berbew | 408bd66b79458acedb3458df4bc953f3913aa3d30841c26c8860b350e741e6b4

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

408bd66b79458acedb3458df4bc953f3913aa3d30841c26c8860b350e741e6b4.exe
Size

128KB
MD5

a607b818f0eee5c855aaf9b7a621a925
SHA1

07438f9df2f86fe9be8484413de228de5aa87f5c
SHA256

408bd66b79458acedb3458df4bc953f3913aa3d30841c26c8860b350e741e6b4
SHA512

443012bdd5c56407456d211b62ad3a11b89528b1d86606661e4eaeb6c27c46379fbd92a17b54107d3503dead5d04c969b836d1d801a7234067d6973abe1a0f0a
SSDEEP

3072:DU7gcMBJ/4AIMQoQpQoQoQTQTQTQH9aIp2PKG7UDd0pCrQIFdFtLQ:w7pMn/LIMQoQpQoQoQTQTQTQElyG7UxK

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4172	Ncianepl.exe
2632	Nfgmjqop.exe
1016	Nlaegk32.exe
4820	Npmagine.exe
4308	Nfjjppmm.exe
1060	Olcbmj32.exe
2008	Ojgbfocc.exe
4700	Opakbi32.exe
2980	Ogkcpbam.exe
3432	Oneklm32.exe
2576	Opdghh32.exe
1280	Ocbddc32.exe
2624	Ognpebpj.exe
1368	Onhhamgg.exe
1480	Ogpmjb32.exe
4992	Olmeci32.exe
4996	Oddmdf32.exe
1696	Ocgmpccl.exe
3632	Pmoahijl.exe
2180	Pdfjifjo.exe
5084	Pgefeajb.exe
944	Pnonbk32.exe
1384	Pqmjog32.exe
2772	Pclgkb32.exe
1912	Pggbkagp.exe
1400	Pjeoglgc.exe
3692	Pmdkch32.exe
744	Pdkcde32.exe
4424	Pgioqq32.exe
4012	Pncgmkmj.exe
4684	Pqbdjfln.exe
4864	Pgllfp32.exe
1964	Pjjhbl32.exe
2188	Pnfdcjkg.exe
4516	Pqdqof32.exe
2448	Pcbmka32.exe
3968	Pgnilpah.exe
452	Pjmehkqk.exe
4236	Qmkadgpo.exe
4988	Qqfmde32.exe
4040	Qdbiedpa.exe
1508	Qfcfml32.exe
1804	Qjoankoi.exe
2524	Qmmnjfnl.exe
788	Qqijje32.exe
3604	Qcgffqei.exe
3668	Qgcbgo32.exe
4496	Qffbbldm.exe
3948	Anmjcieo.exe
1264	Ampkof32.exe
4572	Adgbpc32.exe
2096	Acjclpcf.exe
2456	Afhohlbj.exe
2256	Anogiicl.exe
3704	Ambgef32.exe
3736	Aeiofcji.exe
2084	Afjlnk32.exe
1484	Ajfhnjhq.exe
1556	Anadoi32.exe
4860	Acnlgp32.exe
5028	Agjhgngj.exe
2644	Ajhddjfn.exe
3136	Andqdh32.exe
3580	Aabmqd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Poahbe32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pcbmka32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7104	6972	WerFault.exe	258

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 4172	1408	408bd66b79458acedb3458df4bc953f3913aa3d30841c26c8860b350e741e6b4.exe	84
PID 1408 wrote to memory of 4172	1408	408bd66b79458acedb3458df4bc953f3913aa3d30841c26c8860b350e741e6b4.exe	84
PID 1408 wrote to memory of 4172	1408	408bd66b79458acedb3458df4bc953f3913aa3d30841c26c8860b350e741e6b4.exe	84
PID 4172 wrote to memory of 2632	4172	Ncianepl.exe	85
PID 4172 wrote to memory of 2632	4172	Ncianepl.exe	85
PID 4172 wrote to memory of 2632	4172	Ncianepl.exe	85
PID 2632 wrote to memory of 1016	2632	Nfgmjqop.exe	86
PID 2632 wrote to memory of 1016	2632	Nfgmjqop.exe	86
PID 2632 wrote to memory of 1016	2632	Nfgmjqop.exe	86
PID 1016 wrote to memory of 4820	1016	Nlaegk32.exe	88
PID 1016 wrote to memory of 4820	1016	Nlaegk32.exe	88
PID 1016 wrote to memory of 4820	1016	Nlaegk32.exe	88
PID 4820 wrote to memory of 4308	4820	Npmagine.exe	89
PID 4820 wrote to memory of 4308	4820	Npmagine.exe	89
PID 4820 wrote to memory of 4308	4820	Npmagine.exe	89
PID 4308 wrote to memory of 1060	4308	Nfjjppmm.exe	90
PID 4308 wrote to memory of 1060	4308	Nfjjppmm.exe	90
PID 4308 wrote to memory of 1060	4308	Nfjjppmm.exe	90
PID 1060 wrote to memory of 2008	1060	Olcbmj32.exe	91
PID 1060 wrote to memory of 2008	1060	Olcbmj32.exe	91
PID 1060 wrote to memory of 2008	1060	Olcbmj32.exe	91
PID 2008 wrote to memory of 4700	2008	Ojgbfocc.exe	92
PID 2008 wrote to memory of 4700	2008	Ojgbfocc.exe	92
PID 2008 wrote to memory of 4700	2008	Ojgbfocc.exe	92
PID 4700 wrote to memory of 2980	4700	Opakbi32.exe	93
PID 4700 wrote to memory of 2980	4700	Opakbi32.exe	93
PID 4700 wrote to memory of 2980	4700	Opakbi32.exe	93
PID 2980 wrote to memory of 3432	2980	Ogkcpbam.exe	95
PID 2980 wrote to memory of 3432	2980	Ogkcpbam.exe	95
PID 2980 wrote to memory of 3432	2980	Ogkcpbam.exe	95
PID 3432 wrote to memory of 2576	3432	Oneklm32.exe	97
PID 3432 wrote to memory of 2576	3432	Oneklm32.exe	97
PID 3432 wrote to memory of 2576	3432	Oneklm32.exe	97
PID 2576 wrote to memory of 1280	2576	Opdghh32.exe	98
PID 2576 wrote to memory of 1280	2576	Opdghh32.exe	98
PID 2576 wrote to memory of 1280	2576	Opdghh32.exe	98
PID 1280 wrote to memory of 2624	1280	Ocbddc32.exe	99
PID 1280 wrote to memory of 2624	1280	Ocbddc32.exe	99
PID 1280 wrote to memory of 2624	1280	Ocbddc32.exe	99
PID 2624 wrote to memory of 1368	2624	Ognpebpj.exe	100
PID 2624 wrote to memory of 1368	2624	Ognpebpj.exe	100
PID 2624 wrote to memory of 1368	2624	Ognpebpj.exe	100
PID 1368 wrote to memory of 1480	1368	Onhhamgg.exe	101
PID 1368 wrote to memory of 1480	1368	Onhhamgg.exe	101
PID 1368 wrote to memory of 1480	1368	Onhhamgg.exe	101
PID 1480 wrote to memory of 4992	1480	Ogpmjb32.exe	102
PID 1480 wrote to memory of 4992	1480	Ogpmjb32.exe	102
PID 1480 wrote to memory of 4992	1480	Ogpmjb32.exe	102
PID 4992 wrote to memory of 4996	4992	Olmeci32.exe	104
PID 4992 wrote to memory of 4996	4992	Olmeci32.exe	104
PID 4992 wrote to memory of 4996	4992	Olmeci32.exe	104
PID 4996 wrote to memory of 1696	4996	Oddmdf32.exe	105
PID 4996 wrote to memory of 1696	4996	Oddmdf32.exe	105
PID 4996 wrote to memory of 1696	4996	Oddmdf32.exe	105
PID 1696 wrote to memory of 3632	1696	Ocgmpccl.exe	106
PID 1696 wrote to memory of 3632	1696	Ocgmpccl.exe	106
PID 1696 wrote to memory of 3632	1696	Ocgmpccl.exe	106
PID 3632 wrote to memory of 2180	3632	Pmoahijl.exe	107
PID 3632 wrote to memory of 2180	3632	Pmoahijl.exe	107
PID 3632 wrote to memory of 2180	3632	Pmoahijl.exe	107
PID 2180 wrote to memory of 5084	2180	Pdfjifjo.exe	108
PID 2180 wrote to memory of 5084	2180	Pdfjifjo.exe	108
PID 2180 wrote to memory of 5084	2180	Pdfjifjo.exe	108
PID 5084 wrote to memory of 944	5084	Pgefeajb.exe	109

C:\Users\Admin\AppData\Local\Temp\408bd66b79458acedb3458df4bc953f3913aa3d30841c26c8860b350e741e6b4.exe
"C:\Users\Admin\AppData\Local\Temp\408bd66b79458acedb3458df4bc953f3913aa3d30841c26c8860b350e741e6b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\Ncianepl.exe
  C:\Windows\system32\Ncianepl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\SysWOW64\Nfgmjqop.exe
    C:\Windows\system32\Nfgmjqop.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\Nlaegk32.exe
      C:\Windows\system32\Nlaegk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        23⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        27⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        31⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        32⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        38⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        42⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        50⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        53⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        55⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        66⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        67⤵
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        77⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        78⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        83⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        85⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        87⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        90⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        91⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        97⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        99⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        100⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        102⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        104⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        105⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        108⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        109⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        113⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        115⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        121⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        122⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        125⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        131⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        134⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        135⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        137⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        138⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6360
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6492
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        145⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        146⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        151⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6844
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6888
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        154⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        157⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        160⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        161⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6356
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        166⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        167⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        169⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        170⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        172⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 404
        173⤵
        Program crash
        
        PID:7104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6972 -ip 6972
1⤵
PID:7072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
128KB

MD5
561832121471b6b688bf94cebf5a1975

SHA1
4a7c373cdbd7f5d3c3e4519d68c2decb9bdd234b

SHA256
8ffb12a102b14cfc8f5c19ba34c8c0de8ff47352bf89da035c20c07a9f624974

SHA512
bd751ecc3a81e87408c3f512ce11ba53f4d047dc8c14a2e0395fcdc79985339d5a87ccc09f09bbe68be2c9b11d89b8836559f7d44aeb4b92724f74d8839035f7

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
128KB

MD5
248b0a17cb5af6f0df41fea3c0a8e1c6

SHA1
205be73582b651931b07803bf0af18dfc22f435b

SHA256
ffce3b686b92b2962e44ba3ebd5691822dc5c5242101f343382b12f30efdb166

SHA512
5a0b9fe01cf1a616c63ae2925da9418efa34407c53a79deab2ed3e4db2c00d7e7d5ca1c98bcc39f8a3c4a7beb9b26db0ee4b83d319f58c3bbb4a3b4a5cb80b3f

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
128KB

MD5
c96d3c68c218c3185512f6480091597e

SHA1
250fcb924772df5449a1bca7aaebfb94f145f09b

SHA256
d497fd2a8ae7d821c401349752bcb6bf2f63506ab7bfddc13a456a62fd46fa10

SHA512
f49a0fd0cec8159cf4b5d8a0b74f61565e77d110a904eb3e048e3720c75fdfeb4d56943f7b364fb38ea4196c2cc26241ebe790dee6b5877b35fcd28dd78a1c20

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
128KB

MD5
72f80e09083c5602e2033c42d6503546

SHA1
1417624ab75c7f4ab229bfbcd17f73a82254d5d2

SHA256
4da6c89cb8e62f5af4219678833ce138f717d14d82ad51fd26595af5c64e2d9f

SHA512
5b62ff25a81f6ff5f06b83df4bcbdf6f1ff2798b6848b7a5f2cd0bc43bfa9ab09b0d2a85c1ba9f8fd5cf0d8720203f661ec5973077bbbc0ef3da388cd21d0b3b

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
128KB

MD5
fd0743118017d5f5a48db584e9ee73e1

SHA1
f9ada9dd6f5a66359cb912244bbe72ce8b9de44b

SHA256
aec5cc12739168a429db3054b9eff3836ba76b7ac9d9e5825d325b535a360fe6

SHA512
1d70a723a11cf0de10eb490c3b86ebd2e1a74090c3607e15ea7c083e2e066b25666037eb5e7259258e953dfe61965f8fc8adda20dcb93fbbb52e73d7dba86770

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
128KB

MD5
4fd887f2babc0230e6dd0b178958c3df

SHA1
9e9fa1c6371ef976e7f3e333f8656f6bc3067574

SHA256
b7db83104d75aa079a9a4e5e279aecaefb9dc61ce7dcb0cf747d37cd91a0a916

SHA512
73085b9b0700039df93f507a326ec9d6bd7ff509a7a324c69cdde62be57bc0ba8e8e90d662907dda41be49e2de0b11f890d1f47af34bbae50d0ebe2c94b9b51c

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
128KB

MD5
390066bff7cef2f2c743291497892f0d

SHA1
f2ab451f476aee0ab8edfcc74a81d78ab150220a

SHA256
59690779821ad58c9d48f4a150bdf1f0194e4af60ac819e1ea4fab7197a47861

SHA512
a330989ae01828b6a3534a41c156ac6c280b2b3c12bb665262534172d622b20bb7f938fe50d42e639299e5147a945dc8252691ff5a83818e411c67ab68311f53

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
128KB

MD5
9c8f92af3bd181dfeeb3c1e8d4ea2762

SHA1
b44bd5bd91efc4a8144e827c5b4acf5be9e89069

SHA256
d6ad6177e36e2cdb1fd353767ef6ab5aba61a44871962a55b15756154ae16f9a

SHA512
3fe68a20884a2002a0c6ee360c7b8493fd0fb3d8cfddcef8d6d4b012480c8d07a7902dbeca51577465a65eaf2582f9897f685865a89afb359739ca9fa0aa5df7

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
128KB

MD5
a2d5ee315953ed9ddfee0c0fe3d18610

SHA1
dafd5184d4394bd7be6da07f2acc5736c7b531c9

SHA256
392ce06cbbd5e7e670541b6e3e0ef863b3afb259f8c95e711da5d25f691d9d2f

SHA512
9b2a51f1e8ff1e1808f705d4133406985d3451417d97b84f4c107c324ffd6bd6dae470ef3a4e9f547cfd9efe0bd501804d649addbfb0d075c72ac0e725224a9a

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
128KB

MD5
cadb5abfc613623b71b81ddc1d648ec4

SHA1
ab80bd2fce87075ea215f849aefd7bc11b1a35ae

SHA256
4b63dc963617440464d7fd5753b62de2fc6c4ba70fddf3960ba361ec1990200f

SHA512
5ea1881da223baf6db6fd78e18b85dcc24180eb3a604d243110a91f3ff6fce9f7308b169336d528bb295f2609f9aca66956b7b57eb0180978089e5a364e03dfa

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
128KB

MD5
caa306389b969a580890bffbbb3a5970

SHA1
c888c2999f23548669f43ee37c533f9571aa026f

SHA256
7f1cfbd6fa2a7c2bd196c7d45d5dce7af318e0dc78d21f5242e1925a2e6b1e72

SHA512
5baec246d3791d0d8dc0fd17283222c7127d3d46f8b9fa422502157af431f354f77306d462541db16023c5b4ac7dd89885043a85c564f022d35f7425a8d40dcb

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
128KB

MD5
4277b2aad1126cf3fe30825e426e1ccc

SHA1
0965f6db35949ab3cb83a656d5a0e706a8993d31

SHA256
e4f858b5d4de79fbc4c0eb767fb41d688d2be443b0e06400be27f9754e86f18b

SHA512
7113f600ce42013765b8afc8dfa3635a91a37754710e199132f5acf88800d33ee764fe27f3ead6c6c0f5650c0c5a70dda8845c148a4b5ae77e50b53ddf4666cc

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
128KB

MD5
ca828ea60bbc5c6b98fed638df83e996

SHA1
c31f8ab105e3c2497ecd7850ea7e9fcebfe83d13

SHA256
b510964ee9f33e5012b990b73e413df4df58825beb7b42307c8b020f2859afc4

SHA512
14d5510241f0c063546669f92616c62897b519708068394a35f39bbdadd55fa3457ff4aa82e28d40af86059f62ab27b69c4f6e22e9ed8ce5b6130aaadb941d90

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
128KB

MD5
123a20e46afd6d32f6338904209273fa

SHA1
3dd0dd6835a0193ee69a44f3778ee76554b045ab

SHA256
9551c05bb6e47fc46195bd42b6bcb9cf84efdd9b35da6f19551c10e04832e069

SHA512
ab0abbd6b93f9215b87adf70a171cce73efa20b15609d84abfb419abab3d7abda4126a39e347d411b5b612d27ac879d6a2273886fc59c1d64c4d1281c8cb3e15

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
128KB

MD5
152f7883d990215e876ac0acd1ffe804

SHA1
21b202a16e20d81a33d795e8d6900c58f8a841f7

SHA256
af231ab1d6ee187625c3346ce6cae95e1a93d3324505e70a74ea46b246a9868b

SHA512
a26fc5eba2d1f23646dd7b4ae9827520a7a1908a14314f296b8bb875bd06b63fd9f0991e8de95aafd617f351a061695462a742b93d0b7ebe487008e6cd6b4d32

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
128KB

MD5
4579cbff26ee8073ec8961f4ec7b58bc

SHA1
410a5564524ece1688185d85dec3645e7d197c83

SHA256
03dd4b8aa868b9eb3efbe2a740f62d851abe8efc0e6915ca8abf4a8593ba3164

SHA512
ef765741df77bc0d0f7d7b4398978c551f6dd0d4a9d8632abdd4a842236eae18a9c988448c9f14f40e77fffe398818765272bde9d364efce7c667a397cf99a53

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
128KB

MD5
40f4352f271536ee42fa178dbddb6641

SHA1
bb8712bb15ba5e25c1c5cb15b74f67f204e53eea

SHA256
8bebf6bbb2aecc80106af5dbaeadd5cc63713440fea89b5df809bc2521b8d9a4

SHA512
819117ef4069eb4b983a42d5daa871c4dbd2b41a7d569c395f081d211f5034bb27e96883908c138a747f87753115d02454ac5cd1559289776ed1060e4303bcb4

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
128KB

MD5
4584c466db4ac6589fa7c012cbc39946

SHA1
e878cc89af3dc08b91b6fb27ce3f79c983dfe97a

SHA256
36824876c063630402be46a9aefac9530290da89731832748393914adc5a2ecf

SHA512
6a822dd2af20cea372c45d8135a7994c6e2c17ae61065755cba1067c9ae0841b233acfc83423965ae3300cf98dbe12a980a882b2cf79de6397bda836b5affc0e

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
128KB

MD5
956a0ba67ff5990197be6ab182125c69

SHA1
b43849cbe331fadb349a6875860c4a3f540b9c1d

SHA256
f33c1b1fdf2b51c7d1f3e20cf1570b5d68f1e1a468229863db8559312bbafb1b

SHA512
e8b975a888fefb02ca5d6e70a20c6a16b2ba02610b3524c253227ec150f63b766e8b8dec872ab63b06cb16f6ae78e04964a8c40cec2d6ff6d95f4b24a7eb1ba4

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
128KB

MD5
a578e7281348485149a82de3625ce8e6

SHA1
5fe15f420648b819c5357926cce7c7784d6b2f17

SHA256
0a637090be50ac602a1df05a1060288b9437e21c6571fab7be9806ac2e604082

SHA512
bfbd2234b41c8bcb408abae49b3ad627dadd1a6e767e08527b6ddbd602d7d7a671a00d663dbe5a55e3cb4ee74b4968dd5cdf1645860e908dbc59e6c177175043

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
128KB

MD5
3a84b7288c501e82e0f06c2f0d848b07

SHA1
7c25bcbd25c9413106e7ac31ce366c57c9765856

SHA256
138633ba81a6801b553e146d4cf32559b70df983364e6087ef94a9cca20b474a

SHA512
901200b35497a2a554885fbb036a62284da3c0b6f331c572fc9ce85214692cc91ad7ed0d8d58513190f7928d3c9e67dfb1857b573218ab985f824daa742c83e5

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
128KB

MD5
aac98a86a789dac8a45c57724e2e4081

SHA1
a3e1f7f5cebe78326a1b9f7abade594d4cbbabcb

SHA256
9bee9cb7e386a8397baebc0d3a7ab13d154b82ecc406543a024fadd912e10c44

SHA512
65018b0c65077b510b72df88810e59c5b46bf23a84fe3909afdc7ef88a353b7c4d65d300641edd4535718531b1c380a6881d80e2cd55be4dbef2dd1bc894f163

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
128KB

MD5
5591ac44cae5d97214a3648a7711ce3f

SHA1
90253c01e240db98b9f6dc00fff0b5dea5bceea7

SHA256
b149d263228e7124850d5bde3fc0b7a52c16019d80fe689b5327b589b54603ef

SHA512
c1cd40bd327e042da96df4092dfaafc2cbfa360d55f884704c55adceb7e565e7e9be1294a0365c21866fd70ac67a4c5da482f89d15a5f9b05b98655c936cb212

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
128KB

MD5
1b573bf6066eb342f8247857a32bbefd

SHA1
1ca3cd3d07cbddb917138f2f49195bf3017755bc

SHA256
ecf7290aa757b54a14bc24c42e12d234730ae72fc026c45502265ccc2593e889

SHA512
d948c6d983098ce9a438e22c85d29702a3f1f2f21f3ab1efe436b0f40b0e184c928e23a7b5570edef316286bff295ef384fca0802f22262242aed6f533c8609f

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
128KB

MD5
8bde67894641771e9b3d6198175db838

SHA1
fa0d1dddd64b6e4dfd44306c576b20f556eca120

SHA256
c035cc1a017ed86b0a14d49ccbc6042ebcdcd6270c4ff1a2a6be5388700c4911

SHA512
15966b0dfb5e2f003e0b8665c0eeb8d04726433360de04bbf922c9984fb7217ce6dc5d8a3cd160d3b244ee53d441c635fae2880a10ed56c869b1080648aa4b16

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
128KB

MD5
da251ee6a0e1fc547714aedbb4768fb7

SHA1
e7ff770d2b828eb1eedd0719e45bf9b5e72b851f

SHA256
3f70591f51f8894764c782345c921fee46c203fbc5b0cecccb03acc8c5779a4b

SHA512
2a8836cd216069db3cc91e02ced6c36059375c140011882955302104f0d6a5d6e1991541832998cad36951fda061044e05a579e39fcfd6807cc2fb99f59fb0d3

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
128KB

MD5
4a9b75d500f5187d576185cf86f3c425

SHA1
7e1b9d69a2bec0149876551e752974bc3b33ff7d

SHA256
406d9c303aa696c1b0de46b60b447e2274d684511e5e6482f5109670df7a92fa

SHA512
9032d340a32639ad7a702f47253d2c6f59e4f6d285abe854b86b6bf3b3d24f096f28a66e831023e5a50d56f91604c58bbb193e216c66b6f2e1dfa8f6264ac121

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
128KB

MD5
4dfd7ce71b5fe97d6749fd95910ef9e8

SHA1
58e03efa0a28eeafadd1025264537386a5ae0b33

SHA256
d31e09406052eedae289ba9c259fbbacd17cef278ff7e415707e792fbd325929

SHA512
dd819d82e6989417fba392bd75ab854ceeba4fc3b4f35cd4d205ccb5b4008c99ae76fd5f392cc455d9db3454a15a37b1fddcc4f93efd9c25a8415b98f5572543

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
128KB

MD5
a1b10a3e5e209a29b5a6373b6f07807a

SHA1
3c3091f6d3809b701d7bb359a984ae65d28d0fc4

SHA256
796e65cd3712bae5d67308dc7dc111838349b8ac33c513584e9d3e42ab474751

SHA512
7754792110f711e6587a161c584cf15fd9431c98ccca141d5fb012d955a77e3c61de0320f0fe62e9641579efa77c67fb3c15ba03dd568a5069235b937bbe5f6b

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
128KB

MD5
1cebf3adeca2147f49b8eefc19f0b5a2

SHA1
50a723f2e46486245e460ff26a7676854b502b80

SHA256
2fa1a8c6540c42323b3f884b5d80c09b4703b25085f6b4731ac8b28d730985d3

SHA512
df0b81bc81a49787ece5ac4c4e398521e8684a286f5308c35f35ede52ae45d4d353c8d8a62cae28771359a962ec1e0f4309a1eae69a2bd899f98f6a2608c370f

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
128KB

MD5
2d0aee02099b09617b2c6f513301b8c4

SHA1
3568ab5f487de99108723f132b4a6b0f39e852e6

SHA256
59911a69b601a9d6f63cb9f074cebdd39dcf9f5c41c03aa90e123f016dcdad64

SHA512
fa05d19e1c5035244b77c9decd9d43d022517f063284246b7dbebf56f3b37b402ae3ada182584707f710699568bab24c09caa1128e2fc0ccfd1c5d614e7b9e44

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
128KB

MD5
2ad44597a10aecdc6c5132392cfcbae4

SHA1
75e57a002db6e1912511469acdcec56fcb29aa69

SHA256
4ce3b8da1a84fbf5b613f8f1be63503bb6e575b29848bf1c39af7fdebc0e86d1

SHA512
fe70c9b55b6e8bb6950510ce9226a4fcf0b9cdde1425e045de65b15de771b47c4f8b83700407bffa0ab2824fd96e30ab7fdb8e3804928a1b18289f747036ef33

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
128KB

MD5
c3526bd57a715458eedc894f9f3f402f

SHA1
74b80dfa3b2e8bf7b23f780ea8e7c382e6993da5

SHA256
161dfabdbbf4aadee0680ef8037ff7b6fb13fe9d0970e86e5081fb9ae5ebcc33

SHA512
1b5caeda334651a0bad6331d5da10957445ec1b392a6a85dc6d257666d4397040459d59034f17ab8bed87304bb367decd286e6e6ded2ba73333cfc7888f8f0e2

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
128KB

MD5
79c7c8df19ed5042e15622a0b60dbde0

SHA1
b36bed25bf86645d51eae284d6009c3823c08c53

SHA256
eb58a8dcc99a8d1b93071744f69085bc916b36b3b7ab4dc7c41500d5c98636a2

SHA512
915cb1dd9e0916ab7731b5c5cc3fe449bc97a9caaef6f782d5522b0d8fb21303975a61dd3ede0e8887c51e320c11576294fc249edb7ae1a40d15e3d6d7846917

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
128KB

MD5
cf5bd4acd8921bff7c49a45d9e0c6888

SHA1
a5ac61f81bbb9e79188da4e639b92b774cc2ab3b

SHA256
8e460944fb304c70e0f7630acd717205af33502c5e52007a295d7ac4bafddfef

SHA512
ea98931b7dde8603ed08cde2f4728457d95510bb2aa241fdae4d4325ebdc53bad7442b26cc1a35405db4157483e0da1a1c5a8015115b324a5b0f8c91545491ac

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
128KB

MD5
c1bca5e184c24e795335e78d924ed16e

SHA1
b6ef884634348afc6143f56545c7a732684ec8ef

SHA256
db2cb02dbac1855a98790efa3bf93dafc69cb5b273c8ee2a2db7adb220a0b406

SHA512
b0f93daace2f64ba4cf3a34ae9c88add0ed13bab8ae9db4750e0c118b41ed1d5b211a89b7153b7bbbca84701b99bad8f3760aede3e02f4dd6ed3e9ec95bfeb3b

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
128KB

MD5
028d0001f63a33eced77826e9ad62c59

SHA1
5d65885d823de14cce02d5c6e72596f7c3584915

SHA256
655479a4b30fb949d43fdf768a13e8933bb36f444c05f85b24ca5fe6e11c6b9d

SHA512
42e73c4be5001969b9e707a2792e6639a8292abd3fabc586f5916db73ff96fd73fc6c173e8a17ad8c5911c33a957f59bb72ef4d4f5af381447d8082b34b6d6f2

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
128KB

MD5
b9754fdbcc06a74cdb87793b8f1c900d

SHA1
2871adf87fd7b247193b9550172c88b2cbe9997f

SHA256
e0d199897fdc006bb539ade684858fdb03b7d4af1bf4bbf4a5175fcab89df86b

SHA512
cf488e471fe8b199d5678f33339287da76be033bb253cc6eccff810c6748bdc6ffd47fc993d76c86afddf18334118d7b6bd248065b0d5fc6b3a63081bfd5845e

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
128KB

MD5
65ba5be141496e08a84b161321cbc2d0

SHA1
a7ed292af97930abf0a1a3c088405bf8db52ea48

SHA256
e54e27666cb37a6212ff9b63f9c01a5d640005e130a1a9d742b54fd10d7dca98

SHA512
eb9995cf4f7739696021ea262b3e4013c8dd13e10fcef2a9da5b6784a95a4dc7073094e6dd9055e0d67dd0a0692f9e2bce7ffe3bd94282240f59d116ce3173b8

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
128KB

MD5
d66b0d429435c83fa70bac9d4c27144f

SHA1
a5a1af42fe4735b71c2fe59fb571fd582ad1ae42

SHA256
cbfb6c5134ba318a61ff685855c9601c4b8ba32c46fd5d0bc5a47787b40f582e

SHA512
86038480786dcfb702a98a024a45dfc23d8ea1d03f7b89df826de28155293e19512eec974a5dd8c2677447c47d542dc803555fabbcccd3bb0a0f45fc6a0fd01f

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
128KB

MD5
e1922161b02a2e3c1534e587771b81e4

SHA1
aa59310a6c1d04a4f42c904a832f3ab9213bf162

SHA256
3d3c70ba08588c6ff12eb0e500348dfb1855860b8bab66800376726030372197

SHA512
e32b9fe6934827022c70686a3c94bbca1a4d9f8e427f0e096c7d5de8fcd2df029d0199abb73e82c9aedb06cd898ab302b58b7b8070062a0b094acf25ee6b609f

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
128KB

MD5
a22e6a67a215e311ce03da5a9bf44575

SHA1
01089a95d42ff8bf69bd168d251b9beb4cdf1460

SHA256
1ac5102007b6721c365817c2f9d7397097e90d8b67befbc873e0f5b35e8916b9

SHA512
589003ad94e56ba31da8add6eacc1896ff55d1c1189e9209a4c80f6acb57d3bad9fd298a8860eaf0421bee924ba6788c2161714402babcc6ad77373afca9d559

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
128KB

MD5
6ebec28990f9b81845f64f39ecd215e9

SHA1
06a7a246517efdac756773c628e81f19ce4d986d

SHA256
83cae2ed71b8f51246709789956d56fb6d37da0676a8562cd675b95b7d27b17f

SHA512
4abb3ac3bebe9fd0ba8c893b1dad3e220e118d82e5617e4afb9ec5569d454b4166860ae8cc181eab9aeb2e952f6a20021ef39083de5a8cc536fa9ff38fe8df65

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
128KB

MD5
b8ff8ae735661f4f6af55e9ee8d07518

SHA1
4030d638629d2649830a6b00c3a878728e040332

SHA256
c5beaf20ddba1b21b8e32f86a70164cdf15608190ab982121a8af5803859adb7

SHA512
dce5b2af506a37b7b5c3ee8261dd83622770d795a127c9b3c048318c68ec58ec50488eec78e7b3b3328fec3dc2735405206212225f3d68547c0c4ab87042faec

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
128KB

MD5
4dd5c585121e67ae3ce5ca5ed036427b

SHA1
33fe1307e2bc9b236d31950dde8b30583954f0d7

SHA256
508a350eb481e7d93083b98d96f945a224b65cc0db7de936ce052a015385793c

SHA512
c6bbf245e6af2bd303fdc2c8b45fe396054f0d50b89c6aede136cd0ca066ab9731c694649bd90f5e6126b8b6bda9eddba4b4848774e5431070a60b0d0bb3ac43

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
128KB

MD5
d14dcb24f119220e8caa70ba3b9826a6

SHA1
0175bfa439ceff3637308abee2a251bd9e560051

SHA256
d495e08d6818b3fd1ce243c006c3b699f60d9786a6cb8cb9610a908d8ab618ee

SHA512
9361ac4f3df9425a8888567e71bd55bcf914ee7cefc089cf5f738ca2e54ab875452b25d5a3894b352a7d34b2c6c6db4355d38a6fcdcdda37ebf5fa0d025e4843

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
128KB

MD5
5eca76cf0e7623ce5d3273d3568a433e

SHA1
26a8073aa10e409d8dd9e3d4a54e2bccf1aaeacb

SHA256
6ba2cb55a618900131d41d78f1be8253f2096fd90005bbc753c349736b2bbc09

SHA512
e917dc3e04dfdd64e15883b62aa605f649418efcab8dc236d312046df37b902c15e0a897d25e07e9124fe9578654c3e674925038862d9e047c6c8c900fc48aa3

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
128KB

MD5
3467e9c20a3d67a680bbe9e9a127f0db

SHA1
88ca32d1cf9e33474db09bfb55f2275c187112a7

SHA256
408445d7cafad1b1e78967533c0a5d451ef0453d4129f519657cc1ee6ec57d4c

SHA512
149139b82e22f3ffe0e9ec10ae00556043ff108db5c9815020224017fa7d1e12e9065d501343d9acb9b7f2898a0e336af158405c6af40e0ebc934b004edcb976

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
128KB

MD5
b7b8e455788718a5b545e540424fdfe9

SHA1
4e2153b4dbeb4c042f939d0e220bfd5b0e0e5c9c

SHA256
af8f8d01b3c1d96d1b0c1b0810f32ef558f200de56759af698cdd01fccc8ec74

SHA512
d3d027a6c1aa062e4bbd7e349ea08d9d220c22580bbd3f35cc87098da5b6d4c83cc3ccdc3d44601eb5396fe62fb2dd9704fcabde1c42d5ca8d66dd459af3916e

Download Submit
memory/452-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/744-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/788-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/944-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1016-28-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1060-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1060-585-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1264-364-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1280-100-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1368-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1384-183-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1400-212-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1408-544-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1408-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1480-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1484-412-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1508-316-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1556-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1696-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-322-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1912-199-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1964-262-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2008-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2008-592-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2084-406-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2096-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2180-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2188-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2256-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2448-280-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2456-382-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2524-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2576-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2624-104-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2632-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2632-558-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2644-436-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2772-191-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2844-472-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2932-478-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2980-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3136-442-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3432-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3580-448-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3604-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3632-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3668-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3692-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3704-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3736-400-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3968-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4012-239-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4040-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4172-551-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4172-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4236-302-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4308-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4308-578-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4376-454-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4424-231-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4496-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4516-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4572-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4684-247-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4688-466-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4700-599-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4700-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4820-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4820-571-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4860-424-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4864-255-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4988-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4992-127-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4996-138-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5028-430-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5056-460-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5084-167-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5140-484-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5184-490-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5228-496-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5268-502-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5308-508-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5348-514-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5388-520-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5428-526-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5468-532-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5508-538-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5548-545-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5592-552-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5636-559-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5680-565-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5720-572-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5764-579-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5808-586-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5852-593-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads