berbew | 8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe
Size

93KB
MD5

b8aa2c79119e5226bee8a2baac798200
SHA1

6d454c4f35533ebcb95eb94f33001a0d8b632175
SHA256

8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2
SHA512

5e876f7ebc44639c3d03c69995da607598d5217bc2f90dc40945c27266c902fba81edf29b507aa2e65d4193a210d9f01debb8237aec5bb293f3ca546dc1d8f3e
SSDEEP

1536:D41n8AffidgBxTaq1BIQfbeOjp2wrxxbxxnxxbxxbxx1xx1xx1xx1rxxxxxxxxx1:6idixTamBRbzxxbxxnxxbxxbxx1xx1x1

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmamdkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnghdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqadmagh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqfmhacc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aamchpmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncoihfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqakfdek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnopcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnamib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqoggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnamib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepnqkai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjemgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npabof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bncqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Minglmdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqonpdgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhokgme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjjalepf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicdncn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfjmkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domldpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acicol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeioio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqcgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjqeoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmcqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkbagd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnphnke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcppimfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdgnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajoaqfjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfqmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcodf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgdfim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqdqbaee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dagoel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcdhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgjmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpgoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffkleae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeiojnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bappnpkh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbpoofo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifmn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pddmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeiojnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bappnpkh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dailkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnggk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbhocegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhdghc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnjejgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njlcmk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
3348	Llnggk32.exe
3536	Lbhocegl.exe
3656	Lefkpq32.exe
1148	Lmmcqn32.exe
3812	Lbjlid32.exe
3120	Liddfolf.exe
2148	Llbpbjlj.exe
3088	Lbmhod32.exe
4760	Lekekp32.exe
868	Mboeddad.exe
1780	Memapppg.exe
1368	Mlgjmi32.exe
4884	Mgmnjb32.exe
2660	Mljfbiea.exe
4980	Minglmdk.exe
3704	Mpgoig32.exe
216	Medgan32.exe
3152	Mlnpnh32.exe
2420	Mdehof32.exe
2164	Mgddka32.exe
4412	Mibpgm32.exe
384	Mplhdghc.exe
4876	Ngfqqa32.exe
1896	Nidmml32.exe
1840	Npoeif32.exe
3956	Ncmaeb32.exe
1340	Neknam32.exe
4372	Nnbebk32.exe
4268	Npabof32.exe
5088	Ngkjlpkj.exe
4184	Npcodf32.exe
3272	Njlcmk32.exe
5016	Nljoig32.exe
4548	Nlllof32.exe
3932	Ocfdlqmi.exe
2500	Ojplhkdf.exe
4992	Oloidfcj.exe
4112	Odfqecdl.exe
4340	Ogdmaocp.exe
4456	Onneoi32.exe
2168	Odhmkcbi.exe
1264	Ogfjgo32.exe
3448	Onqbdihj.exe
2972	Oqonpdgn.exe
924	Ogifmn32.exe
3544	Oncoihfg.exe
2548	Oqakfdek.exe
2700	Ogkcbn32.exe
1468	Pqcgkc32.exe
4580	Pgnphnke.exe
60	Pnghdh32.exe
4004	Pqfdac32.exe
2012	Pcdqmo32.exe
4128	Pnjejgpo.exe
1656	Pddmga32.exe
3036	Pfeiojnj.exe
3092	Pjqeoh32.exe
944	Pqknlbmp.exe
1128	Pgdfim32.exe
3592	Pnoneglj.exe
4608	Pqmjab32.exe
2736	Pggbnlbj.exe
2948	Pnakkf32.exe
2696	Qqoggb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oelfff32.dll	Oqakfdek.exe
File created	C:\Windows\SysWOW64\Ieaplbcc.dll	Aqdqbaee.exe
File opened for modification	C:\Windows\SysWOW64\Bhqnki32.exe	Bagfooep.exe
File created	C:\Windows\SysWOW64\Bjokgd32.exe	Bhqnki32.exe
File created	C:\Windows\SysWOW64\Llnggk32.exe	8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe
File opened for modification	C:\Windows\SysWOW64\Mpgoig32.exe	Minglmdk.exe
File created	C:\Windows\SysWOW64\Djkqof32.dll	Mgddka32.exe
File created	C:\Windows\SysWOW64\Oqakfdek.exe	Oncoihfg.exe
File created	C:\Windows\SysWOW64\Mldkjlpl.dll	Oloidfcj.exe
File opened for modification	C:\Windows\SysWOW64\Oncoihfg.exe	Ogifmn32.exe
File created	C:\Windows\SysWOW64\Bjjalepf.exe	Bfoelf32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfjmkc.exe	Cndinalo.exe
File created	C:\Windows\SysWOW64\Aamchpmk.exe	Ambgha32.exe
File created	C:\Windows\SysWOW64\Bfoelf32.exe	Benidnao.exe
File created	C:\Windows\SysWOW64\Clpghg32.dll	Dokpoq32.exe
File created	C:\Windows\SysWOW64\Kojdhh32.dll	Dailkl32.exe
File created	C:\Windows\SysWOW64\Liddfolf.exe	Lbjlid32.exe
File created	C:\Windows\SysWOW64\Odhmkcbi.exe	Onneoi32.exe
File created	C:\Windows\SysWOW64\Dddkqjen.dll	Pqcgkc32.exe
File opened for modification	C:\Windows\SysWOW64\Agpedkjp.exe	Aqfmhacc.exe
File created	C:\Windows\SysWOW64\Dhfqmf32.exe	Ddjemgal.exe
File created	C:\Windows\SysWOW64\Pqfdac32.exe	Pnghdh32.exe
File created	C:\Windows\SysWOW64\Cegooa32.dll	Aqfmhacc.exe
File opened for modification	C:\Windows\SysWOW64\Aqijmq32.exe	Ajoaqfjc.exe
File created	C:\Windows\SysWOW64\Fdkhpc32.dll	Baicdncn.exe
File opened for modification	C:\Windows\SysWOW64\Mdehof32.exe	Mlnpnh32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfqqa32.exe	Mplhdghc.exe
File created	C:\Windows\SysWOW64\Lilanhbp.dll	Ojplhkdf.exe
File created	C:\Windows\SysWOW64\Oqonpdgn.exe	Onqbdihj.exe
File opened for modification	C:\Windows\SysWOW64\Pggbnlbj.exe	Pqmjab32.exe
File opened for modification	C:\Windows\SysWOW64\Bfmhff32.exe	Bappnpkh.exe
File created	C:\Windows\SysWOW64\Npokka32.dll	Cnamib32.exe
File created	C:\Windows\SysWOW64\Dhokmgpm.exe	Cepnqkai.exe
File opened for modification	C:\Windows\SysWOW64\Lbhocegl.exe	Llnggk32.exe
File created	C:\Windows\SysWOW64\Mnbocibh.dll	Mlnpnh32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkjlpkj.exe	Npabof32.exe
File opened for modification	C:\Windows\SysWOW64\Pnjejgpo.exe	Pcdqmo32.exe
File created	C:\Windows\SysWOW64\Ogdmaocp.exe	Odfqecdl.exe
File opened for modification	C:\Windows\SysWOW64\Ogdmaocp.exe	Odfqecdl.exe
File created	C:\Windows\SysWOW64\Bcggopbf.dll	Agpedkjp.exe
File opened for modification	C:\Windows\SysWOW64\Acgfil32.exe	Aqijmq32.exe
File created	C:\Windows\SysWOW64\Ongbko32.dll	8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe
File created	C:\Windows\SysWOW64\Lbjlid32.exe	Lmmcqn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgmnjb32.exe	Mlgjmi32.exe
File opened for modification	C:\Windows\SysWOW64\Odfqecdl.exe	Oloidfcj.exe
File created	C:\Windows\SysWOW64\Bmpjpg32.dll	Aqijmq32.exe
File created	C:\Windows\SysWOW64\Kmohdknn.dll	Badiio32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfqmf32.exe	Ddjemgal.exe
File created	C:\Windows\SysWOW64\Bmkjnp32.exe	Bfabaf32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlid32.exe	Lmmcqn32.exe
File created	C:\Windows\SysWOW64\Llegpbnp.dll	Medgan32.exe
File created	C:\Windows\SysWOW64\Odfqecdl.exe	Oloidfcj.exe
File created	C:\Windows\SysWOW64\Pddmga32.exe	Pnjejgpo.exe
File created	C:\Windows\SysWOW64\Ejbnnpll.dll	Qcnccm32.exe
File created	C:\Windows\SysWOW64\Lmmcqn32.exe	Lefkpq32.exe
File created	C:\Windows\SysWOW64\Keqnmjbl.dll	Mplhdghc.exe
File created	C:\Windows\SysWOW64\Nnbebk32.exe	Neknam32.exe
File created	C:\Windows\SysWOW64\Nlllof32.exe	Nljoig32.exe
File opened for modification	C:\Windows\SysWOW64\Dalhqlbh.exe	Domldpcd.exe
File opened for modification	C:\Windows\SysWOW64\Medgan32.exe	Mpgoig32.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcbn32.exe	Oqakfdek.exe
File created	C:\Windows\SysWOW64\Hnnamhjg.dll	Pjqeoh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfoelf32.exe	Benidnao.exe
File created	C:\Windows\SysWOW64\Bappnpkh.exe	Aeioio32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5936	5852	WerFault.exe	214

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njlcmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnoneglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhdghc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npoeif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnbebk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhckqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chlngg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhcdhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bepeinol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkfhcdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anedfffb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdgnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnggk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddfolf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dagoel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dailkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odfqecdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anhaledo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagfooep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npabof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknlbmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bappnpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcioha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbpbjlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljfbiea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpgoig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgmnjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfoelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkjlpkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqijmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acicol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicdncn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnamib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeiojnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqadmagh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqfdac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agniok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnopcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepnqkai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celeel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfjmkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekekp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memapppg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajoaqfjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffkleae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfqmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minglmdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcodf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqcgkc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnphnke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbkkm32.dll"	Onneoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bepeinol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkiip32.dll"	Llnggk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmilige.dll"	Ngfqqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhqnki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dagoel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Domldpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afebeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhokgme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfmhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmlfgcq.dll"	Bjokgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhcdhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llnggk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhplg32.dll"	Mboeddad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfggia32.dll"	Oqonpdgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgqmpg32.dll"	Anhaledo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkbagd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aamchpmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpbmggk.dll"	Mljfbiea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keqnmjbl.dll"	Mplhdghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpqabb32.dll"	Nidmml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahhkpfm.dll"	Odhmkcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofhjebj.dll"	Qqoggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npokka32.dll"	Cnamib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlnpnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfpig32.dll"	Nlllof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odhmkcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnamhjg.dll"	Pjqeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnljnol.dll"	Acgfil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmebn32.dll"	Aamchpmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmfjh32.dll"	Memapppg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkjlpkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odfqecdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emcmheej.dll"	Onqbdihj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaplbcc.dll"	Aqdqbaee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbko32.dll"	8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Minglmdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjckan32.dll"	Ngkjlpkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgdfim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjhlpgpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhcdhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mboeddad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlgjmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgedglll.dll"	Oncoihfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemgbbfa.dll"	Pgnphnke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pddmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knobie32.dll"	Pqmjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlfciocm.dll"	Pggbnlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgfbo32.dll"	Bfoelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onneoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjemgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqfeclf.dll"	Cfhhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dokpoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqijmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llnggk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 3348	416	8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe	81
PID 416 wrote to memory of 3348	416	8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe	81
PID 416 wrote to memory of 3348	416	8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe	81
PID 3348 wrote to memory of 3536	3348	Llnggk32.exe	82
PID 3348 wrote to memory of 3536	3348	Llnggk32.exe	82
PID 3348 wrote to memory of 3536	3348	Llnggk32.exe	82
PID 3536 wrote to memory of 3656	3536	Lbhocegl.exe	83
PID 3536 wrote to memory of 3656	3536	Lbhocegl.exe	83
PID 3536 wrote to memory of 3656	3536	Lbhocegl.exe	83
PID 3656 wrote to memory of 1148	3656	Lefkpq32.exe	84
PID 3656 wrote to memory of 1148	3656	Lefkpq32.exe	84
PID 3656 wrote to memory of 1148	3656	Lefkpq32.exe	84
PID 1148 wrote to memory of 3812	1148	Lmmcqn32.exe	85
PID 1148 wrote to memory of 3812	1148	Lmmcqn32.exe	85
PID 1148 wrote to memory of 3812	1148	Lmmcqn32.exe	85
PID 3812 wrote to memory of 3120	3812	Lbjlid32.exe	86
PID 3812 wrote to memory of 3120	3812	Lbjlid32.exe	86
PID 3812 wrote to memory of 3120	3812	Lbjlid32.exe	86
PID 3120 wrote to memory of 2148	3120	Liddfolf.exe	87
PID 3120 wrote to memory of 2148	3120	Liddfolf.exe	87
PID 3120 wrote to memory of 2148	3120	Liddfolf.exe	87
PID 2148 wrote to memory of 3088	2148	Llbpbjlj.exe	88
PID 2148 wrote to memory of 3088	2148	Llbpbjlj.exe	88
PID 2148 wrote to memory of 3088	2148	Llbpbjlj.exe	88
PID 3088 wrote to memory of 4760	3088	Lbmhod32.exe	89
PID 3088 wrote to memory of 4760	3088	Lbmhod32.exe	89
PID 3088 wrote to memory of 4760	3088	Lbmhod32.exe	89
PID 4760 wrote to memory of 868	4760	Lekekp32.exe	90
PID 4760 wrote to memory of 868	4760	Lekekp32.exe	90
PID 4760 wrote to memory of 868	4760	Lekekp32.exe	90
PID 868 wrote to memory of 1780	868	Mboeddad.exe	91
PID 868 wrote to memory of 1780	868	Mboeddad.exe	91
PID 868 wrote to memory of 1780	868	Mboeddad.exe	91
PID 1780 wrote to memory of 1368	1780	Memapppg.exe	92
PID 1780 wrote to memory of 1368	1780	Memapppg.exe	92
PID 1780 wrote to memory of 1368	1780	Memapppg.exe	92
PID 1368 wrote to memory of 4884	1368	Mlgjmi32.exe	93
PID 1368 wrote to memory of 4884	1368	Mlgjmi32.exe	93
PID 1368 wrote to memory of 4884	1368	Mlgjmi32.exe	93
PID 4884 wrote to memory of 2660	4884	Mgmnjb32.exe	94
PID 4884 wrote to memory of 2660	4884	Mgmnjb32.exe	94
PID 4884 wrote to memory of 2660	4884	Mgmnjb32.exe	94
PID 2660 wrote to memory of 4980	2660	Mljfbiea.exe	95
PID 2660 wrote to memory of 4980	2660	Mljfbiea.exe	95
PID 2660 wrote to memory of 4980	2660	Mljfbiea.exe	95
PID 4980 wrote to memory of 3704	4980	Minglmdk.exe	96
PID 4980 wrote to memory of 3704	4980	Minglmdk.exe	96
PID 4980 wrote to memory of 3704	4980	Minglmdk.exe	96
PID 3704 wrote to memory of 216	3704	Mpgoig32.exe	97
PID 3704 wrote to memory of 216	3704	Mpgoig32.exe	97
PID 3704 wrote to memory of 216	3704	Mpgoig32.exe	97
PID 216 wrote to memory of 3152	216	Medgan32.exe	98
PID 216 wrote to memory of 3152	216	Medgan32.exe	98
PID 216 wrote to memory of 3152	216	Medgan32.exe	98
PID 3152 wrote to memory of 2420	3152	Mlnpnh32.exe	99
PID 3152 wrote to memory of 2420	3152	Mlnpnh32.exe	99
PID 3152 wrote to memory of 2420	3152	Mlnpnh32.exe	99
PID 2420 wrote to memory of 2164	2420	Mdehof32.exe	100
PID 2420 wrote to memory of 2164	2420	Mdehof32.exe	100
PID 2420 wrote to memory of 2164	2420	Mdehof32.exe	100
PID 2164 wrote to memory of 4412	2164	Mgddka32.exe	101
PID 2164 wrote to memory of 4412	2164	Mgddka32.exe	101
PID 2164 wrote to memory of 4412	2164	Mgddka32.exe	101
PID 4412 wrote to memory of 384	4412	Mibpgm32.exe	102

C:\Users\Admin\AppData\Local\Temp\8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe
"C:\Users\Admin\AppData\Local\Temp\8633f070b18761349345e3a200c6118d240a527eb2a82b417a095afb5529d5b2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\SysWOW64\Llnggk32.exe
  C:\Windows\system32\Llnggk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\Lbhocegl.exe
    C:\Windows\system32\Lbhocegl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\Lefkpq32.exe
      C:\Windows\system32\Lefkpq32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3656
    - - C:\Windows\SysWOW64\Lmmcqn32.exe
        
        C:\Windows\system32\Lmmcqn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\SysWOW64\Lbjlid32.exe
        
        C:\Windows\system32\Lbjlid32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Liddfolf.exe
        
        C:\Windows\system32\Liddfolf.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Llbpbjlj.exe
        
        C:\Windows\system32\Llbpbjlj.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Lbmhod32.exe
        
        C:\Windows\system32\Lbmhod32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Lekekp32.exe
        
        C:\Windows\system32\Lekekp32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Mboeddad.exe
        
        C:\Windows\system32\Mboeddad.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Memapppg.exe
        
        C:\Windows\system32\Memapppg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Mlgjmi32.exe
        
        C:\Windows\system32\Mlgjmi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Mgmnjb32.exe
        
        C:\Windows\system32\Mgmnjb32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Mljfbiea.exe
        
        C:\Windows\system32\Mljfbiea.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Minglmdk.exe
        
        C:\Windows\system32\Minglmdk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Mpgoig32.exe
        
        C:\Windows\system32\Mpgoig32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Medgan32.exe
        
        C:\Windows\system32\Medgan32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Mlnpnh32.exe
        
        C:\Windows\system32\Mlnpnh32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Mdehof32.exe
        
        C:\Windows\system32\Mdehof32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Mgddka32.exe
        
        C:\Windows\system32\Mgddka32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Mibpgm32.exe
        
        C:\Windows\system32\Mibpgm32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Mplhdghc.exe
        
        C:\Windows\system32\Mplhdghc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Ngfqqa32.exe
        
        C:\Windows\system32\Ngfqqa32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Nidmml32.exe
        
        C:\Windows\system32\Nidmml32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Npoeif32.exe
        
        C:\Windows\system32\Npoeif32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\Ncmaeb32.exe
        
        C:\Windows\system32\Ncmaeb32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Neknam32.exe
        
        C:\Windows\system32\Neknam32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Nnbebk32.exe
        
        C:\Windows\system32\Nnbebk32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Npabof32.exe
        
        C:\Windows\system32\Npabof32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Ngkjlpkj.exe
        
        C:\Windows\system32\Ngkjlpkj.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Npcodf32.exe
        
        C:\Windows\system32\Npcodf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\Njlcmk32.exe
        
        C:\Windows\system32\Njlcmk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\Nljoig32.exe
        
        C:\Windows\system32\Nljoig32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Nlllof32.exe
        
        C:\Windows\system32\Nlllof32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Ocfdlqmi.exe
        
        C:\Windows\system32\Ocfdlqmi.exe
        36⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Ojplhkdf.exe
        
        C:\Windows\system32\Ojplhkdf.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Oloidfcj.exe
        
        C:\Windows\system32\Oloidfcj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Odfqecdl.exe
        
        C:\Windows\system32\Odfqecdl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Ogdmaocp.exe
        
        C:\Windows\system32\Ogdmaocp.exe
        40⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Onneoi32.exe
        
        C:\Windows\system32\Onneoi32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Odhmkcbi.exe
        
        C:\Windows\system32\Odhmkcbi.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Ogfjgo32.exe
        
        C:\Windows\system32\Ogfjgo32.exe
        43⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\Onqbdihj.exe
        
        C:\Windows\system32\Onqbdihj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Oqonpdgn.exe
        
        C:\Windows\system32\Oqonpdgn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Ogifmn32.exe
        
        C:\Windows\system32\Ogifmn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Oncoihfg.exe
        
        C:\Windows\system32\Oncoihfg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Oqakfdek.exe
        
        C:\Windows\system32\Oqakfdek.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Ogkcbn32.exe
        
        C:\Windows\system32\Ogkcbn32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Pqcgkc32.exe
        
        C:\Windows\system32\Pqcgkc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Pgnphnke.exe
        
        C:\Windows\system32\Pgnphnke.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Pnghdh32.exe
        
        C:\Windows\system32\Pnghdh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Pqfdac32.exe
        
        C:\Windows\system32\Pqfdac32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Pcdqmo32.exe
        
        C:\Windows\system32\Pcdqmo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Pnjejgpo.exe
        
        C:\Windows\system32\Pnjejgpo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Pddmga32.exe
        
        C:\Windows\system32\Pddmga32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Pfeiojnj.exe
        
        C:\Windows\system32\Pfeiojnj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Pjqeoh32.exe
        
        C:\Windows\system32\Pjqeoh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Pqknlbmp.exe
        
        C:\Windows\system32\Pqknlbmp.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\Pgdfim32.exe
        
        C:\Windows\system32\Pgdfim32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Pnoneglj.exe
        
        C:\Windows\system32\Pnoneglj.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\Pqmjab32.exe
        
        C:\Windows\system32\Pqmjab32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Pggbnlbj.exe
        
        C:\Windows\system32\Pggbnlbj.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Pnakkf32.exe
        
        C:\Windows\system32\Pnakkf32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Qqoggb32.exe
        
        C:\Windows\system32\Qqoggb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Qcnccm32.exe
        
        C:\Windows\system32\Qcnccm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Qjhlpgpk.exe
        
        C:\Windows\system32\Qjhlpgpk.exe
        67⤵
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Qqadmagh.exe
        
        C:\Windows\system32\Qqadmagh.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Qcppimfl.exe
        
        C:\Windows\system32\Qcppimfl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4800
        
        C:\Windows\SysWOW64\Anedfffb.exe
        
        C:\Windows\system32\Anedfffb.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Aqdqbaee.exe
        
        C:\Windows\system32\Aqdqbaee.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Agniok32.exe
        
        C:\Windows\system32\Agniok32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Anhaledo.exe
        
        C:\Windows\system32\Anhaledo.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Aqfmhacc.exe
        
        C:\Windows\system32\Aqfmhacc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Agpedkjp.exe
        
        C:\Windows\system32\Agpedkjp.exe
        75⤵
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Ajoaqfjc.exe
        
        C:\Windows\system32\Ajoaqfjc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Aqijmq32.exe
        
        C:\Windows\system32\Aqijmq32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Acgfil32.exe
        
        C:\Windows\system32\Acgfil32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Afebeg32.exe
        
        C:\Windows\system32\Afebeg32.exe
        79⤵
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Ampkbagd.exe
        
        C:\Windows\system32\Ampkbagd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Acicol32.exe
        
        C:\Windows\system32\Acicol32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Afhokgme.exe
        
        C:\Windows\system32\Afhokgme.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        83⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Aamchpmk.exe
        
        C:\Windows\system32\Aamchpmk.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Aeioio32.exe
        
        C:\Windows\system32\Aeioio32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Bappnpkh.exe
        
        C:\Windows\system32\Bappnpkh.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Bfmhff32.exe
        
        C:\Windows\system32\Bfmhff32.exe
        87⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Bncqgd32.exe
        
        C:\Windows\system32\Bncqgd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2336
        
        C:\Windows\SysWOW64\Benidnao.exe
        
        C:\Windows\system32\Benidnao.exe
        89⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Bfoelf32.exe
        
        C:\Windows\system32\Bfoelf32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Bjjalepf.exe
        
        C:\Windows\system32\Bjjalepf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3364
        
        C:\Windows\SysWOW64\Badiio32.exe
        
        C:\Windows\system32\Badiio32.exe
        92⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Bepeinol.exe
        
        C:\Windows\system32\Bepeinol.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Bfabaf32.exe
        
        C:\Windows\system32\Bfabaf32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Bmkjnp32.exe
        
        C:\Windows\system32\Bmkjnp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Bagfooep.exe
        
        C:\Windows\system32\Bagfooep.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Bhqnki32.exe
        
        C:\Windows\system32\Bhqnki32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Bjokgd32.exe
        
        C:\Windows\system32\Bjokgd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Bnkfhcdj.exe
        
        C:\Windows\system32\Bnkfhcdj.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Baicdncn.exe
        
        C:\Windows\system32\Baicdncn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Bhckqh32.exe
        
        C:\Windows\system32\Bhckqh32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Cffkleae.exe
        
        C:\Windows\system32\Cffkleae.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Cmpcioha.exe
        
        C:\Windows\system32\Cmpcioha.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\Ccjlfi32.exe
        
        C:\Windows\system32\Ccjlfi32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Cfhhbe32.exe
        
        C:\Windows\system32\Cfhhbe32.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Cnopcb32.exe
        
        C:\Windows\system32\Cnopcb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Cmbpoofo.exe
        
        C:\Windows\system32\Cmbpoofo.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4908
        
        C:\Windows\SysWOW64\Cdlhki32.exe
        
        C:\Windows\system32\Cdlhki32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Cfkegd32.exe
        
        C:\Windows\system32\Cfkegd32.exe
        109⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Cnamib32.exe
        
        C:\Windows\system32\Cnamib32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Celeel32.exe
        
        C:\Windows\system32\Celeel32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Chjaag32.exe
        
        C:\Windows\system32\Chjaag32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1536
        
        C:\Windows\SysWOW64\Cfmamdkm.exe
        
        C:\Windows\system32\Cfmamdkm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2120
        
        C:\Windows\SysWOW64\Cndinalo.exe
        
        C:\Windows\system32\Cndinalo.exe
        114⤵
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\Cabfjmkc.exe
        
        C:\Windows\system32\Cabfjmkc.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Chlngg32.exe
        
        C:\Windows\system32\Chlngg32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Cjkjcb32.exe
        
        C:\Windows\system32\Cjkjcb32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Cepnqkai.exe
        
        C:\Windows\system32\Cepnqkai.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Dhokmgpm.exe
        
        C:\Windows\system32\Dhokmgpm.exe
        119⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Djmgiboq.exe
        
        C:\Windows\system32\Djmgiboq.exe
        120⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Dagoel32.exe
        
        C:\Windows\system32\Dagoel32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Ddekah32.exe
        
        C:\Windows\system32\Ddekah32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Dfdgnc32.exe
        
        C:\Windows\system32\Dfdgnc32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Dokpoq32.exe
        
        C:\Windows\system32\Dokpoq32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Dailkl32.exe
        
        C:\Windows\system32\Dailkl32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Ddhhggdo.exe
        
        C:\Windows\system32\Ddhhggdo.exe
        126⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Dhcdhf32.exe
        
        C:\Windows\system32\Dhcdhf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Domldpcd.exe
        
        C:\Windows\system32\Domldpcd.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Dalhqlbh.exe
        
        C:\Windows\system32\Dalhqlbh.exe
        129⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Dhfqmf32.exe
        
        C:\Windows\system32\Dhfqmf32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Dkdmia32.exe
        
        C:\Windows\system32\Dkdmia32.exe
        132⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        133⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 400
        134⤵
        Program crash
        
        PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5852 -ip 5852
1⤵
PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ampkbagd.exe

Filesize
93KB

MD5
8a1e1c75c081f86b40d20a067e64dd93

SHA1
45fdabed6ec5ec13d7bc77dd62c3ea89bac5c047

SHA256
037cf0bb604188bd92327efe7324aa7759a27de6f627b7da78c3906277b4ae5a

SHA512
70e66e02b484beaecdd69c16731703fb830a976e9e86351b7de7e2441a256c81a7df483e36822cb024668cf560c78ee13eee34a85188be75c115f20718455e66

Download Submit
C:\Windows\SysWOW64\Anedfffb.exe

Filesize
93KB

MD5
4411c307256bea19d33a3dc083a51061

SHA1
663debb57424a9488317d1220cac77de6d8f6c01

SHA256
17d16168c332cb99d88c78813aaeca85d16bf432bde6f9779e9d1a4a2fbe7f59

SHA512
ebf2328798abb34574b758db153f12449cc4ad9ef26de795431f0085a619021d8ccb2631047b302ca267ad882bb7019d67e5a4b77f64037bebda27d9dc120c98

Download Submit
C:\Windows\SysWOW64\Anhaledo.exe

Filesize
93KB

MD5
a230bbce93a25ca1b8c5098c0bb0dee6

SHA1
189ab7a4a1d91b6722020d4f4fe0eedb3a79e77b

SHA256
644559a9258e33b45941f61d1b6da2d267318a22bf5d8fcfc89706f14448d96b

SHA512
6d69e54ab3cad7662d678699b866dec9b50777a5028e1f79b139233537a23273f75053d1ff57766561e5e343ff63cbb8ae26ee8069edd57f23239ab3a2c12fe1

Download Submit
C:\Windows\SysWOW64\Aqijmq32.exe

Filesize
93KB

MD5
e29e0407094500e0ddd603a76e843eb6

SHA1
f73de083b7c1466f242a2121c9fb5fd8052fa368

SHA256
2fe3ccbdd36e025f3e22b3cec21341feeec018f63c6a8f5308f6b2d5ddf9c536

SHA512
e037db9287683e4f9d4bdc7e5fa2aca9130d264460af6463ea43770a19de082fe28bb7c68964666edc3163522f9e907b855b79685c375ff55626104aeaa44268

Download Submit
C:\Windows\SysWOW64\Badiio32.exe

Filesize
93KB

MD5
322e0c9ccec0b940bd75f331bbc2cc40

SHA1
4b095e1330d0186940acd9b4bb15e53a0777e034

SHA256
f7c12a21ff09715783ac6012b36f3d2a503246e12725aca5aeb8e2c8c5113688

SHA512
2a4fe95a16976697980981dd176bd05cb264166dde74a8d47838b5007bc4ff06a426b627f425fd9b5687542b4483793c93db5b1cc40226e7270df950d5fa805b

Download Submit
C:\Windows\SysWOW64\Bappnpkh.exe

Filesize
93KB

MD5
6458bbf6c20f1ee4082f39cfdf080045

SHA1
8b72c08501066ea42969052b03d9fc2a2c4e002b

SHA256
b2d8cd3d643c7e2070878f0e90a18e79be57507ac851d06a80fcaa6a8b7a1464

SHA512
b86c5a8fc9a7ae2dc2e17900c41fd762c93f9a4013f04037c957ef09b653f5e0be26be6f8b3d48cd6d264618e200dffe3093eadce3430c813581461a712daad7

Download Submit
C:\Windows\SysWOW64\Benidnao.exe

Filesize
93KB

MD5
6d6eaca36217792ea0f50a93a8183938

SHA1
bfe1778f2feffc2a2bf6578522fcdd7361e2f38c

SHA256
4a1d487b066a15d8edbd6cb48b87a344f7a06c666b04b1c1eea9bb87bb27edf0

SHA512
d9b6082fc8a4024e87b0d01996a235a69d89eb7a96562fdbe27cc88d127f38719c7548993d0ab523dade95071fa4526ea0c7bf70e0f830c76c399242c3fbbd39

Download Submit
C:\Windows\SysWOW64\Bfabaf32.exe

Filesize
93KB

MD5
1418fc0caf301989eb1d2a5eaffc554d

SHA1
4bbb1e1d52d1e09b05769e3f13a0316d41839a98

SHA256
481539f9c6ec7f724d0dad8be5d348dfecf63bef75a09206734c3cabd83a06a4

SHA512
cf2f3813198206e714ac416fe56fa839c19531efa8d51c6f1bb89c88e1191c1d0a4624ccf2e28b69b1db592cf1c422c835775a0b041b3b5157420ae039d0c9c1

Download Submit
C:\Windows\SysWOW64\Bfmhff32.exe

Filesize
93KB

MD5
4ae95c6856ff2a538f3ce79f698ae04f

SHA1
56e3a683a388d97995b945722e234aa89ebad759

SHA256
92c11e6b5e84f338022e6ddb117e4dcb06823c806b9b6ff6d93aaf0648be3c5f

SHA512
61651f17d2a23ac4d883380a950d0b8a313368427e894f4fdb4bc9fb6da9faf995b791dfae95229863e309dc0149fd86b50bcab0b2f1ec394852413f86380176

Download Submit
C:\Windows\SysWOW64\Cabfjmkc.exe

Filesize
93KB

MD5
01252518186e592e0fc05409e06ba99a

SHA1
c4b8a936c249f974c9b6b6457feb6889286baf1b

SHA256
f0424588d9696d52f89bc2c9cc9829437fbf7f6420bfefa9b5a9310c1cc362e9

SHA512
bdaf1390130a3adadf8f1a178df8db35782c4568384ecfedcd52d1cec27891ec918ed1a56baf906e99256198942b9a5be10eb1de946e767bcc8b0eba5f615303

Download Submit
C:\Windows\SysWOW64\Cdlhki32.exe

Filesize
93KB

MD5
a2cc8b76d5c85a5a6898bf79c43325f5

SHA1
67619117ecd379c8f1d0f320ea69a0beceb37214

SHA256
519defc1d3590a07ac9acc48ec93bccbf9ebe9ed94aec6d63e290dc94c2cab4c

SHA512
736672c2f9d9a8f392f96a645ae7e83ceb64c97763e8ce648959151fcdaf2398327a39fcd565a2b9b989e5c4f9c36fba9cd9364032f95ac8438d24c2237ae675

Download Submit
C:\Windows\SysWOW64\Celeel32.exe

Filesize
93KB

MD5
0da65dcaf17c18a13ac564a694073b44

SHA1
a24504bb5c6d9088d78688f8b6fdd93aca370150

SHA256
77bdfb1ff935bb96765d8675f0bbce57ca635cac0c748a9043e1a5f205135526

SHA512
9b80ff1f0b0bea03892c8ee677334747b51a0f24ce26557636e5992b699b8e5b46e48943350d9390c7085a69a13e1bc8c5641294dbc801b47e9112da1b483e16

Download Submit
C:\Windows\SysWOW64\Cepnqkai.exe

Filesize
93KB

MD5
693556b8c7e00cd76b5d07ae2689bb3a

SHA1
0e114961b4abfdd460110e773f5249edf0a5997b

SHA256
7dd06f3e17da7c581dd3424edd843cb14c9b3d0f74a70640ae0d4aef2565a5ab

SHA512
cc866f8217fd670b333a5e2abd3814284b1ede5ba0f4ac7ab71ea7c2a2da20de336b08273d26f76e32fe52ee8dd795313e3d1b153c1287b4d0de15b548bd07e7

Download Submit
C:\Windows\SysWOW64\Cffkleae.exe

Filesize
93KB

MD5
e86488744c2fce16a621d33f56d74e75

SHA1
1797f9dfdf1608ad9b17bb174a9c8b4428a732a8

SHA256
a3457fbb45cbd53edfaea1ff383f41b474887ebec595f25b233d93b885f05cd0

SHA512
8a6178030a19ac61cb4d45f714c9797b27774a8d91528f80fdb7c91f21233d94e639cf8f5dbb9e194c743b9ef1d928ebc93adcd565b8025ca4c4246339bd408c

Download Submit
C:\Windows\SysWOW64\Cfhhbe32.exe

Filesize
93KB

MD5
b9bce77eee958a329640be27e60db37b

SHA1
cb65307ef100536d250b503a05f764c2e64c77cf

SHA256
1fb7cb52bb96ae3a094767be33174b0fcc3493d170bf76f061d04a9f22edadf3

SHA512
858211beddaada9ad100aaf0d2a528ae225d1230175b71cb54618d3e3bb0d09ad888e0380b68edba60f96bec03425b7e3b0bd4ddc6b927fc7b900bce689c470a

Download Submit
C:\Windows\SysWOW64\Ddekah32.exe

Filesize
93KB

MD5
f22047557c641fbe7f16727106f45598

SHA1
c130cffcfce95b9f1c5300ab7e966b16cf0475db

SHA256
a27720638465f76dd45f34b356cae1ff0b87d39230075491c1f351a7261da452

SHA512
c966f5937de3a1cdbb145b5a0a5af474f1e6761423d951d26f967407ad5ab94825c588df542cf53b76a90d095dc6d89440ce50e3e00863822fc81a11c238cf87

Download Submit
C:\Windows\SysWOW64\Dkdmia32.exe

Filesize
93KB

MD5
d75be16103596597c0ac0618ee237753

SHA1
81ebdb367e20588f16a7cf21a97e5a4bfc90c417

SHA256
3bc2548bcc6d0713028f0dff61815088868b7d88b6163e5e158cc4f1d01a5c3c

SHA512
5d31f16107a6aae7127c5c0c59550763693564ed0d7e3645d0401dd13211eb4de10577a169c2fec40492789e693488941af3f23d8c03ac1ec4f74ee735979785

Download Submit
C:\Windows\SysWOW64\Lbhocegl.exe

Filesize
93KB

MD5
42e740c57497e6b19c64379b17c4b1bc

SHA1
8c23bebf5c181f263ba89e22b97dfbd00092ab8e

SHA256
319b74a01c03320b79a2685c25afa13fb445cf7e7d6bfb03af5166a417919442

SHA512
33533433194ea3bc96a24e82823a16a6cbc96be107b336d317a86eb47940228b7d9594ccc803a8d2a73a0924f29a8547748062f54dca1811489c46a3f6750183

Download Submit
C:\Windows\SysWOW64\Lbjlid32.exe

Filesize
93KB

MD5
84053d7e932a1da3923458005067e266

SHA1
17a6f5558a5abb00214930e21c2c40eda9441fc7

SHA256
ea2eb811771ba725e9d55113d644e8fd3fa3ae18830fa76309d07b33b2d19f25

SHA512
5fef965dfc0288525337f51167d7b532314cb338a9a0390d72411c0b19371bb9662aee13d7b446956b4efc14c2dd310b96f0a5772b689f3809934215cff1f270

Download Submit
C:\Windows\SysWOW64\Lbmhod32.exe

Filesize
93KB

MD5
63cd92cfb89199ca90766c83c0b22fa8

SHA1
3483ac796b740f5fe8507fb49429bf33a7115272

SHA256
fa8ea1fcc4dc1bced2d895c3e28fc5f9783dc1c966cdf4aceb5166b113dcfe47

SHA512
c2c47b1165ebb41f1f1f5cb62e06318df95c9712c4a651a4a35c8c79572c4600b39bf659e45a377704dfc4e6089452b716a56624315cbac7e134b85e9e3114bd

Download Submit
C:\Windows\SysWOW64\Lefkpq32.exe

Filesize
93KB

MD5
9ae53f5e64a44afdc07aac6c248f8a61

SHA1
5e26dc4db07d4d44c4b6ed6db81c6861ca8bd8f4

SHA256
93085ed73442d4ffb0d6273175fe1f3da59acc2f9c39efebf1368cce1d59e8f9

SHA512
e04e5daa84cf81c0ab9f9a419d7debd638088a3b2fc997392edf96c4f4b79b0a1368bbb8e746427ae7a6cbd4d7947fd86cc36a71f8ec7cfb8bc8db7d8bbe62cb

Download Submit
C:\Windows\SysWOW64\Lekekp32.exe

Filesize
93KB

MD5
d3757f5a747e1f3a4002f180576de9ff

SHA1
89ff18c5aa020c7575fcea675211a175246541a0

SHA256
b9a84945fab413ec18a591d925de63402e87847c9479af873cb905f7073ecc11

SHA512
fb3e81aebc7b0e6f5623e17596bf8927a9d46397c8746d794f73babdf63746d9a980d5b19e893e18eaa1eb0a993efa304b8752e764f6b20d6ecc2bc720060d1e

Download Submit
C:\Windows\SysWOW64\Liddfolf.exe

Filesize
93KB

MD5
74b08c1a1caf1bb1e4d6942a502dc233

SHA1
3c5739eb0a4105055a93576c8a4ac35d283d9651

SHA256
eae3177119ab47598888c8c27ad2e466f4946b0e0abff95fdebfd109bdf1c238

SHA512
55233ec585684fa655bc955f7fce9f582ec5bbe3e786aac92ffc89f368b8cd3640e86882834a8e884037c66866f88c86c5959a586185469f7106e46508d1e739

Download Submit
C:\Windows\SysWOW64\Llbpbjlj.exe

Filesize
93KB

MD5
b7b00a028626aada7e3563185a9afbe3

SHA1
cb5cc0fa9236583b8da4339566dc73306c782875

SHA256
abf3e27475408e4b340a576e11e45ad89294ba93f65c5bd87ce638a40def611c

SHA512
bd56c490fbccbe5bc16a338b647c26d6926c209753f3e0f829cdd85e1138ed75c9f79d46948dfed1e21600e4cef669faf5990acf0a675ef354499fbd82453124

Download Submit
C:\Windows\SysWOW64\Llnggk32.exe

Filesize
93KB

MD5
dfb9d40ddc73515426ed84329b00e439

SHA1
9b725a11e1be70ad42f72e7d5b17fc0c1d575786

SHA256
cae12e9a8452563f18ac5bb8255ccd977d65594e25906c7a2cc70b5c9d483028

SHA512
1ef8915b44ae15c12704e5fd9557b9dd3c5a6f037f99a55bf8fbad6429445da8e7d62d250e22d5c3908d94515931993f75c3115e9fb417904b30dd50831460e9

Download Submit
C:\Windows\SysWOW64\Lmmcqn32.exe

Filesize
93KB

MD5
7fb37f1722a4feeef10ef358d9b413c0

SHA1
5a9f8c6c97b3cea6ea9e45b1acf1819785dc0f68

SHA256
c6b2d52e4c72aa1a89e6a6197d362efecfb365548f5e78d02611d5138fa7689d

SHA512
262e63fc9a97cfa15f5d5a54ba664edaf1cf24f97b62ccf0143b631f4baad5d95f4d8c01f5b69bab71e775c1965ccbe46e78c6e84f8f6bd32cb6eaac61c3410a

Download Submit
C:\Windows\SysWOW64\Mboeddad.exe

Filesize
93KB

MD5
3d1db14b979c4e3e020821f7b06ebcb5

SHA1
00ec1f26160470d10e3f7879240a6c89809ac61f

SHA256
ce8318d4c8fd57aa52978a055504ac98d611988a5a163c8ad6d98618161e7f0d

SHA512
0b106808773186dfb82b166b0fd534f8ed505ec22a0ba528b80285937a4804b1e553441f8191e184eed6964e2a47971af0d50f7df9b3f8b118e50a4b4e978819

Download Submit
C:\Windows\SysWOW64\Mdehof32.exe

Filesize
93KB

MD5
7993ccbfa9ec5453346c3d5a3fc2a424

SHA1
ff468966f764b9221f8de74da57b30090657594a

SHA256
7e402116f402182559ccb1468a54566cb665449bd9116f56cc4dd83496f11822

SHA512
5758af2f363d2ce890ac610effed1ad81b0075f11acf73c59c463573d016c34a28549f78c2dabd1a392afd0b7e9c1ab0c26800c62c3b28680214e6135f268de6

Download Submit
C:\Windows\SysWOW64\Medgan32.exe

Filesize
93KB

MD5
768730d08a73adf8a8ef7ed4c6918c91

SHA1
d157f4992f6f224789700d5924d911081347c656

SHA256
c2c348bd4b9d948022cb6b7ea89a4810840b720fd7a5cf1d54c8e5f4891e6d49

SHA512
8bb9a7d20b9575fe9061ed017e47323cbc6e2d8853c4120862edc4854ef38fcc70bdd0e74b35310f301692c7e0baee120a4ded8e4d54e8e3dd2caed939fd928d

Download Submit
C:\Windows\SysWOW64\Memapppg.exe

Filesize
93KB

MD5
ff3d3598cef70c4a15c713e7abe33eab

SHA1
c8092ea58fe66b44fc6f0e7c30ef1c9cae52c4ba

SHA256
48a6aace2521a706dd6c01764061a602de73a6f5072c704d8af42e78d6bc24fb

SHA512
0ec94aa97cfb8ef2e83bf85465f76eabea8156e9e31f7e8c478a7f1e48503d25cdc078dfc5e6f2899616421d796aea70b729a16d9924f433a2c298086efa1078

Download Submit
C:\Windows\SysWOW64\Mgddka32.exe

Filesize
93KB

MD5
2c2cb7f812eafde52c11fb8d4bc0a7c2

SHA1
663f1586d693f9f65de81c5f6608be150ec0ca22

SHA256
5f4d8373366c12e16b1122ae3dfd1771ebabbd0f709dffce6b7c2e7c226b0aa2

SHA512
94e7ceb9228be361a3a835bc6fdf43f1fe783de5045e9746a18e2ffd34cb021ea955ce20299a134476065da0b4facf7b2991756057d4d65d512ea166a6374cd0

Download Submit
C:\Windows\SysWOW64\Mgmnjb32.exe

Filesize
93KB

MD5
2f7f0dc767ce68e6c83fc24db9568518

SHA1
7726ae06a43efb736d8e23d89a0ead85590ab9cc

SHA256
05ba0b8ae3e5354d77224f06b814aa470d7760634b0c054d759911e635edba45

SHA512
223359573899fe096f1d0d2d9a766499528d04d0d385535966819f4738552355358832778280a49d91131ebe6a0c52df03642b9d3c0b1351dbbbfaea8845ccc5

Download Submit
C:\Windows\SysWOW64\Mibpgm32.exe

Filesize
93KB

MD5
4fe397a21a80a324e22753166e9c9814

SHA1
09a4fb1b25b952872ada8fe0c2d4c703747b04c2

SHA256
941720505d42e74d22c6119eaec9bf5de7fb5122689d3aee05f0fa443cd75c01

SHA512
a2fd764fe9252cff3b1cf7ffa2170c2e37d40a3e1e953ea5705c3594f31e094804a79d6b32d85f9fc2d44230f3eb04a534ecd50b4e66beedf9cd5c605f3b1e31

Download Submit
C:\Windows\SysWOW64\Minglmdk.exe

Filesize
93KB

MD5
bb7a56924b64670572e97710c00a2118

SHA1
60197dba6107c18ff9978c85a66eaf098213023a

SHA256
227755d3ec3516dcefaa7a607e1aebe6396d5651eb1a51ac751a81b2cc0343ac

SHA512
b4067cb1cf2870e60d868d360227c58df43cace5f99b10900fbc84413f46d38cd1e4747fc6d8cefdff24c95a84759a0e530d666a3c6bf030dca74570beb2c6e8

Download Submit
C:\Windows\SysWOW64\Mlgjmi32.exe

Filesize
93KB

MD5
fb2cc9c085cb707e77faf4b93cfdc592

SHA1
12c4993f56662c7fdf58696ee80bd37e138dd70e

SHA256
756a407c8ac4308fe3822e1b3ee00f579048c49c823547759da21cd46f883876

SHA512
82128023a4cfcee83292577cfb400318be99ee0b2f801be078beb9d5a55e63d7ab44ecbc4c5c47e3ebbd57673a4582c51a87f1810e8e4bdd7888a4b955faa491

Download Submit
C:\Windows\SysWOW64\Mljfbiea.exe

Filesize
93KB

MD5
d55b779d356af3cc45542be69c7e8046

SHA1
fdeb1396b1cf9296cc48b8b982932d75d148e4c6

SHA256
139704602ebf3f1a61f02346b8d6029ce36bc9031d25cbbc6107c0b79cd005d7

SHA512
4e6012d9edce4df21b9620a15def43a9254a7ed8c0401967e84e6315e3451e2ddaa965e5d1adb1aa0f533c6408e019f0be5eb92fb2fb8d8ac0fc2c9c4fe88278

Download Submit
C:\Windows\SysWOW64\Mlnpnh32.exe

Filesize
93KB

MD5
034fa20c360d41967778222487a98dce

SHA1
a2150b0f3105f881562572d0fe230dcbf15d01ae

SHA256
ddcc625e1204f4a3e36ca67a0fefaac9717d63e0fb92a84402aebb0c1c46dc19

SHA512
1e0b7608d91f0a6ce7271c8c5ffcbfaac3724ec78aefc27d0c1588c7fe8262a3c0d3f74e468e815f7854274f97c52d9fded51dcdced722e1c938c518fc2b6fa2

Download Submit
C:\Windows\SysWOW64\Mpgoig32.exe

Filesize
93KB

MD5
32ec855108eefc7a3b212629869c40ea

SHA1
c8591f2b3967663528fae82632059d77f89d5158

SHA256
47cee4881c0a5c29a5f474cbc3537ff007170a2137d25c2bf51590da31fa2c02

SHA512
66305ee9db0cb82aef4df09df01c97a7d970ebee35ae6f2bb38965c35013d383a2b43648128f5c950d0eb0cf9905b8a35e01d73e472616e1b81541c0881c36cd

Download Submit
C:\Windows\SysWOW64\Mplhdghc.exe

Filesize
93KB

MD5
ee9e5bfd6b495459f3883096c848c7de

SHA1
e128708e22bd9c9b8a3878725b556bab662a13a3

SHA256
f98b39ddf66eb5b82d5afe93b42091bde768cdafff10a48feb83153728a60dd2

SHA512
486001b5ad633ee09b849c0159b431b421eab53c81d09fd3587c546a39b46e1d05366df20333f4af9def098ed2e36027662b2f62f86c77a490b057da283318e6

Download Submit
C:\Windows\SysWOW64\Ncmaeb32.exe

Filesize
93KB

MD5
080bc3a22528b38d30b179913a73acc6

SHA1
891ffbb6b8edf901854165454d6f13dd82f4ae76

SHA256
d173ebfb911f7c9e7e5ee8bfbd44ae7ca469bbf628578f1eb7268077f9714d45

SHA512
ddc67be103c83300d637bdaa1cc7ce60ce7a1765f72dd533d8593ba0cc019a3ff9a8838f56ad74cc89f34076f57e7e903145aed9be4f5c42fbb9cf2ef799977c

Download Submit
C:\Windows\SysWOW64\Neknam32.exe

Filesize
93KB

MD5
c83f56d8249e634ba1904fbfd381efa2

SHA1
86a5d6221b34cac7eb304b50865a73062c574edc

SHA256
29bb776a1b444aabcd94b85b504b512c2b7010bf8d9867fbd8f32ddb14a9600b

SHA512
cc3460741c9dc473e0b735b7e259ef92f41e19b1f3884d04547a94f08f279c2eb7a8c9f02bf8d966f9e787357f3421f14ef25182678f2e7d3f4c059ba49bf687

Download Submit
C:\Windows\SysWOW64\Ngfqqa32.exe

Filesize
93KB

MD5
98bbd3da4cdbb5727733c7e83fa860bb

SHA1
b2fbd91eae89ae6136586a974ffaa9b1544f9c6e

SHA256
2d627caa9235a45356806ca418402d326b237d2fde7d82140c1f75b7220e843b

SHA512
3809f79a5a9161ae380367144bda3eccbb4d17d99a9c902837a46d21a3f04c43fed32c7ac6151d8d842a53b77b87f8f38593f18bb6a47bd9f0776a4bd14179ba

Download Submit
C:\Windows\SysWOW64\Ngkjlpkj.exe

Filesize
93KB

MD5
12ba2a7ed3d8b5d005ac7b777914cb8b

SHA1
229cfa159a4862092284f53162d66c258567dab2

SHA256
6863e5dbf7982b8139a2fb246cc9b9eb4ce7d2905cf23850313c56240214b9bd

SHA512
b0f6448e30d2aa93b4a8eebf99ba882c78a0645cfb7e5227bdd67a80b98281dca69ff4262e9821eb9cca8142f3016c98d26160c1c856eb1013e9beff4bdfd309

Download Submit
C:\Windows\SysWOW64\Nidmml32.exe

Filesize
93KB

MD5
5511d907620c760b5746131a6f0e6b67

SHA1
3a62aaeefcebd63c8ef894e4d6bc2ab4b0e32f9e

SHA256
9987096f6814f135b5d48a9bd6d1eb9cdb3b9b431678f13c7a16757601d0aec9

SHA512
8ac0842d49467fe224ec60362e1707434fe3a06f18a93a09c4d66e8155915fdc2757452b89f67e9ca5e9da94db8065fc2def63361fdcbfd705cbc3a292725e4f

Download Submit
C:\Windows\SysWOW64\Njlcmk32.exe

Filesize
93KB

MD5
89a4e477d23c74e45c653a6f6d4fab11

SHA1
3d1b7925d1851f45ff44766355997c2d0715bb1e

SHA256
1c5efd75fcece6052db8ec44ac05394f1bc30650632d97afc2a918057a761d4e

SHA512
22df5f80e925876de575a588f602b71f85219a5697a2fea8b42ee6ecff581635f877b74acfa2f29e5818a41b69d1f2731cf63dfd9a0245dedf7eac90c3386003

Download Submit
C:\Windows\SysWOW64\Nnbebk32.exe

Filesize
93KB

MD5
4ed00bd41d3ef0d3d5107ebdc3b2e8c8

SHA1
bbb4da3922826a096717502e3bc756bd7ffec758

SHA256
43f329987f61e377ad8aecba93fd7d9a09cd33bcc48d297d7827f60caefc69a6

SHA512
8337c7cc586c591a6c76833aeed7ceec34b3a6f9428c68a3d489d2a3bf8e856b184a4f536a583d6d45608a96517d6db41594466e2292d83f84b462cfc30b38b0

Download Submit
C:\Windows\SysWOW64\Npabof32.exe

Filesize
93KB

MD5
c149ac1378fc342943b5bab0d7850147

SHA1
9fbbf724d197f1e9601824041b5d78f6323aed43

SHA256
10b3ba60ef521c16eb5919c870778a7b308317abdbe9f67acf3fe201f6eb6226

SHA512
3a1e52b042df754a2c1af34d18818ca3f677dc560b8bd4be7c72e5b272ef34efe35a89cb10e25d2e57bc33eaee21244ff165c2704cb58d1a4b8bcb8c518d3fcc

Download Submit
C:\Windows\SysWOW64\Npcodf32.exe

Filesize
93KB

MD5
efc2a57210fcebdc8bfe21b6e019a86f

SHA1
7637b7f59462ce7894a64933c947ebc9c2b59aba

SHA256
80e961eb88d338a34a936d0c2181ba8aec33b3993244fdae1afc7a156d0ffa05

SHA512
fc4ce3ec792b0b50a0e256c49b3a764f14f0a0fc582859da317e7f8971297aecd9bd33d8ae83be73bffa233c7af563d5efdcb22bbb47be9227b43423321d90f5

Download Submit
C:\Windows\SysWOW64\Npoeif32.exe

Filesize
93KB

MD5
51a16ead0028b49eec0e51a467dcb585

SHA1
834888467d5cdf05049ee8eaa20b0285e0a7bb4f

SHA256
284cb7f7906f271eeac794eafa6a6e1a57e7a9f2cc80e917362fbcb118d7841a

SHA512
886485678236fd3f77b1555161874d5ea901e7ae499c1c051af92646b0bf40a619ce8c518bb3b6dc913cb1b06fea5dceb2c81e5f3f7422dc52b9b8ddbb02e554

Download Submit
C:\Windows\SysWOW64\Ocfdlqmi.exe

Filesize
93KB

MD5
73bffb692ebe320c3a8e8da7e6c50b94

SHA1
48d34bedebfbc791bcc13ea74a52f3652ec5ac36

SHA256
13d4bd4b8d546cf86623a8eb3414f23f87c9617a72ed415e7955a6d12afd9e14

SHA512
eb14364fea3a2fc966fb8378ff174d5832ff6ff677552b4aab039746ba7698de7a966b62eb7faef80eb100acc702323e048991e45ef5693b6a17d00ec636a25d

Download Submit
C:\Windows\SysWOW64\Odhmkcbi.exe

Filesize
93KB

MD5
9b81d2e60370d7a38a3c65f55dcdcdca

SHA1
a1834e4705d71b59598a2422fd4b97214836bcac

SHA256
6718e9801c77a3002fd6833eee7170be594b8f820fe294c32087e0f3ad0712d8

SHA512
e558ef53b687036b95dfe95a30e978fe84baf882c5bc4430cadca17792df19922a9911048d2c98fbbf86084b420faea979f6e5f95caad5d7d1337b7e2bcacd79

Download Submit
C:\Windows\SysWOW64\Ogifmn32.exe

Filesize
93KB

MD5
77bd394551ec76f7be43db28c25c02db

SHA1
9a064e3720624bf5c75a0ee8a4e1e6c0d3223709

SHA256
2fedf550f692f037b9a0979c7dfb675907f81681b0458a6ab860895c41d1e893

SHA512
cc995eb03e7d61238aaef800f87ba922b50d514bdfb902c8272c1aa1927a245b72907d77dfc4811aa19e0d2b095b806964b0ba263b02cab86ec0bfcc3ce16b2c

Download Submit
C:\Windows\SysWOW64\Ogkcbn32.exe

Filesize
93KB

MD5
4d787455c3054e675b28e54203fcede4

SHA1
b0d1b572ab6d90a9dda6074cae98d19315d3aba1

SHA256
ac1d76f09bcaa8dcff980573ce3d9b2b7a8ddcc44350465a9caaa786945f51fb

SHA512
70274756d3a5cb793af04f809730671ae1c5deb4ebe7ee745ae483a29fd5d4202a2f43d6365ef6a2607805b8a7286a7f38d0676046370519fab3dd1bedf3f81f

Download Submit
C:\Windows\SysWOW64\Oloidfcj.exe

Filesize
93KB

MD5
a9aa1e0d2af592727b7dd1cfa313c44b

SHA1
7331b64e624b3d7887cd5c30ecaf4692c6f54726

SHA256
03c5ee5926ab079ba729960e95aa6eebd4c5401435f88c727d005d0e4f2acc05

SHA512
80ca40dff5b4a3a6eb9a43e2104d9ccd0691593815958b0220ac9472ba3b7871adc669eb5d521945998fd4473b51ce764e7b89f82e3ead137c1cdc09229db6c7

Download Submit
C:\Windows\SysWOW64\Onqbdihj.exe

Filesize
93KB

MD5
5bb5c34bb97c66c6b6b384007263ad32

SHA1
0f9addb0c6c83271a9c8ad1f46739c8632dae553

SHA256
63e7f1cdf54b8d7c620e2494dd3d092adc579b597badc455bf8cd024742c0e5d

SHA512
909d9f527db3a6b253ccc9c42424f9ae2fe2109de8846d9427edb715a5fd49a272208aa51d53a5eb2db0d2c890f447f163c16f779f284205e85f44944bddbcb8

Download Submit
C:\Windows\SysWOW64\Oqakfdek.exe

Filesize
93KB

MD5
6c995c33e9b1bb662c4ad799c214113e

SHA1
257ef07b80bbd58077987664d34c6a7f886797af

SHA256
b96db4fdbddc7a681e9fa03b6ea6a7d2479481c81ba4fce5860c78b34910d536

SHA512
c90d2e89a0c55ded91e074aac4035ce364b2ebe72f3dcb3d37746821d103c4515e4274b893ce40e8fd98ae4659e22afc6c9bb04e5a0c761f9957c4178004aef9

Download Submit
C:\Windows\SysWOW64\Pgdfim32.exe

Filesize
93KB

MD5
8570561624ad61701fe9263aae9a2fed

SHA1
c5777300ccff664615294a599658ef003fe4c83f

SHA256
0b09195aa7225dcac0a0328776118f672bb7b0b72827877812f8569057d911e6

SHA512
621f233d79db1877555e77a83bf88fdaa2553e06343ad5b317a560f41d89eda725786ac4c3f047ea4a9b870d70e23a544197ec4167f3970666e76f9038fd7aac

Download Submit
C:\Windows\SysWOW64\Pgnphnke.exe

Filesize
93KB

MD5
eb0ee4733787d4ac77059cedf469dd86

SHA1
688f122092396a6ae8090aeef1f78b61b9ec665f

SHA256
57cd5d3062911d4f5257e7ff534c74a2edb6a154342391e12c3327bd07cb944f

SHA512
9ecaa9154bfad3c438e8913ff6943645a81f58e7d507aab81cef8ec3a803a108aaca893fa44c1051bc8318778c99efc1cb0ebba76583ca4eb9711b5ce6d55145

Download Submit
C:\Windows\SysWOW64\Pnakkf32.exe

Filesize
93KB

MD5
3246e1071adfde9719fe5283da66e101

SHA1
48c818ed0e6b74eec46a4b6b3e191b13dd1b9534

SHA256
04c5e614a7936b1f302b6d4232cafbf70fc8f5d3200cbed324b2324102ef195d

SHA512
97f3071f4b5e29c7ee4f93f18b82fa9f57bc255a0708844ee8f43fc815d3b4d873c68b1029ab7135137999476806e0f85fc8a613aeb70969ceb07d2cd2c86d3d

Download Submit
C:\Windows\SysWOW64\Pqfdac32.exe

Filesize
93KB

MD5
dbcccd0fa83687d20d149db19aa4ca67

SHA1
d40536398b5371d815a17f1a4f067d9bd38f43b0

SHA256
05cf1b97a7f6d785c35e02bd735be3c81a3a294ce7864c2d32c07cbb29a67b17

SHA512
e4050c6b9f8594654433fb2f6a9a4fa91e975c6f8ab54a29ea9fd05d714d1daed73b2dd09266b245c69202063103bb17c3204426a09d82468c919b96220b9f50

Download Submit
C:\Windows\SysWOW64\Qjhlpgpk.exe

Filesize
93KB

MD5
34b635c214ba2eb0453e67fc99904a83

SHA1
54db7f5266455acf0b90315a7dba5b311cb3a778

SHA256
93f4e2a6f73ad7f4e9e8dd1964f0beb6e7a213f01d523f08010a0617208b64db

SHA512
1a7d9cf5429eb5e2edea701b9fb9b67622688e62e85e57d789e3134068b86deeac958514d73c002dab8f2fbf306f708f5f76e103ed7a9602bca174e67ab845cb

Download Submit
memory/60-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/416-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-938-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-957-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-1013-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-982-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-1021-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-1017-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-937-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-934-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5764-912-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5852-909-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads