C:\Windows\system32\Qmomelml.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Amaiklki.exe
        
        C:\Windows\system32\Amaiklki.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Akejdp32.exe
        
        C:\Windows\system32\Akejdp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Alicahno.exe
        
        C:\Windows\system32\Alicahno.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Abbknb32.exe
        
        C:\Windows\system32\Abbknb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Aoilcc32.exe
        
        C:\Windows\system32\Aoilcc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Bnafjo32.exe
        
        C:\Windows\system32\Bnafjo32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Bkgchckl.exe
        
        C:\Windows\system32\Bkgchckl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Bcbhmehg.exe
        
        C:\Windows\system32\Bcbhmehg.exe
        42⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Bdbdgh32.exe
        
        C:\Windows\system32\Bdbdgh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Bnjipn32.exe
        
        C:\Windows\system32\Bnjipn32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Cfemdp32.exe
        
        C:\Windows\system32\Cfemdp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Cblniaii.exe
        
        C:\Windows\system32\Cblniaii.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Ckgogfmg.exe
        
        C:\Windows\system32\Ckgogfmg.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Cdpdpl32.exe
        
        C:\Windows\system32\Cdpdpl32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Cqfdem32.exe
        
        C:\Windows\system32\Cqfdem32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Dddmkkpb.exe
        
        C:\Windows\system32\Dddmkkpb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Dnmada32.exe
        
        C:\Windows\system32\Dnmada32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Djcbib32.exe
        
        C:\Windows\system32\Djcbib32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Dggcbf32.exe
        
        C:\Windows\system32\Dggcbf32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Dqpgll32.exe
        
        C:\Windows\system32\Dqpgll32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Djhldahb.exe
        
        C:\Windows\system32\Djhldahb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Dpedmhfi.exe
        
        C:\Windows\system32\Dpedmhfi.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Emieflec.exe
        
        C:\Windows\system32\Emieflec.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Enjand32.exe
        
        C:\Windows\system32\Enjand32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Eipekmjg.exe
        
        C:\Windows\system32\Eipekmjg.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\Enlncdio.exe
        
        C:\Windows\system32\Enlncdio.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Elpnmhgh.exe
        
        C:\Windows\system32\Elpnmhgh.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Eeicenni.exe
        
        C:\Windows\system32\Eeicenni.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Enagnc32.exe
        
        C:\Windows\system32\Enagnc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Eekpknlf.exe
        
        C:\Windows\system32\Eekpknlf.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Fmfdppia.exe
        
        C:\Windows\system32\Fmfdppia.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Fhlhmi32.exe
        
        C:\Windows\system32\Fhlhmi32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:272
        
        C:\Windows\SysWOW64\Fadmenpg.exe
        
        C:\Windows\system32\Fadmenpg.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Fjlaod32.exe
        
        C:\Windows\system32\Fjlaod32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Fpijgk32.exe
        
        C:\Windows\system32\Fpijgk32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Ffcbce32.exe
        
        C:\Windows\system32\Ffcbce32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Flpkll32.exe
        
        C:\Windows\system32\Flpkll32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Fooghg32.exe
        
        C:\Windows\system32\Fooghg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Foacmg32.exe
        
        C:\Windows\system32\Foacmg32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Gkgdbh32.exe
        
        C:\Windows\system32\Gkgdbh32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Gemhpq32.exe
        
        C:\Windows\system32\Gemhpq32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Goemhfco.exe
        
        C:\Windows\system32\Goemhfco.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Ghnaaljp.exe
        
        C:\Windows\system32\Ghnaaljp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Gaffja32.exe
        
        C:\Windows\system32\Gaffja32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        79⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 140
        80⤵
        Program crash
        
        PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbknb32.exe

Filesize
96KB

MD5
b720f01c9d0a5442a941fa0bf1bc8b05

SHA1
bb4bf833c3c719bb7ec9dfec6dbc003a0e6acf0a

SHA256
394cbb7b02cdc98e0dcf6398ea5bf1aa18af66d82b2395b7815ac38fcd90ce7f

SHA512
b8d445dd83fd4765419f3f480ccfb0e9c172cb293f6f92de1ef4a0e6df4d7e93cfbbe49075eff06e96b29a2b50c2d5eff1d67f8e3f4388c41d59feb5bd5d506e

Download Submit
C:\Windows\SysWOW64\Akejdp32.exe

Filesize
96KB

MD5
5c8dcfc8bf62554dd6f2ecabd14fc14d

SHA1
a5994104d32ba20b1b58c246ea9f157f3466c264

SHA256
7d32bed18de0e5e1b2ff0ccf460d7bb8d3e571a7e5cb582afeb193e40a1b8f0b

SHA512
bfb098cc22524c9f5c0cf99cd1a067d01cf525b844781aba58726fd73aef893d6827a5346268d53ec17af9cb66ccd2bbdf45a1226131f5dbd9844a0ac450e3d3

Download Submit
C:\Windows\SysWOW64\Alicahno.exe

Filesize
96KB

MD5
69ac0722a59944cea4843f4932594168

SHA1
d80997b9b9a12f502c8a1fbf67cbe43acd354b48

SHA256
915265ee7f924ce66701089f92580e19692858d3abb68ffdf47d5bb706e04611

SHA512
a20357fa3cd57966747d02dff2c765897a9685b7555fa49422f1d40e88445b3eca214dc76899737a961b666f04aadf273e75c86268066269eb5706b426149d18

Download Submit
C:\Windows\SysWOW64\Amaiklki.exe

Filesize
96KB

MD5
2289f8a471a6fd742df28bdbb56a2c54

SHA1
b146a300e971b36d8b11e90123d7d5ca5d24374b

SHA256
1df5670940a18f1acb47ab12be5c2c9aac9f73ea049fac1e2e08575daadde667

SHA512
154c58add16da9022d3096f34e5bdb84588e8c879073b4dda557cc736c3a7552cc89c6ed58863a94a79fe336a64a399388d758ae1369531085b19374a2053dce

Download Submit
C:\Windows\SysWOW64\Aoilcc32.exe

Filesize
96KB

MD5
c906ed89bd8852c60248a60c25f2dc76

SHA1
57aca0ea2881a9a2bd926abe8dd8fc28963b073a

SHA256
7827044f57dda359eb5b007f80a0d406d3c29bc2b45b775bdec161a8f14ec24e

SHA512
7f17e9a8f9cd3d72d551ba66a9253e757077ef309ac38e20ca5ed874e58c21544c94b80a796a8a47f2a15487ac342b0a0a9d8aac239141327b2590c3e8aa3887

Download Submit
C:\Windows\SysWOW64\Bcbhmehg.exe

Filesize
96KB

MD5
681468bebe7a3754ffbd036831fb6eda

SHA1
04ad334a9f6bc80ac6e364909f51fb589b5ed370

SHA256
efb10e96a8a2f972b5740523b879ecde7db4336488163d652d94847fb86c9178

SHA512
881f2f1125303d410148e340a550be3f5838bd93e34d399e8bcb05361b6fe55716c3cf5279d1136f027c355d9cba4d490698808088230e4603cac46811e60bf8

Download Submit
C:\Windows\SysWOW64\Bdbdgh32.exe

Filesize
96KB

MD5
4579acec7329422e2f0e09c32327c373

SHA1
bab0ec96b4213630a626ed93412cce86f50ec837

SHA256
0489751e0fe3012ae64dfffe9c0377331eef5078a34223f452819c735ee858ef

SHA512
3620531d5a225e30041d3dd62d2e6da191698a88ff90c71510162a591b5e3d86cb0df1c2f86616fab0fb6c39b06fdca8ab3d2d08594ea8b7144bf956dc68c8c4

Download Submit
C:\Windows\SysWOW64\Bkgchckl.exe

Filesize
96KB

MD5
cbd14125c8e0b9de6eb133c64f7f24a9

SHA1
50f333a26b7df04a1eced853c7c8a414a89ed245

SHA256
600c5cf27d860fdaee631f01372d6abede5237053c398a05cf345304b5f75238

SHA512
6dd5af4728d7523c614a2b9641efb2dbc178c862f0f38cf7d07fba222b3386c88e9b78bb2f49d6b0738a7be2915db304c4ededd9410ebdf57e95db713d20e8af

Download Submit
C:\Windows\SysWOW64\Bnafjo32.exe

Filesize
96KB

MD5
a492eac98613886b3fa7afb5710595a7

SHA1
9f24b716027942fa6f15ab8ccafba5441cb52dbb

SHA256
f3b823b2c41734e3f991a8c2131567f7ba894d2b3f887daa9bb848010f344a75

SHA512
3fc1e29807aa3352f065c018028e089189d92a66688221ef449c247f7107dd54ae1b14a4d046fb35b0e6591ec082eeeb863131d977a88eea141b1b5ae4723ec9

Download Submit
C:\Windows\SysWOW64\Bnjipn32.exe

Filesize
96KB

MD5
d691443d5e3895bb4fb0f72e349b0d03

SHA1
68b5ecaf8296bd32cd07feece71f0ea6eed13607

SHA256
a1eca1d7493b47c43e971125c0897ecd9b962957f5e8dd8f020015c89e6fcac5

SHA512
3952104b2167d38c1cd04c3b213e44142261377e876962b5b7fc95f3e3e53d6ddd5ea669500888df069188e3aa45d648e60b86df91f60d19c2d104e71be67d4c

Download Submit
C:\Windows\SysWOW64\Cblniaii.exe

Filesize
96KB

MD5
856b629d46f1ccf724afc927032e6b87

SHA1
10d5a14802dc8c2344baae16b28a6980be66ebe2

SHA256
983dbd83e30b525fbc2c55d29aeecbaf6f8de741a0a5583256c81e0933bff5f0

SHA512
a12d5a0797c66e24e22d985db8cb1b2a00eb256fc1e62928d46b48f23ee8c35b24493d8c866892397a04826c23dfd9987df88cce7c4b9bf89af622282b27f401

Download Submit
C:\Windows\SysWOW64\Cdpdpl32.exe

Filesize
96KB

MD5
752a7d74c58695083c7c0aa279e96d3a

SHA1
0f142b645eab1bf3f5c856fcdd12597e2b294674

SHA256
1d27611f7edccf1a61e9ae3f14d2aab50bc8f2d0bcb00c1af2030ea8793451ca

SHA512
d542e11689eb4cb90aaf035df7cf50da018d85ac24b384550c520d04c57011f163c07b622f4830a6d6d619c8ad8d8eb3c75e44d80c4e234383da81e233f86315

Download Submit
C:\Windows\SysWOW64\Cfemdp32.exe

Filesize
96KB

MD5
701fc2b1bf50d1cbf1bf0522eff3490f

SHA1
dc90b94848dba47d5a9ec79a94bfcb6aba55490b

SHA256
5017afefe2f5d3571c25b310c599f61a9505055aedf63c592bc1e37d4bd5d061

SHA512
b2587dfc8d2c3a61c225bb3ffabe393f6e808d91bb5f33aec8ea963415e0af14c528ad451eb90256fab571b45105b69ec4699763b3f68fe4490e6bfff52ee15b

Download Submit
C:\Windows\SysWOW64\Ckgogfmg.exe

Filesize
96KB

MD5
1bd0c9224eec1fb6160fca159c009902

SHA1
5bfd22f8aa2bf539725313a992c0d55979c36c1f

SHA256
987492c28e8938330c4d776c4427ede2975dbc8fbf848d914413b2629daada17

SHA512
4663615c36b1fe915271fbf0a8595bea58764ca551c3f0a624f50cadb2c4c1dd032382d46c6c31c744c6360ad1019d9f80269bd74dea507c52d5da97d908d081

Download Submit
C:\Windows\SysWOW64\Cqfdem32.exe

Filesize
96KB

MD5
52796f692f5748794af641f4dbbdeaf1

SHA1
82a96f7a3ae0cc5c1bd52bb399f76101e8310f19

SHA256
1123869c9aace0236ecc4389a98d57346984584447f12dd3bad260d33e575b2a

SHA512
f52af61bb7df9b857e35668030be271a200732396258206189f654718acfee5b8433b8aab6fae91aa7976bb1a59503436a745a0658c67ff011509426e94403d6

Download Submit
C:\Windows\SysWOW64\Dddmkkpb.exe

Filesize
96KB

MD5
33427e4c88e9ee3fac48dfc28222944d

SHA1
9a5516bab7c85305b8589cd1361afc10f1ce5c8b

SHA256
ce463fc8f3dbb16d8657f089ec07703e90f27bff6fb839ff93b3f3ea658008fa

SHA512
5d5ef966d352b5479cc9e75d49864b82511157a25cfc309656e98c23cbe37cef4149637fe568765878fa573ec7facf2f317827eed175fc6118941458bdfefeac

Download Submit
C:\Windows\SysWOW64\Dggcbf32.exe

Filesize
96KB

MD5
52169a8235024d3377aea3b3e34287d2

SHA1
bf53238efeec4ea3804cee51e1081116b4ea0538

SHA256
d96d1a8cb1367e828cf591bac083c92579ace38b4a09bdf26f5850d3b065ba14

SHA512
698009380bc88e15efe577efbdc420aaa62e32f8bdad8651d6afcc303d0038e3e01ccb87db99472b3f6ddf0942ca950129b46db1e3db7ece4529236c2fe57ffb

Download Submit
C:\Windows\SysWOW64\Djcbib32.exe

Filesize
96KB

MD5
e7f63ab75689a2757497dc5b8cf0f358

SHA1
d90cb351debfe24a5c911408f5c58896dd485fb4

SHA256
d3d7937c115c10967ed1aa2810c266134bb52f5e4781395d5c91431839d3525c

SHA512
219becf01ac0d95c2fa40d1b959b5d4f33101cfeb2feb2976dad00f3707d12905502272c8b9c54044c26bff44f7b87038d7ac2933ba1968572d13104dcb61a97

Download Submit
C:\Windows\SysWOW64\Djhldahb.exe

Filesize
96KB

MD5
7c7f66e0436524262457cd66f07e7351

SHA1
0972bf6f24f357b892a72c296b47bf17fcf33e9b

SHA256
30d23c2e66098e631d5d6277a55ae437157b7c733fa0e4f301c3f99e8cbe0a0c

SHA512
46d536fafc11c223fe95bb7d8ec733d4607463077eeb7c9418169a0c38a288c27a2cbcf0709bffa37d216f9408623a584774d538f8916eee950c585e663c2c98

Download Submit
C:\Windows\SysWOW64\Dnmada32.exe

Filesize
96KB

MD5
e7d49036a0fd71d8a05aa60b161e772b

SHA1
2af88a7cfa569015b9647b04e8e2f642561a492f

SHA256
39b7dab02ce7adc17b0d40adce7a3523b0522edaf6625460eb85d01fba7cb0b6

SHA512
fefea462329c38cf229628677d1e241f9384302399db61335a1810710866bd935cac49e92a80b346e3154e2976918643a4e2000fea854a6aa9b605c5cec2fbb4

Download Submit
C:\Windows\SysWOW64\Dpedmhfi.exe

Filesize
96KB

MD5
4ba5c5a62cfc2574c7b78b894abb46b5

SHA1
4310cff2d57ccab292fe813903dbbd71ccad76f4

SHA256
3ec4325732bf2a92a4cac4e03ab9438237fd58b55ae521aafff42f87a3463b02

SHA512
d130006938371589c04ebc053e2fdd71b1fd33017c14ed90388c96fc18eaaf092930d70f101cb9ec0117486a4c5e18de68aad995582a8bd278bbd3332f79177b

Download Submit
C:\Windows\SysWOW64\Dqpgll32.exe

Filesize
96KB

MD5
97b810acd652fb9b792d48b899c90720

SHA1
4ead28360fb4e932cb9ea8563903b46ffd076e33

SHA256
17efad382db33dcbbc5f9a869784dcba8f6d773aec2379447bc60847d6b5c938

SHA512
281edf6fd9039b3abeedba07db42ca5f8761456efe09f6ca3f7e6d625c578fe07068c21090a5cfc3c40566c04354fe5e7c9682e432032ffef8dd0f53dbc62abc

Download Submit
C:\Windows\SysWOW64\Eeicenni.exe

Filesize
96KB

MD5
9e6b88da294c9b83f88d6f910135d8c7

SHA1
847909bce55d2bf701f06011c3ae8586cf2023dc

SHA256
95db03368022840d0fe3f348ae137d8c1d0196ba18b020f8805459aee470abc7

SHA512
489353cd50ab2fda5da0c7ae7208068d4b791db9c1995f716679b6cd0c3f8e63f4c2ae8244330558e5c6af7646d23f9e5669851371f990bd01217b8292745026

Download Submit
C:\Windows\SysWOW64\Eekpknlf.exe

Filesize
96KB

MD5
935aa94202bce89fbc32400ba7c7760a

SHA1
ace773c5b975d588463960981324fd7531b932d1

SHA256
3c96ce349befe7b95dca450eb418153f8ec7e861fbbf83a5ffcb6034817f10ab

SHA512
6644d6047c13da0ff7bf11576ebfe0888c2b2209e3279f987688d30e7944f60b8a798ddc41c8c477a59de2f3514834fcf7a6b7e8edc556b295eb0e608bfcca27

Download Submit
C:\Windows\SysWOW64\Eipekmjg.exe

Filesize
96KB

MD5
ff36d88b302a1ad0aa5b10a26d24ac2c

SHA1
1b302e0327c0f3b4021d41fc3795bbad942522b3

SHA256
8647b5e17e12f9582fde796a01aa0ec222e000a12989ca0b3a9fb1b4d585a157

SHA512
9ea7f1c42de75a33045262b32f75c02758b55c229cb210e35351b0f7bb80cb57ac45917f91d93d4ca3a6eedf3c96edde7505b1ae16f4df380054ebe9f110eeb5

Download Submit
C:\Windows\SysWOW64\Elpnmhgh.exe

Filesize
96KB

MD5
3b107d7f182285197c6ffca5136029d6

SHA1
df2f97d68bf12c06e7b9bbcbfc983e22ce087ea3

SHA256
8d80602e1ed9da26c8175ebb96b80e6cfbddcd0b56918adac2509c122313327d

SHA512
8ec383a7105abcd2dd12a78363bc99667727618a55b2f4b525569c6fc534959b40a1e2f142906212dfd394e3aa64926d991b957cf97175dbccc6ae26ea02a488

Download Submit
C:\Windows\SysWOW64\Emieflec.exe

Filesize
96KB

MD5
363dcf1d54ebe8786bf95f9aa6fc6d82

SHA1
d73a4012699797564bac104eb6e1d3248a2950d4

SHA256
11418c47c0415008d848020c546f86f74baced9a448d69882de5d62911b1a911

SHA512
f97b490ef437aaa2d8f0329a1608d820b390c1edcc7f7f807c5eb36168a1e741e794da65150668fb2c7ef46046b81c8119b016ca52514932cefe441e5923a6f9

Download Submit
C:\Windows\SysWOW64\Enagnc32.exe

Filesize
96KB

MD5
eda2c03ba86a1d913c8855e3b7f9257a

SHA1
eb7ad061a08484e05801f15727817bb498335578

SHA256
c19f346ea42b83d89fb1a28e8eabcb8d6f667baf118f83c22ca8e3d596819840

SHA512
72964972ce930f11af68d255d670c7687d4523ea489a49ee6fe002749d6e8aa99f67a1eeeb364ece34914d5865b725dff2f77bc96142ec1fa505201966fcc02b

Download Submit
C:\Windows\SysWOW64\Enjand32.exe

Filesize
96KB

MD5
b0efcfe7fd7cfca6f0124a293ce7ebb8

SHA1
5980c2ad0ba332c7ee233167a2a2fe59b6392075

SHA256
a8e531ec9a397ff678572258b012bba300e3941b4ebdf39a3ce3507b9d96ccc4

SHA512
68572968adc8f048ec972743eeee73020b2311ef73689bcaed25a47990e641d6913233b338380ec51642a48b4b475fd4dd4c2f821ee7ee3fd32573ce712b08a2

Download Submit
C:\Windows\SysWOW64\Enlncdio.exe

Filesize
96KB

MD5
3fb7271bc4a4b5788be8e6f234b9d97d

SHA1
3574bd95052cb62573158d34634931d26fefc6a9

SHA256
0edf2aa362f034ec29c649af144d8a7f34aeaaf76941357ffa5878813621b8ac

SHA512
6076e21c6f319abe7ff83acb1858b0ebf30ecf87700bbc684afe1033351d49de04ddf342f079f2bf88e63551167e5d28ee73f1051cd5e32edecd9321a9f99fbd

Download Submit
C:\Windows\SysWOW64\Fadmenpg.exe

Filesize
96KB

MD5
e2128accc35b9e9607bb703dd6b5a091

SHA1
50701eae01f01d59b99101cedea99748c765eb8c

SHA256
f3d590e4006a08c8df27cc2f9431e589bf889f7394979198908686f5927edd22

SHA512
4a346e85aedd4c8be475903e733e42b75ea90c6b30c103f6caa54c117507688043cbe8d110c7ea6ce12ca8587e3a87c5a48edffaaddb31192c494b24ce2de65e

Download Submit
C:\Windows\SysWOW64\Ffcbce32.exe

Filesize
96KB

MD5
015e03b0907ad8d8c7508eed4930ec43

SHA1
efd7d15ba6aaadddc15c72c4137362500ef2c6fb

SHA256
28f7b39e3f7a449cb52f17fa5750b317baf102d14f747eaab810da9cd5b10fbf

SHA512
9d4099809b20364462abc48ba64f858eb2ccca2c03514b62d0def374cd8e8224632ed6bba1dd61dd62859723529a53ae065f6787a8050dfe79fb0692b5603ac3

Download Submit
C:\Windows\SysWOW64\Fhlhmi32.exe

Filesize
96KB

MD5
fa4f304d721007977612f2788e490f4f

SHA1
c5d787e928b20f8d7a3f1a83266cede90e142267

SHA256
52c6db65adcaece361c6f732ec5a63c13c5a1166a5c2bd0a09c82223a1242087

SHA512
512a73bff58acd0dd35fbe8037c1c19eb964aa22751bb48e302e2fbdbd07a240828b55eba1194345dcf9c24536787b4c4975f9254104639bdb6b72d791970aeb

Download Submit
C:\Windows\SysWOW64\Fjlaod32.exe

Filesize
96KB

MD5
220c4e7cdc882ec3977d751e8adf578e

SHA1
c7375a66387a53918c93ccb53dd2e23c73430f71

SHA256
5ba5bdeb51fce97f78f6c498738a11089403bc2fc471c2ae16bf4d000b48ff45

SHA512
0b8f0c1c7a9df2f438dd9a8a917c0307de63e73f64cda6de8d48b4d829c6af2f889888370d13354b9c937ca89aab73511ef298675feb5b4a002e1e6c29d52318

Download Submit
C:\Windows\SysWOW64\Flpkll32.exe

Filesize
96KB

MD5
220856d63fb251fad00cbfbf760975cf

SHA1
c5a77388a1481c84a078e313b34015e162832fd4

SHA256
92fdfa61477ae6d4fee9bac9998110c846d878007ee252a113976100279725d2

SHA512
438e1df32ca3a510fb3d0eb2c6621d6fd64e1438428ed40709cdf511cc749470b6bea2ef7237131358c8bd5fcbad8f2455beb8bb85fcb8095104684d7dd40ddc

Download Submit
C:\Windows\SysWOW64\Fmfdppia.exe

Filesize
96KB

MD5
e7363009ba8491338b10fe2458ef55eb

SHA1
80afab309f39634d46350979f32b9cdb6522129e

SHA256
ab81d77db7a3a5ee802568e41c1b79c17c29d8f043ba8c79f335817e9d30e8f8

SHA512
dedb117656aa4585800b336d3e1f2309a2c1beb1ae8f199f8fbc4326603132d1b4cae72539f95884d63f78c76a01a92fc231a74d41a2516747f0e303235c2c3a

Download Submit
C:\Windows\SysWOW64\Foacmg32.exe

Filesize
96KB

MD5
b1545048e1c08b9c6c3314baf6e29e61

SHA1
0f6aa9111375dbef34577adc06acc29127eb0fae

SHA256
56fe8f5561bcba8a0e6bca14b09771011069669131494a7267d770b8ad3accff

SHA512
879a28e466c7230bc16d4e5e1ebcd1f34e46e9be4b91bc1f55a31a61796f7627854270b3c7a6f8efba18c7ae7777b654eaa5ca0dac5eb111747c07e19a21d411

Download Submit
C:\Windows\SysWOW64\Fooghg32.exe

Filesize
96KB

MD5
bc3157f72688bc4851f807ef234bacf8

SHA1
e3ffd4a8e8d211e269e86e8c87c2497fe45bcb52

SHA256
b5ad769fff08ac024c7482cc2ba2ff39db3a71998ef8040dca3d0927c9ba134e

SHA512
87056c19b2af88c2a1e3fcd0063c8cbbd1f80ccc25a075349c7a756eaa815326fc6f08d93531f6d3fd5effeba85d97979a05998525bf4be38faea3560131869c

Download Submit
C:\Windows\SysWOW64\Fpijgk32.exe

Filesize
96KB

MD5
c91643b2134f8b047c5b114482e93a7f

SHA1
c77fbb0229248d35d11093ac8af5a7acde71caf0

SHA256
0518c6e35f6c90f0f9ef5818df30ec3f0a75353b3ac5dbd33d4c3e839a095792

SHA512
90bcc9468535a2763b7b652a516fe17fbd9a95fc3b3a7c87d4ffa5a7a0739d051b971d468b209e764559bdb8e37a245f065e5201d9d44f3e17518933a9a59d6d

Download Submit
C:\Windows\SysWOW64\Gaffja32.exe

Filesize
96KB

MD5
840a6a9d958cd4a58c47b29b53013154

SHA1
ba6ad890a9f4c3a0a3e73f2daae60b13f8cb9acc

SHA256
d859250dbc2a26bf7e136548efb7b1dc129674519b6d4d0295d3b7fe05e0520f

SHA512
4a55e23378071d0c4a83c6b044b2e0013ee4694e2501946d6a8fd531cff3318ba2ab4678db79654de767c70fb9eab6007b18f69f214eb5fba7912b01ec161220

Download Submit
C:\Windows\SysWOW64\Gemhpq32.exe

Filesize
96KB

MD5
6f037de1cf1e70dcaa4bb32555aca50f

SHA1
854bccda8333b46cf0deef550f96bf68ba5a090b

SHA256
d06f6d27e2f8c28622b615638f048d0dfabc1893b777dcedda469bd6fc96e543

SHA512
4f2eec25d127537ec87e60d5eb81dcabbd193a566d5ef733ced23f53a70622e1a00b1d9de6385a6be152d4340ab4a0b041b5664bc643205df63f139dce1ed60d

Download Submit
C:\Windows\SysWOW64\Ghnaaljp.exe

Filesize
96KB

MD5
19d203024e2204662c20bd8d00638c42

SHA1
020f0d2dba4a7349bd7568e342392a2224a89e5b

SHA256
7f292f85a700b97dcad8c1b13382e9103e5e4aaf99e85cef8d50916aaeaf499d

SHA512
82469f711e324b010e7065e72efb7d71464a2fcd2799eb2aa5befea198f195827e6107ef957f28de68c762106432bebe0b229d208d7a8db5828d7c512480c805

Download Submit
C:\Windows\SysWOW64\Gkgdbh32.exe

Filesize
96KB

MD5
d098af3ef9e6ed072ca93c24742a99c2

SHA1
c3f7e0542b815404a6cb0a991a7cfbe13f3c68a3

SHA256
1f3af931480f3778eccf7996a5fabd60950b5ffe030a0f2a87e11425b8d79556

SHA512
18a7b8dc8661323a39fcf5f971df46c80a88c0bda878284a27f1c0ef7690dcf2d7a7294332157d40f4253ac7d782f86037cb26d57ee94f320215b2b962a65b17

Download Submit
C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
96KB

MD5
3e68d30ad4c22c1bbeb17122e51bf4dd

SHA1
26c757bce4dca9b00cc99161ea9467efbed0e01e

SHA256
46ba7137412ba54c2091163cd6c935a19bf59ff248d1f01858c135e1e884ffd7

SHA512
4e77be3ca790dac391c71af2bf09ff0503933947abc4e05ba411d651b86086d0df45777ebf10d1ff5449ee1813490959def544c1b7a1cd5034c027ae8fea6b43

Download Submit
C:\Windows\SysWOW64\Goemhfco.exe

Filesize
96KB

MD5
09ad849a2bbade9641f05e4b3ac1275f

SHA1
f196e2fcd8085f8eb4c3523badcec7619ee7a0c1

SHA256
48e25788033878f815ad37b09705df033fecb180e6e8bb1cf4592b39452ef482

SHA512
f30a2f8a67fb36ac458825e26cdfc492587e31ae75b847ced9316c8a971252f6dafb1885e62f3af6131a003fe3b27ab364fa55450ea4303a3aa9bb7d8d465d46

Download Submit
C:\Windows\SysWOW64\Kiojqfdp.exe

Filesize
96KB

MD5
f05174ad250e7411cb61f637588c20ba

SHA1
a71a13827a86a1441a43369deea8ba156c32d577

SHA256
a6f7a4e26f7a506346359130c64b241ca0d59c2cb80a22798f06c836013b5b19

SHA512
d86f9dc3a842c9ef94012f162cf33ca9f392651c3845657472109e3655bb3336923eda14b6b19166cc0327440abc6103b432a71ddbead6d5b2e090a55237ee12

Download Submit
C:\Windows\SysWOW64\Kjdpcnfi.exe

Filesize
96KB

MD5
f5a52226dc6e73999506f5110e3d0fcc

SHA1
6ba7d5b4f656529b6cf2f646a890a23a90b19934

SHA256
b3ea20724ac361e7ecf5876b00581aa4e65a9f50e61a0ccbb0e47f0ba2985519

SHA512
61f1bba2e5b68ba85dc4dee187470c80d522368bcce2a40d27d08b627efa83e0a1b7ce964f4cbecdd477e6c0dfb12556b9bd845fb08cb4552c5fdbf02eb9600f

Download Submit
C:\Windows\SysWOW64\Mdajff32.exe

Filesize
96KB

MD5
dc9bad563a6cda1cbc7d438d9b3ef674

SHA1
579ad409ab8b8e14321ac24d0277af8ca6b81e5e

SHA256
2a724c2ed71deb9b87fed7deff6833d23e7d51e4bf9637510007fce9e2cd2319

SHA512
96e04e0c82cd8c851131de9001bb476760b8e66e21c246d4b27ea1913710dc930d5d2d739a835a87c292aef6808ff933bebd6648bffa90141fdbc4d9233a2af3

Download Submit
C:\Windows\SysWOW64\Ncdciq32.exe

Filesize
96KB

MD5
0b051244fb02a17305ed9002d7d9c93f

SHA1
eb4162bdd88411d163d0e68e43e31ca2fe9742f6

SHA256
700891efe2e32696881fc1983393977060672aa697f63afb4898c4158c8452c2

SHA512
59a5eff4f72cdea695d987f54744d7d1bdaa76a111bcad1aba053a70b54e27b14714f8fd8ecafa036386c28d69068856dab150ca365476a2424ddcd57a42f4b6

Download Submit
C:\Windows\SysWOW64\Nmmgafjh.exe

Filesize
96KB

MD5
7d9b39b2fb00b0ac0984724a839add84

SHA1
58916ee4a1b926d591351a9895b6c485f1dace6a

SHA256
557bf22d4863059646eebee95caae6bed9c4b67b266dd6ef363e1dde9a5baa3c

SHA512
dbd74fd69b8032a5aa0d7e0975a6cb3010e296cd76c7793698bc882670a9b8a53d3b5dcf4e92d28152d8e2d8aa25420170fbc421dcd823a6933e796931d2685a

Download Submit
C:\Windows\SysWOW64\Oahpahel.exe

Filesize
96KB

MD5
c0c20a070a83c18c4d3cbf0bbd5199cf

SHA1
18577d331d7dac58f7d800d4d4dc93072cb98cb0

SHA256
4d5755f81dbf4da1c07cb26fe0641092d87e177f5f3fbf69ae7b1834e8f3b184

SHA512
c94c442b8dee1c9fbb4bd973cc755d54e67fedae394f44210e97f2fa76a08e5cebd8eb656d91af79300a36dcbe4a4db424f70e81439e70ad430a18f447d51ab2

Download Submit
C:\Windows\SysWOW64\Oemfahcn.exe

Filesize
96KB

MD5
1d27fce4419e608b76106d48949cb25c

SHA1
b825f4677984ec8c724e8cacd745fb8cb75bb712

SHA256
2b9d27202cbd2f557f89b7b1538b0e65a1a82fa626b44ac7a4ccce5ec6b4f791

SHA512
7c39bfbb03ad79aeb85360a2bde944078d56bf929532d0fac4188c8a4f46777099bcad188b3604596f05541c8de28f2b098d849eca4f72a3c8e209d8dd96deca

Download Submit
C:\Windows\SysWOW64\Ofqonp32.exe

Filesize
96KB

MD5
19b3349e6bdf955291d1dcfd3ef89a8e

SHA1
ddb7303c42d8ad95ad4c5984b0d8d17611b77ec1

SHA256
735b7a5970b977dd7709219c1ae6428c35fb31598aeb1b968450dfe605680720

SHA512
a9617b537f4077a722c6e34cf70895573fea71bebe65b5fa7d966dd9b136f073b1d1d16b7923daab55ba2e466659d63c1ae21a97634d9f90db81d0ef816b5df3

Download Submit
C:\Windows\SysWOW64\Ogpkhb32.exe

Filesize
96KB

MD5
b17b6ac755ed31c71e063a619ab1b6dd

SHA1
2e7c476dc64b02b38658fd1148fcf4ce0ef361ed

SHA256
35a068e99505f7fa1abfda180e2d8b23020098ce126cf29bf35cc82d7ef3c889

SHA512
bc24890fda412b1c9310140de1026980e90856087107b03e558fc252c2fa563acdd79d97440ee726a4dc8cb1e28b0915ee63c132e5a4bcd5c88fe646b29d3ca5

Download Submit
C:\Windows\SysWOW64\Oifelfni.exe

Filesize
96KB

MD5
cd163a8632664ef923a04020e0d20793

SHA1
426526ae6c45575e312ec089a86c04f947489f9a

SHA256
e4dc51c6e5d879394b92ea6bc5296f4a0692b2aa9c8eee24b7b953fa9ae4d226

SHA512
8cd5cd9af3139725fe8846db18c7678bdbfbf7d2a920d8e87142013eabacdf4182df72128c7df403de08d52f3fbdcd0a29d57a3a7118630d2b3ba1cc9969d41a

Download Submit
C:\Windows\SysWOW64\Ojgado32.exe

Filesize
96KB

MD5
e7c24ac31c8f533c736d71d94a632af7

SHA1
ed32d1ac40d432740bd704ef672cb019b1517d2f

SHA256
f16e94ba51b652771211aa49360fa9d6fc2563dd8313f6c50e37e8511480ad74

SHA512
1c7b735c729f1131110ff2779e24b8223d314ffaba92a623f27ffa11d2584242652f5f62f97434fc86551ac1c68e06972377a6fb850a4c16d8cec68ee9e1e43c

Download Submit
C:\Windows\SysWOW64\Ojjnioae.exe

Filesize
96KB

MD5
45a61711b3238697ee0c6b791e5ae023

SHA1
5d2c8a71b6015fd6cc962a1aa4c764b6202d8c85

SHA256
a1cc1dec6c783861d245aef3bdf9e42245a3d6edc2f9677208c7440c072d0177

SHA512
7845d76d65333b0abc6a0f95dfb26a53bb488bc71c0daa3103c18d99c05758695807f0af07688412bf8111c1c74bd050ffcfdb8c67fec27119fd0b23a7133be5

Download Submit
C:\Windows\SysWOW64\Onqaonnc.exe

Filesize
96KB

MD5
7886bbf30dff53f520c3834f304f4f14

SHA1
9a0eb0ca9e901fa49a12076909ce119b571effb5

SHA256
18cafdf77c4b29ae8f197174cc0c8fe4b7c5e92d8907483bbc246b40454c0d9c

SHA512
4700d2eac94d45ee32f2a27b87927a5e8f881c2c312d654e442439d7a94c2c34b06ef27ce4b41305b215842d2d2dbea80dc089c8d4302681eceeccad7ba98540

Download Submit
C:\Windows\SysWOW64\Pblinp32.exe

Filesize
96KB

MD5
36bb4fdd3230f6d4c4506e2b07968dc8

SHA1
33a8edf170ed98f1756eb6248f04c84c4dec59ba

SHA256
1257043ba5e5c400c2bb52781d835dfa1fcda169ee5c0086f6991c4b84218eee

SHA512
64b5d725105a6ed13e62a9f99a9de50778b9bf55c6db88b400c00f1aa23f86739b83694378dac55e7716627dd27e9d0cc41ec64c40a17efceca7434731e12cc3

Download Submit
C:\Windows\SysWOW64\Phphgf32.exe

Filesize
96KB

MD5
5bf69e85148102bbd34ac916972a0e7d

SHA1
fb116bcbee6470fa8b0351f576e43503cc006ebb

SHA256
41c5e1e57b3159ab16c33d5581e372fafa119f7903d799fb3367d294c2188a2d

SHA512
53c27d18a464a3d8e932051d513f2f3dc9af0849fff74b35006454f87a0d2049580902cd764a5bfb3e81b8c32e52fbd796374a504bca526297265a30dbc66dcb

Download Submit
C:\Windows\SysWOW64\Pjlgna32.exe

Filesize
96KB

MD5
16a6ba76e79a3157d2ea783075e708a3

SHA1
c210790bb8c04487d38d290ae0ce62141a755458

SHA256
fe126cd35f90af675cb718d0e4cefda5d65b0ee4bc903bd7ea276658b6858fd1

SHA512
89f9db59a31ec89331725132698711a072a9d537bd2feab5369d9d1ce85c0da4d3999d89cd1a0a123411e4fce199d46b59ec776db80ac597fb5ffdc5d5694069

Download Submit
C:\Windows\SysWOW64\Pmamliin.exe

Filesize
96KB

MD5
fea6b9289bcc77cba62f47ca8169c25a

SHA1
39b172d3ea27d5fd48d7f6e9ea4b0b6793c583d6

SHA256
e103db31b912bf2b97bb5031fef530db9d1003254e6b9db108448ff923eb0669

SHA512
d23c621c81686000c249933861bcd25b1abaf0cf180c267ec897b65f1148bc823a585b56f8147d6b2a6fd5205740ee79fee558f4b64f5f121c434c26f26829ba

Download Submit
C:\Windows\SysWOW64\Pmmppm32.exe

Filesize
96KB

MD5
8e9c416582915f670e01ea44b97fcb74

SHA1
8fee09e35d3ef93e04d6a2764d871f7422d4f021

SHA256
94102c68a5aff1adc77eea990dd3630e892c363b9ac824e1d1fb2672c218f84b

SHA512
25c9e6929bef6a55c8c0b28ef0ce57fb34bb0901fc461432281c1cf18ae6a41b82149267493faee8bb74604e963e80fe70dd954cfe12305f4f987f6ecbd56ae2

Download Submit
C:\Windows\SysWOW64\Pnefiq32.exe

Filesize
96KB

MD5
4b65861d0a5119c014c5523caf60a69a

SHA1
931147b52976ba7178aef62c11e74c70dffd41ec

SHA256
8da3a74927e35d15444dd93059b270f942e15d70c7e69ecf9071c9f35f9dc6b4

SHA512
b081f37b645c8c3b89d2cf21c1b21a5854fd91f5b16b3b5d8d379a7f64c33ba529987ca907a14c43e43f52c5c5ed840e08e2c6c03ea24435e8cc4dda206cb5b1

Download Submit
C:\Windows\SysWOW64\Qmomelml.exe

Filesize
96KB

MD5
98df26d74654a9691c2ff3d3055df7c3

SHA1
349c1caddce60e8a99b587bb6c3b8adb1d4d3077

SHA256
02950ff7bbe5c7db2360bd5113c9ec9750e24d061724aa27fab91ca0154ded11

SHA512
d94a89108147825709d9658c09eb6521ffb9f0d91c102b5aa788ea40632048f8ff83c68de570ac9f49fa8f1ce27889d0798a5c2bfc23e540d9cd4cacb9ffff5e

Download Submit
\Windows\SysWOW64\Kbgnil32.exe

Filesize
96KB

MD5
c8a7845ba26deffaa4d0ca6aa5e23874

SHA1
f6bb339b0f5d9af1be7a97564950a16684ad2fb4

SHA256
19521c9557ae802bbca59bfd2899aa86a99428f2d4c381d2db2645e4a3737a1b

SHA512
14f38284afac0125997abfe9a836abe1f1c94369180410419cf379d04a94cc90a945c617be6edbda1ee10adaaabf3216a8b4de77aba632a9bfa2f23580943305

Download Submit
\Windows\SysWOW64\Kiafff32.exe

Filesize
96KB

MD5
1bfa6d92998febf862350394cad30c0e

SHA1
64477c5966bb75a28ae25b7ed1b787d2a6c19ddd

SHA256
39613d807443918e9d31c28c4fed9a4041bd735a524bd13eda1eff48d327595c

SHA512
47c25ce514e78a6a32865e10b45b88e712b4bf751654af5c0ba7813ae7edddb14d1995a59d51e4c2f66def84b67260c7eeab24c9b39143ad13e7580cfa376595

Download Submit
\Windows\SysWOW64\Kkiiom32.exe

Filesize
96KB

MD5
85b34e97053ed4b5ebb6f0e2d30478af

SHA1
f99ac7be72fe28d04b0b17b1026dafdbb1f786f7

SHA256
5e7f55ac3acb0edfd86e97494aab6c8b398712e6768ebe8775552e8377924420

SHA512
39f16dcaa42a9e180c1a2a47f7b831639858c3ca41645ac5026260d7851ed19d2f62c19ee80168c4f4f36802aa3a803d6bef0799323736d9a45c619c56ac6b13

Download Submit
\Windows\SysWOW64\Lcignoki.exe

Filesize
96KB

MD5
f0eddcc3282ad45b69832b44cd25600f

SHA1
99efea3ea7ae160021558e6e81257c62cc6502d3

SHA256
f621336cb703e6caf7850943761dc34d204f9d3085a26d0ced5267887e7f4b44

SHA512
d36393e5757df4133bc850e82104b88b156befe3237a84090b118c1d3c7b77c854dac3df41b4743fcb7c58c1acca39f0fac41f2920f895e86a719528a5e8c81a

Download Submit
\Windows\SysWOW64\Lcnqin32.exe

Filesize
96KB

MD5
e08d883e7895b9f3c6df7915909c4b1c

SHA1
6ae40bf7fdc423cbb73be3e0b2e95180a440722b

SHA256
cbb5358b900dd45ac6087c6b4e03320eabee1b854f79594d2c633d07a76c5320

SHA512
ccbbd8a7a751578c132c0c41081c3aafe083d681a841327c3a6f85677fb62527ed5e46d73bc5ca4ec63ef0c65090dfb1348a09b91ef318fc6f5af7b0d8c850f7

Download Submit
\Windows\SysWOW64\Lddjmb32.exe

Filesize
96KB

MD5
58bac56c8facaab5387e0d3dd12d9c1d

SHA1
b074da500ad1a1e670631b91711b6c7bea88ca32

SHA256
a405393e4135bdc19ae42262f97973d13409bc97d1326b6c7bd862a64bba3dc6

SHA512
b75aecfd5280504ed9af6c35e91dc1d1c34406bfddb1021c5136d915ca251728a1e308878fc80855f8422860e930c9f1921fa734d336d0d275092e281053328f

Download Submit
\Windows\SysWOW64\Lophcpam.exe

Filesize
96KB

MD5
ba7b25fde113b786338722d5f3a812b7

SHA1
1f265c5b75378158ccd7b9d81ab53f126a9a01e9

SHA256
a12b7d34a99b95e6e7c4db88a9388d70076d9aeb0cfc39c07d9b1522f0f87a1c

SHA512
27fd713079f890ad5ce8904cebd7c1fa7cb8a67d39bc3d72e3c2b7038e625c04cfa507865447559b90e27755b1763e2a3dbc720d89353b4da8210d5dfb7b0abf

Download Submit
\Windows\SysWOW64\Mgbcha32.exe

Filesize
96KB

MD5
55f0aabb899bcd839629376245594eae

SHA1
6b5bb5c5de83f87f521465219a3bbeba174f11f0

SHA256
d7d0aeed486cf2632f600e9739b71e073debd2390826175c3a794580d7db4ded

SHA512
f04885e2b227a37b1e50de9164e2ac0d8decdd4cfe838a2491cd53866a6c02763591ba66a0f787f4773d18b3b3d0a58dcf352e33c6940b341617bfbafb53a9a8

Download Submit
\Windows\SysWOW64\Mnqdpj32.exe

Filesize
96KB

MD5
fd8d7cd45985cc33b9b58f4c5e14b222

SHA1
d5cb4ff5087b569009de8eece04002ad73d81597

SHA256
643dfe36cffd9c3e2e54444820af59beae62602ade8ecb339b956b9d5feb99b3

SHA512
80a1d6e5414bb6cbcedc91f3b50246ea275d563e56d965bfb8071f5a6fac7f05a6db2ca79af8ef2a26ed33afc068611df7f2f672c0421c8fbd446dede1382f58

Download Submit
\Windows\SysWOW64\Mpjgag32.exe

Filesize
96KB

MD5
8dc5c9ebb2a2e56cf66343014261f3c4

SHA1
ae8f0d3f8add0bab0ef58a6e5d91a0229e72557a

SHA256
72d6bffa6df6c68a6fdc72160f9df69a8b33bcd0298fd837caacf170da059db0

SHA512
64cb1cbe9c9d0988232c174edd10dbdf54c4c264aaf6d23f30b78d167033e88524db2621790a1b885af145f36d8a83bd74f98d1499f13ff87414c5ff46038295

Download Submit
\Windows\SysWOW64\Mpmdff32.exe

Filesize
96KB

MD5
33e0949286a15cb9741f8daffe082070

SHA1
ae32e2e42bbbcea2a58f2354ab317ab418d3ef24

SHA256
c6e75c1b6751b9a3f7bf1df36bcaa85de1cb8863ebba1c5c3c2ee06c9735e999

SHA512
92e590a5c6a4c858be776a489d89519b2a6ea11c1f6ee10774e0609af7cc7b3469e41d5e59618185be49107638a5acecdd4186a98e660304b71107a9b1fedc43

Download Submit
\Windows\SysWOW64\Njjbjk32.exe

Filesize
96KB

MD5
619b26969dcea241e7e356d06d854465

SHA1
49d21f0bbf97700334e6a0e621bbfb4ae81f9ef2

SHA256
90344cbd72c16a9194202ae8193d722499ddcf0d777db9c168d5a99b92f398d2

SHA512
36acf39a37cb22c495457df1c3dafa8f7b61b7ef465892f914dca1ba4c375cc91c0d4f40ceddab3f06c9db08b4cf614dd43d8c01bf229eb79e59f89501215a25

Download Submit
\Windows\SysWOW64\Nqamaeii.exe

Filesize
96KB

MD5
35753a5fd47b11af295f5b1c19803e52

SHA1
5d78d53f47870585b7cd1a4b8b4436e64244ab3b

SHA256
e62e06b949d5a97f6c35bd32b13abd62ea3ad907df81f76e9286bf035f04dd55

SHA512
e999319f19a84b4193d6318277c8ce70e4c78b9f3cd1b6a951e0d2c2bb856458f2802a4bb363d5c0bd41efcf457e6ffe8eff776dd50ec14e0053d46c8abc9f92

Download Submit
memory/440-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/572-6-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/572-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-324-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/796-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-328-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/820-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-335-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1428-339-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1488-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-181-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1488-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-498-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1532-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-531-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/1752-532-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/1752-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-543-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1992-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-435-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1992-437-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2008-285-0x00000000003B0000-0x00000000003E3000-memory.dmp

Filesize
204KB

Download
memory/2008-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-286-0x00000000003B0000-0x00000000003E3000-memory.dmp

Filesize
204KB

Download
memory/2032-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-317-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2112-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-296-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2316-297-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2316-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-459-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2384-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-488-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2392-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-307-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2404-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-447-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2440-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-119-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2440-114-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2440-436-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2444-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-394-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2684-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-61-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2700-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-87-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2716-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-371-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2868-372-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2868-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-34-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2900-360-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2900-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-40-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2904-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-358-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2904-359-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2980-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-155-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2980-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-383-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3052-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-382-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads