berbew | 7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3.exe
Size

128KB
MD5

6f7d15d7812566c140566841cb574ed5
SHA1

e1656aa19d950e7c3ddaaf60ec46a04f47faa28f
SHA256

7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3
SHA512

9d871e69a6dfdc40b41b84bde4bdcd455d62938a4940afb00dd58cd917fd9cdfac726ece57d47ee27e70ab9b3cc038934cf04255805b8a9853a1e905a7d8994f
SSDEEP

3072:KLMVry6qECk8QYxQdLrCimBaH8UH30ZIvM6qMH5X3O/:KoZy6qECFtCApaH8m3QIvMWH5H

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mledmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjjmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigbmpco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acccdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajaelc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biklho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjdikqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoahh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2432	Lljdai32.exe
4652	Lafmjp32.exe
4348	Lindkm32.exe
2340	Lcfidb32.exe
2080	Ljpaqmgb.exe
1280	Lpjjmg32.exe
468	Legben32.exe
3560	Llqjbhdc.exe
2664	Loofnccf.exe
3100	Lancko32.exe
3200	Ljdkll32.exe
1312	Llcghg32.exe
1936	Mapppn32.exe
228	Mjggal32.exe
4396	Mledmg32.exe
3828	Mpapnfhg.exe
3196	Mfnhfm32.exe
2436	Mlhqcgnk.exe
2196	Mofmobmo.exe
1432	Mcaipa32.exe
1592	Mfpell32.exe
3924	Mhoahh32.exe
1452	Mbgeqmjp.exe
3728	Mfbaalbi.exe
2872	Mhanngbl.exe
4428	Mqhfoebo.exe
4716	Mokfja32.exe
1028	Mfenglqf.exe
3980	Mhckcgpj.exe
1608	Momcpa32.exe
756	Nfgklkoc.exe
3436	Nhegig32.exe
2044	Nmaciefp.exe
1728	Noppeaed.exe
3992	Nckkfp32.exe
4696	Nfihbk32.exe
4036	Nhhdnf32.exe
920	Nqoloc32.exe
2672	Ncmhko32.exe
2468	Nfldgk32.exe
4580	Nmfmde32.exe
2328	Nqaiecjd.exe
4712	Ncpeaoih.exe
432	Nfnamjhk.exe
4032	Nimmifgo.exe
1780	Nqcejcha.exe
1380	Nofefp32.exe
668	Nbebbk32.exe
1644	Njljch32.exe
4976	Nmjfodne.exe
4404	Nqfbpb32.exe
1384	Ooibkpmi.exe
628	Obgohklm.exe
2296	Oiagde32.exe
4764	Ommceclc.exe
3500	Ookoaokf.exe
2848	Objkmkjj.exe
2504	Ojqcnhkl.exe
5048	Oiccje32.exe
3024	Oqklkbbi.exe
3712	Ocihgnam.exe
3032	Oblhcj32.exe
4844	Oifppdpd.exe
4896	Oqmhqapg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amfobp32.exe	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Lpphjbnh.dll	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Fnebjidl.dll	Lljdai32.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lcfidb32.exe
File created	C:\Windows\SysWOW64\Cgogbi32.dll	Loofnccf.exe
File created	C:\Windows\SysWOW64\Paenokbf.dll	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Qppaclio.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Qiiflaoo.exe	Qfjjpf32.exe
File created	C:\Windows\SysWOW64\Inpoggcb.dll	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Aalmimfd.exe	Aidehpea.exe
File opened for modification	C:\Windows\SysWOW64\Bfmolc32.exe	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Fanmld32.dll	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Ojqcnhkl.exe	Objkmkjj.exe
File opened for modification	C:\Windows\SysWOW64\Oiccje32.exe	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Khihgadg.dll	Aabkbono.exe
File created	C:\Windows\SysWOW64\Bmidnm32.exe	Bfolacnc.exe
File opened for modification	C:\Windows\SysWOW64\Llqjbhdc.exe	Legben32.exe
File created	C:\Windows\SysWOW64\Likage32.dll	Oqoefand.exe
File opened for modification	C:\Windows\SysWOW64\Lljdai32.exe	7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3.exe
File opened for modification	C:\Windows\SysWOW64\Lafmjp32.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Fcndmiqg.dll	Mapppn32.exe
File created	C:\Windows\SysWOW64\Nffaen32.dll	Ppgomnai.exe
File opened for modification	C:\Windows\SysWOW64\Qclmck32.exe	Qppaclio.exe
File opened for modification	C:\Windows\SysWOW64\Qmdblp32.exe	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Afjpan32.dll	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Damlpgkc.dll	Nhegig32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbpb32.exe	Nmjfodne.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Oqoefand.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Piocecgj.exe
File opened for modification	C:\Windows\SysWOW64\Pblajhje.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Djkpla32.dll	Pjcikejg.exe
File created	C:\Windows\SysWOW64\Leeigm32.dll	Qjhbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Aabkbono.exe	Amfobp32.exe
File created	C:\Windows\SysWOW64\Oipgkfab.dll	Mcaipa32.exe
File opened for modification	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Emkbpmep.dll	Nmjfodne.exe
File created	C:\Windows\SysWOW64\Bpldbefn.dll	Ommceclc.exe
File created	C:\Windows\SysWOW64\Adgmoigj.exe	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Lpjjmg32.exe	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Nfnamjhk.exe
File opened for modification	C:\Windows\SysWOW64\Bfolacnc.exe	Bpedeiff.exe
File opened for modification	C:\Windows\SysWOW64\Mhoahh32.exe	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Pqolaipg.dll	Ooibkpmi.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Nhoped32.dll	Padnaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ppikbm32.exe	Pmkofa32.exe
File opened for modification	C:\Windows\SysWOW64\Mfbaalbi.exe	Mbgeqmjp.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Laiimcij.dll	Llcghg32.exe
File created	C:\Windows\SysWOW64\Mledmg32.exe	Mjggal32.exe
File created	C:\Windows\SysWOW64\Pmbegqjk.exe	Pjcikejg.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Lalceb32.dll	Bfmolc32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Mlhqcgnk.exe	Mfnhfm32.exe
File created	C:\Windows\SysWOW64\Ockdmmoj.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Ppdbgncl.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Qclmck32.exe	Qppaclio.exe
File created	C:\Windows\SysWOW64\Bbaclegm.exe	Bpcgpihi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6632	6508	WerFault.exe	258

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aplaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgklmacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjggal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oifppdpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhiogdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llqjbhdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbebbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjhbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qikbaaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalmimfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnhfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Momcpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pimfpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpacqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafmjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbnnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdbgncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjfdfbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcgdhkem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfpell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcgjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmladbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajohfcpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpcgpihi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcaipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookoaokf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmdblp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmmoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qclmck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajaelc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidehpea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigbmpco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfbaalbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ommceclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabkbono.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhqcgnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqhfoebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmaciefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcikejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmidnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipecnkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhoahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhanngbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmhko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqcejcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojemig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnabm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgomnai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mledmg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Padnaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfjjpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdohflaf.dll"	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laiimcij.dll"	Llcghg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfkeihph.dll"	Qppaclio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piocecgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Momcpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll"	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcikejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjkg32.dll"	Bigbmpco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajaelc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Lpjjmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll"	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leeigm32.dll"	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgidjfjk.dll"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfhldel.dll"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlaie32.dll"	Mofmobmo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 2432	3952	7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3.exe	84
PID 3952 wrote to memory of 2432	3952	7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3.exe	84
PID 3952 wrote to memory of 2432	3952	7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3.exe	84
PID 2432 wrote to memory of 4652	2432	Lljdai32.exe	85
PID 2432 wrote to memory of 4652	2432	Lljdai32.exe	85
PID 2432 wrote to memory of 4652	2432	Lljdai32.exe	85
PID 4652 wrote to memory of 4348	4652	Lafmjp32.exe	86
PID 4652 wrote to memory of 4348	4652	Lafmjp32.exe	86
PID 4652 wrote to memory of 4348	4652	Lafmjp32.exe	86
PID 4348 wrote to memory of 2340	4348	Lindkm32.exe	87
PID 4348 wrote to memory of 2340	4348	Lindkm32.exe	87
PID 4348 wrote to memory of 2340	4348	Lindkm32.exe	87
PID 2340 wrote to memory of 2080	2340	Lcfidb32.exe	88
PID 2340 wrote to memory of 2080	2340	Lcfidb32.exe	88
PID 2340 wrote to memory of 2080	2340	Lcfidb32.exe	88
PID 2080 wrote to memory of 1280	2080	Ljpaqmgb.exe	89
PID 2080 wrote to memory of 1280	2080	Ljpaqmgb.exe	89
PID 2080 wrote to memory of 1280	2080	Ljpaqmgb.exe	89
PID 1280 wrote to memory of 468	1280	Lpjjmg32.exe	90
PID 1280 wrote to memory of 468	1280	Lpjjmg32.exe	90
PID 1280 wrote to memory of 468	1280	Lpjjmg32.exe	90
PID 468 wrote to memory of 3560	468	Legben32.exe	92
PID 468 wrote to memory of 3560	468	Legben32.exe	92
PID 468 wrote to memory of 3560	468	Legben32.exe	92
PID 3560 wrote to memory of 2664	3560	Llqjbhdc.exe	93
PID 3560 wrote to memory of 2664	3560	Llqjbhdc.exe	93
PID 3560 wrote to memory of 2664	3560	Llqjbhdc.exe	93
PID 2664 wrote to memory of 3100	2664	Loofnccf.exe	94
PID 2664 wrote to memory of 3100	2664	Loofnccf.exe	94
PID 2664 wrote to memory of 3100	2664	Loofnccf.exe	94
PID 3100 wrote to memory of 3200	3100	Lancko32.exe	95
PID 3100 wrote to memory of 3200	3100	Lancko32.exe	95
PID 3100 wrote to memory of 3200	3100	Lancko32.exe	95
PID 3200 wrote to memory of 1312	3200	Ljdkll32.exe	97
PID 3200 wrote to memory of 1312	3200	Ljdkll32.exe	97
PID 3200 wrote to memory of 1312	3200	Ljdkll32.exe	97
PID 1312 wrote to memory of 1936	1312	Llcghg32.exe	98
PID 1312 wrote to memory of 1936	1312	Llcghg32.exe	98
PID 1312 wrote to memory of 1936	1312	Llcghg32.exe	98
PID 1936 wrote to memory of 228	1936	Mapppn32.exe	100
PID 1936 wrote to memory of 228	1936	Mapppn32.exe	100
PID 1936 wrote to memory of 228	1936	Mapppn32.exe	100
PID 228 wrote to memory of 4396	228	Mjggal32.exe	101
PID 228 wrote to memory of 4396	228	Mjggal32.exe	101
PID 228 wrote to memory of 4396	228	Mjggal32.exe	101
PID 4396 wrote to memory of 3828	4396	Mledmg32.exe	102
PID 4396 wrote to memory of 3828	4396	Mledmg32.exe	102
PID 4396 wrote to memory of 3828	4396	Mledmg32.exe	102
PID 3828 wrote to memory of 3196	3828	Mpapnfhg.exe	103
PID 3828 wrote to memory of 3196	3828	Mpapnfhg.exe	103
PID 3828 wrote to memory of 3196	3828	Mpapnfhg.exe	103
PID 3196 wrote to memory of 2436	3196	Mfnhfm32.exe	104
PID 3196 wrote to memory of 2436	3196	Mfnhfm32.exe	104
PID 3196 wrote to memory of 2436	3196	Mfnhfm32.exe	104
PID 2436 wrote to memory of 2196	2436	Mlhqcgnk.exe	105
PID 2436 wrote to memory of 2196	2436	Mlhqcgnk.exe	105
PID 2436 wrote to memory of 2196	2436	Mlhqcgnk.exe	105
PID 2196 wrote to memory of 1432	2196	Mofmobmo.exe	106
PID 2196 wrote to memory of 1432	2196	Mofmobmo.exe	106
PID 2196 wrote to memory of 1432	2196	Mofmobmo.exe	106
PID 1432 wrote to memory of 1592	1432	Mcaipa32.exe	107
PID 1432 wrote to memory of 1592	1432	Mcaipa32.exe	107
PID 1432 wrote to memory of 1592	1432	Mcaipa32.exe	107
PID 1592 wrote to memory of 3924	1592	Mfpell32.exe	108

C:\Users\Admin\AppData\Local\Temp\7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3.exe
"C:\Users\Admin\AppData\Local\Temp\7a5fe9abb5a1401539996810477bd486171771b681b0d555f2799691629019b3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\Lljdai32.exe
  C:\Windows\system32\Lljdai32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\Lafmjp32.exe
    C:\Windows\system32\Lafmjp32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SysWOW64\Lindkm32.exe
      C:\Windows\system32\Lindkm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        29⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        35⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        41⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        48⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        54⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        55⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        60⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        62⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        69⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        72⤵
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3284
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:552
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        83⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        85⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        86⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        92⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        95⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        99⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        100⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        101⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        106⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        108⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        109⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        110⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        111⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        113⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        115⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        116⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        118⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        120⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        121⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        123⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        128⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        130⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        133⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        135⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        141⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        142⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        143⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        145⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6424
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        149⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6556
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        151⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        155⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        160⤵
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:7132
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6220
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        166⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6416
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6508 -s 220
        170⤵
        Program crash
        
        PID:6632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6508 -ip 6508
1⤵
PID:6592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcgjg32.exe

Filesize
128KB

MD5
4a8c43786125734a3b53e19323f1bf16

SHA1
fc26e0d32a049df3ef30778c59e93c89e715278d

SHA256
c23c36c6786d9bd273b9156bc56f953e06d9e0a8660ca9f3d54bad2b4b82684e

SHA512
8e8ad8b2326ff2a677c4a091e6a7cf00d1fae4a2e4bf36774dc7c2e16ce44d325f76dd0bcebf5f2721f278c634248da77552c2b01594235ce36a77d0b8caa3ad

Download Submit
C:\Windows\SysWOW64\Acccdj32.exe

Filesize
128KB

MD5
f5bbf99203b164548bf9a6515e2f7149

SHA1
5d2dc1f957372d9f24fbe64ed2375d61f66a43f1

SHA256
63f159d4ec2ef8dabd7bf8fdc467e0ba11898f3d532822a1d6e139781ad6afd9

SHA512
34d60ea98404ae354650d17b03798cb014febb11aec3249e66ddf3f7a2db4ae3089f78b200c5a8a00a6c38d2d9e8d8e6e781e98eb4501701eed1ba4bba3c4b54

Download Submit
C:\Windows\SysWOW64\Apnndj32.exe

Filesize
128KB

MD5
5491021f39ddc89bfce5bb9b257c4cae

SHA1
ab19ec710ae3f91be511beeb640a170edcf225c7

SHA256
5cbd5a88c3e578848c65ce090c80bf1aae37adf676f9804846c16aa2f1b5919c

SHA512
9dace4b1ddcc79964e7957c30aec56b029ed378969d5fe37820f9979dac863ca6c47004a843614ad1fa5bc2672ae88e3b404a5899d1921601a043a5242a45c39

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
128KB

MD5
c9a30f4fc3eec829f561781f5c3f91a7

SHA1
e58d89e11a8c230826f05a1c0fd64ed9ef957690

SHA256
1f1b15445467de5d7c762e5e863ac8e69033b33f2899459e24b8e49ed521ee50

SHA512
a1bede030de5a2011de8a2df37a6beae664c08e66cad752b1c217bba8cbf91e500f7f75b24b4590c98e2f04ede7e700cc53e7e6ac31e4a3211bb1a68e8b98611

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
128KB

MD5
ac586bb918bd27f8d9d403a3dbf369f2

SHA1
49ea32c2f2baeecae03627e4189f9cc31daf4a03

SHA256
5fd1dd427c0978a1ee7e1c288d8de6b11bd6c98810cea00dc6dd5cf7a0abc02e

SHA512
9ae186b123acd9e73b774b49d1daa44d709b2ec6b6dc4496aced96c3df55308d725064cb5d9b32e226f8a1dddb2c4ea4c16f1df58043a7c6c529627e1a6ca933

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
128KB

MD5
e92669da3be49e28f8ce8da2780c3336

SHA1
8aee9fccd3e7065459e4327cd63cfe2d7e9b0ee1

SHA256
32542c865e626624822e8f5c9d79f8540d6bd0938cc0fb17b06c76db59e264db

SHA512
bb4197483503628dd135019c8bf536ed5ee18bcea86aa6da546aae6f108f0ae6a8fcbdf7629aee29020ba6b61ba900bac4fd308a540866878240b2d2e6df92c5

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
128KB

MD5
1612bf7aef6d1ddff5ee18f9c9e28cc5

SHA1
f4400096f84daf5593861054e427c44f9219a07c

SHA256
5933575de477ee0ed24104a8d6f435a93938007790e8364d7f1ed91b24af7373

SHA512
fd54b660c70210481d96ae17a6aaf42891e8dc0b15fe8c84f72db47d492684b917ce717caabb15e471a64e794ea32595f86f797e098dc843d874127d8cdcf824

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
128KB

MD5
0832a921cd1313ba52258bebd250ee46

SHA1
df005638c606e374b8726464c4e8a59c90d48e22

SHA256
53a248c04e41de69b4a3da36ca1f64a0076f2120945cf7ca5dda0094bfd7cf26

SHA512
f2f2330894e3e65f60d52ccbc08b76de562a5dd48dd6d3a52f8a8d7e82a991ce90311ee732fee815e229a65333930fdb0097a244c1e6c926dcc2dd8dd2993572

Download Submit
C:\Windows\SysWOW64\Daeifj32.exe

Filesize
128KB

MD5
4380cf19eacae91bd881644a40f74c09

SHA1
1ba5a50c7af45e1a6aa52f53d06cd7db598dee59

SHA256
9a4f4bdd87667c3003f47dd2d430e3dfe71da442f35ff3ff3b5b92278df8548c

SHA512
70672d346e605c892bbd919f9e91380bdd8d1624c98686c935b309e4f88d97476832e271434bcdda0f0e4d92a99e40ceb77bf1f5da2c89f9a1a149c526e3417c

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
128KB

MD5
ede3de196e0f400a0cb1e5aeb7419d2e

SHA1
661d7fc1673c297402266c34582cedf722573efc

SHA256
07fbf5682e196c98ba810fac0c56b38b3634dea8349f59608a105afdaded9270

SHA512
43b94965b64c24e3b73a0c3055f314da05db123bcb2088c6028bd6bff6777a5c9ca2a356337ed7bba6c56f3f10a9ab8193642d38510da10551a3d21b42fab858

Download Submit
C:\Windows\SysWOW64\Lafmjp32.exe

Filesize
128KB

MD5
17ee8848c5220d003a5cbc706aacc816

SHA1
ba8bf28847401ff506db07718e4e363a03d65942

SHA256
aa7f461c69a3eec08c877af24cecfa5c59cc41d1d042c4c67ba25aa81fd5e13c

SHA512
5f893c4fb00c14519046005518632264f1179c0fee234cc2a8f2bce20304c4fc50a267c12e0c96e3c5a0db54e29b2760ba31a75217b92ed5e9919f717bb8b99c

Download Submit
C:\Windows\SysWOW64\Lcfidb32.exe

Filesize
128KB

MD5
7d8933b090aec21f9a7a73f40bd44cfd

SHA1
e9be25e782a0b1c10d8e8ed3d83bb13b48c16707

SHA256
2df79adfe81a7f33b186d4fbf88be8b09fc15b8bb40ad7278abbee3c9895a830

SHA512
4d6a178e9e4333f875e7819c3894a789657b411c76a2517b081785aa61b597fafc0d8b5d6900a1c85c7904ce062a887089f53cd5bc1abdfe9cef38452b3481cb

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
128KB

MD5
fcc94826ee21c4ec8b64a533ef32e316

SHA1
7a33cc26f4471876c77389786b6b219fe4b8dfd2

SHA256
1cdc7497e68ea071f13b68f5222bb8cd210e5bcf5fb87751885d4d0e438a413f

SHA512
94d6b9ae78169069bf6c0615f73eaefc49a3c2ac45f773c99b9aab0549c86bee2c579611730b3d6073858f0e92ecdd0fc4b0a568432d9fd23e3960547ea042aa

Download Submit
C:\Windows\SysWOW64\Lindkm32.exe

Filesize
128KB

MD5
dfb619f46eedb60ac229f41ba235498b

SHA1
6b65f864e7c8adf52de06890aea80e3c98fff5fa

SHA256
5f798296c30eca681355aa764a1e932eab0141e82d02ecf678c6d1fee3f8b56a

SHA512
4724a4e08d39c659d1ac38960bb31ab0121d94d4409989a56dd742492f5a322dc3d334ed8567f145d154bffd5c82c3994c8973990a98318f99e015cf775957ff

Download Submit
C:\Windows\SysWOW64\Ljdkll32.exe

Filesize
128KB

MD5
8d1d7814502e23d32a3a7ea299f400b4

SHA1
07e67afee5f75104701378055a55ea4d94e955a4

SHA256
53dc4413e70f4ca93e36595c0fd815a3efab036f37e4f7c6fbc4e5cd67e8db11

SHA512
ce42af8cf9630e783088773b2d46b25699f85931214ffff4730fa4b5218c77ef866221b87206bace800cd20bcbc37b480f098bc2d8e825c5d5d57f65a0611ee9

Download Submit
C:\Windows\SysWOW64\Ljdkll32.exe

Filesize
128KB

MD5
e4ae3722cf282e56e7e4b8a3c14d0015

SHA1
0dc9a1e008e868a0eacf66930dd6a315b9464eda

SHA256
452356860217f6f2819404ba114da6c34adb0dc5cbbc53a052aaf2adf7eb4462

SHA512
fe67ce8b405572eb7389c9d59231a98876540b1fad54e222e8e10178141cb65624ce7dbd53dfd8bb8dd95e01eb19df53f34b27a72da24f35bcfdc103062a9963

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
128KB

MD5
f4bbfa6fb214c97796c9510fd8c00012

SHA1
27109bb3d57fa001592fcd56b375a7061d36e7a3

SHA256
19d158fba3f450a2c6ca7942dcb419aea9476edcf7b5349ca89b0966b02ace40

SHA512
3b7695cd737f9b8ee5d302fe8d8a390fb586c39715d7f987bb97600874e20065bb5a1a1df1f9f09565e4052b3d63713d928537155da700c9f18278c256f6e251

Download Submit
C:\Windows\SysWOW64\Llcghg32.exe

Filesize
128KB

MD5
6efdc369ba4bd4b17ff3644fc9d63d62

SHA1
43739c27fce8456b36f8806d6662f327bcb557b5

SHA256
26aed39c3725ec9584bb2f88fedb4c63ef845b12850300bfa751f834623cfc96

SHA512
28f4c9102e77fd1c046235073399db455650c9d96b71b0d7ccbc68553b5176bc34e81491517cf0e27ff2dbc2dd0e0a68071d61adbcf4c36eeb6f9b232c8a99bb

Download Submit
C:\Windows\SysWOW64\Lljdai32.exe

Filesize
128KB

MD5
396df328d7501596036cc05740a09964

SHA1
b0924ae4813a131380f8f4a01f01da738f142f96

SHA256
212381d29d412dee8ff2b72f16f734980e6293489f68c70b25d33abded991be9

SHA512
5bb565e254f734bb04810deaf81398e337241b736bb1b1ec71900bf581d8c0a62f6292e72a3df222bb973640cde1421bdde9b95ecf4f7e7e08e1e35fcd5cb9da

Download Submit
C:\Windows\SysWOW64\Llqjbhdc.exe

Filesize
128KB

MD5
d9f9eb881ec4abf758a9eff4334fa3f9

SHA1
67c49a00142b491ca9dc0b303d8f3abd6a24af36

SHA256
ec69d9225602e052527b9e7865729c212329bb0a9ea50a31689de87c95ed0695

SHA512
d8a0710e110ea000ea34fd4c81439bf78f29134f813a564eb5e78b5637d7937219c851fdb6980eabf60141cff76f135c97e35fccba313da65909c9fe7b087e44

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
128KB

MD5
47902e7ef918af83bb4a58168e8f8c35

SHA1
e9acdc2823f5172ec1173c4040541933d7b3ac96

SHA256
cc3b2c641f8611f6ff264cd2a9270efe40e37e547e5577c8a83df3a744d72933

SHA512
1271b429d5227e619f5cc50671d41001485ce425a5ee43bd1dfef281d6333a6f540e289e2b24b7c7097acdb37676a72851b84d3172dbb51ade5b4305730e5ade

Download Submit
C:\Windows\SysWOW64\Lpjjmg32.exe

Filesize
128KB

MD5
a50d565db7275ccaf390d915e27c721f

SHA1
137400457c3636ae7fcf9b8a6005d66e8af27306

SHA256
9f4ccb3e8a6e66fdc5daff315c741b8971c095c6a39060bd149cb594c2417900

SHA512
c9b25ccc25f29d740dfb6d1f35fd85de7d118665ae092464f8d8c74406fe2a69a6a25e068bcbdad191f1209cfde4781792b53b8de1eb13ca03ec4707fe172073

Download Submit
C:\Windows\SysWOW64\Mapppn32.exe

Filesize
128KB

MD5
b1a8a05cc4d1664916aa2786927d38d4

SHA1
67d1790f9ef1ec282dde714807c7c1b7ed394603

SHA256
3b8a08cb9cb93d77ac9420b4bdb16cb9df2a876030e77d974cebf845bb9a765d

SHA512
958104101a0888b025f3f5c2bf8f4e51a6c479756303aca167b07334388ece52b7bffbbdd39965a74e70c9b78db303d0103248c7fe0b18e02bff9e48c2efdc1e

Download Submit
C:\Windows\SysWOW64\Mbgeqmjp.exe

Filesize
128KB

MD5
5198e34a95d663295cfeee47e735c2aa

SHA1
9aedc95bcc6f21a396a544a884d4e71cc6b28439

SHA256
f0037e60dca5f669f370b93225ab8adfca5eb2d24f7f7528183f8938fa8090d5

SHA512
48968cee9b81879e87c088e93158ade35c68b4d6abc56311e2ed7cc2f4a81c0fed889f42da6f5da3ac2aa8ba3cf81088a814a6327cac3983024d2acb5ba6a30e

Download Submit
C:\Windows\SysWOW64\Mcaipa32.exe

Filesize
128KB

MD5
4b36fba245460ba5cbcfc9a5c3c7c790

SHA1
1958fcef90686b993d011b121a62d369c214f374

SHA256
a5f0e935be517d59be1aed020769aa75f1efd37e669e00cd142552d1f6129ade

SHA512
eaacb3d93c405a9e05e3e9f261a14887b21c405a5f413212271e5e2d1ec329adda56cf0f482448dc84a6cbb896be17ad6927b4dcedf2ac9a236045f636c36aad

Download Submit
C:\Windows\SysWOW64\Mfbaalbi.exe

Filesize
128KB

MD5
f16b08c8ef47b6b5ae4827ae98c878a1

SHA1
5d65d92de517e1e7e34a4f795d8b59c18ddd3d8f

SHA256
9ba2d61f562e48f6a8cc164c66e15dcb341f3aa8df61117fe1ceb8fa7fe7af78

SHA512
5ff65a81a4000a6b950930d8030e25f4b4325fd7eb11f49902f160142b14c4f742d9797adc5553ce14f580362c4018658d22ff8875196b4283741fc65fad1e8e

Download Submit
C:\Windows\SysWOW64\Mfenglqf.exe

Filesize
128KB

MD5
23205f6137576a454f83eafcd84c4177

SHA1
be58566e0a1c741fd5c3028021627ce64d1aa754

SHA256
9de01bfc11b8e22b88e5fb4fd105ee5c57457cfc9831874ea26b3e00ba0fca4e

SHA512
7e40ff76cbfaf0af0732cf118eb221561b1b4499db1a6a51967ead378726b281f6f27d18579bb7e93253eb79432ec461a0414c7b9734e7bf56a8eb2782362228

Download Submit
C:\Windows\SysWOW64\Mfnhfm32.exe

Filesize
128KB

MD5
81c52ba5074ec9c12a7fed7ba0320bb6

SHA1
ad50607a11be3578a9b1fe29c55711a298f201aa

SHA256
5b1d4e2a4156c1c4fb3079eb17adb893446457de2ebbe6ba890bd18f40065f23

SHA512
3bb9b86caee8ac78739adc825801790e0b7b7b9a435da79b42654ad717a5da1dc9c2f4830909ce875ecd880edc740c0baa98676c2685cd70ee0295acb9f4a59d

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
128KB

MD5
63d8c9cec55018bdb2e33ff0ecec6423

SHA1
e5d9a7c2548612ea41f7f015ba04793d7f0bc82f

SHA256
eb1058fe5240551a9f2794a7082de85c08e3d272312a7efc93e0f827aceb779b

SHA512
b762282ef9d378696d45a87a77adc5e5ffdfd3ffb39ba22a192282b6b909c63741eadfd08c23655fae3aabdb3d45b93c35e088a9bd37cc7a1a63e5d711be613e

Download Submit
C:\Windows\SysWOW64\Mhanngbl.exe

Filesize
128KB

MD5
1d8031a0138cc9711bd7ceebc9304db3

SHA1
91adbf2b0b70d728efe836e7fa505c63204c9448

SHA256
741341d6300bd68b0ff9ac99419911b500ee88a98de1b2e637729ea28a6f5e79

SHA512
0cbb33a0e4069e8e01df5c406134f07795d56e9bbf5bc6d39193332c78f0a047d619ddcdb04dc5d99f53be7b230950ab9e5aa5394e109687afd45135e2e162a0

Download Submit
C:\Windows\SysWOW64\Mhckcgpj.exe

Filesize
128KB

MD5
9bafa573a3ee0689ce379f92845ee7d0

SHA1
acbe864dac91db3225273b5ee2b66993b71b88ac

SHA256
5259ad9abd9fedce2065aa65eb69684cd160053e4881907fa215d4b4e5ffdc72

SHA512
48e137260f9c2cf606dc939fb560b15a40ba871f694f2d787690d9d07106f2cbabfdf212a1367d34a5e9b4fb5bc10711467ef70b315ae2b9b9efd1e19c2b4392

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
128KB

MD5
db4731401373f9f8e21cfb25397f9465

SHA1
0d56686fdf1badba6a6ea1d0bb099ab0c3405854

SHA256
553a2a8f1bc59700757c1a95fbab8ae4cee215fb578e1bff9a32cf3dd4f6e649

SHA512
afa139dcfcfa1237a308ea1535444104b6a59e67e7ffa61a18b60b6b24c7bafe27156c9821e9a50a669f4f02e0132c8a3cb237a889352ade1775da159a7c6dfe

Download Submit
C:\Windows\SysWOW64\Mjggal32.exe

Filesize
128KB

MD5
34f85df4947b4ea06e7a891182c2a906

SHA1
d393cf0825f7b13663e809a2b6b75f8216e6bf67

SHA256
a27d24b03f290c42c4d04a00f24ef50325d449e9c0ede5edca75c38a36e25569

SHA512
d2e474f245dff1c004b9beda05f6dadce121fa72d6814a687b77fd063d72fcb1688b6bcb194cbd17aa5168d10f3e4b89444fd716e6cc93e9087594a236b3d578

Download Submit
C:\Windows\SysWOW64\Mledmg32.exe

Filesize
128KB

MD5
b496eb392661b1e38a2a78fde920e6b4

SHA1
0c02e6adc06aa8893df1d53a573c0911b5ae68b7

SHA256
48a4d29ded0874611fe58389284791da40120e711b21cf12acc9433775405aa4

SHA512
9616f768dc4b3263e9b76e0aa360344a37292b67804012689e4b74417806636663af1b0618e0e39f026a366e5bde1a9eef70db0a408d69415973525db96850a4

Download Submit
C:\Windows\SysWOW64\Mlhqcgnk.exe

Filesize
128KB

MD5
d6c965a71a0dd76516a2cc5b5696d958

SHA1
c1c10fcf1639efbb9ab0c9f71aefd306daa4fa8e

SHA256
f198118c4176e2c757c535daca04723e1c9152a91c5d0e553da032d690f65c0f

SHA512
91e77d47e287dae5842434d593d9f264accee45546623b928d6132bd02ca9346b3be5b01b33da1488aa1b0e81a2c5de308cc38bcb6c452b366a048495150e433

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
128KB

MD5
06a9e70777abac42c2d6d306fcccdad0

SHA1
d83833a6faddb9360d7d9fabd0abace79be9c7f5

SHA256
d11781564fa289614a3d84b7b1294c76c566aef80cf7791288cbdb84e7193fac

SHA512
7432e2b1975c0c414bed08a3b62d202f976ede4ab9cc2f370ae9f97c7abba6b73125824acc64f222b1ab9ba47d03866e715f0c7d1b4f38451a4581cb5a76828d

Download Submit
C:\Windows\SysWOW64\Mokfja32.exe

Filesize
128KB

MD5
6c30ce93a7e39e9ba46a8bed4da0cca7

SHA1
9935218f09f086ad46993b619dcdbbfca1bab333

SHA256
e5311cb7e59d2666e72fd2a9cf575f27dfbdd48f7909b87d55d2e316ec4d0b22

SHA512
d4361691053ae652513892cc07525123b1313b1ad9c8c25e16f7b8a734ba636950996a5f3c764a002a49d504e99df51eafb3896662434d7e0a7e4b2850e8ddac

Download Submit
C:\Windows\SysWOW64\Mpapnfhg.exe

Filesize
128KB

MD5
1334f77a65d8b2c26db7e9320557af91

SHA1
26cc297213cc54b7afa10c4382d5dcabedd4c290

SHA256
341a7a6db98cf811ca966e6c06f0928cf4685c550949ed9457bdd733ff7762d2

SHA512
9fdb913eef94b1c7219cb45f287b880091f41cf4b0a785989d31f124d36a15bfd62df322072de957d9fc473b639889e6425d278fa0e9164bc880d3530b2e314a

Download Submit
C:\Windows\SysWOW64\Mqhfoebo.exe

Filesize
128KB

MD5
9148d546136ab74bf502e09b9af53dd8

SHA1
ae178c87c996550d890a8f96e902631b52e83672

SHA256
9c361245be0db4dfc591a16608f7b8d03527ec2368949e9a04b2a9ed7037bc70

SHA512
c7927e06193c3e3bd90183f0709d0e117d9ffd04140eb20904859dce4b39a507f784298a279cc3582d8196c5f7122c682b74454e3a9087798fbc6e56c8a85fa4

Download Submit
C:\Windows\SysWOW64\Nbebbk32.exe

Filesize
128KB

MD5
6b75ae37702cc242066b64c29ef0c3b9

SHA1
8e6766e1220f526e353c873fa5c21b13e8e27ddb

SHA256
ca0e8749fdd0a2f18f79d0a582b2ddc8c1b7b11bd2cca12dcad6ffecb014f5e0

SHA512
2c46c25a84afec0f18dcb66c9605f36aa47ad8219feadd7be31d512fdca52fa98af4d00a9dd77d8790d4dc87f12a3556070cdc2669abb78762e75d633ff67968

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe

Filesize
128KB

MD5
7dd85771219bbb25690527a371509f11

SHA1
897409003fb15d65e02f50a0fe1aeb3315a0c06b

SHA256
c783f7f50bd3cb7c52098482fff70d14066472c52aef4e599c0bc96213b30efd

SHA512
aea83865db1c0f0de6b06494b956622c7dac2723aba2adb01c718d87802818756d87935c8ce11c8a0c87fc6dd0b645fd80b93751ff505096b40caf5855d378ce

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe

Filesize
128KB

MD5
197c282cc0c1cc05d8ca5c039ebf853c

SHA1
23e4d3bc27a5d3cffc1a249f67f80483bc779092

SHA256
56fa9088b1137b87d194ff26909be9c2a2bde57e44511018eeb214c72e378e9a

SHA512
43c9a47cad65785fdd15203c00715c12b272019c7b0ead00366d6b8829980a75c4487f2243ec5434bea61f0615d4fbb88ad24b655175c6af97830af6aca9dcb3

Download Submit
C:\Windows\SysWOW64\Nfldgk32.exe

Filesize
128KB

MD5
db3fe93f38a3f8aaba4069f637cac8b9

SHA1
277714098039fe0fd35804e54618d191f04af74e

SHA256
b7c1ccc4b33a23c17d2be81fe087d945119ef1de58e733388eab18c08d60d929

SHA512
5bda14cccae3641dc94e4c290dc9797fc7c5dd448839355831e4e10bc6c3050b302aa77902faebf66c00e54463b79064951c065951c883787548d8fc33dbeee8

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
128KB

MD5
a0b0ff140ebcea5e8d0de9028a0bd3a3

SHA1
909b91f33bce56fd892e0496a4858cff6422c5ae

SHA256
8fab694067f4205f059f65c96e1a7e84f3a424944ae9594e5c5d84a3a82d3ac9

SHA512
21140efce3eb7e3dd942d9d5bcf5bdc0545b493ab78d14fe5db1109e0d4d8c6ff87d4b1110060949bfcd439723ef81324c4e2c3f2c0e84a61ac09ec12c8b109c

Download Submit
C:\Windows\SysWOW64\Noppeaed.exe

Filesize
128KB

MD5
0a3587e0b0f1987e2546dbe5568d944b

SHA1
ef4289539c4f7ac0f6d6d67a83e35d694992cb94

SHA256
9e3363da9d9c3cfaebdb633cfcaac16093ad1a9bda93d388b787f1a489857529

SHA512
db12c289fa8f0d4b78f1407aa8a81fc7d33596f07a20cda6d8878de6ee17b4fe34bb99df94ea796704484eaecf4f255b4e0eb63982bc544973de42a953248e69

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
128KB

MD5
565ae4e1cd1d66661f51b7988f1fcad3

SHA1
bc292cd9d5432d90de1bd6aa914a7647533fdc24

SHA256
241beaa875db88f1e890e7d0d97896e8f971a4f870cfc7e944454d3881af4de1

SHA512
f06444287b7cb1c5763326ba242fe3c06b3676d71364686b157023c3f4dfa11b4a801f8d771b50c9b964faa83dcb2b219881e5e278cb5d60a80fdc49eaa55aee

Download Submit
C:\Windows\SysWOW64\Obgohklm.exe

Filesize
128KB

MD5
219f49c774633445a0810ee40623f860

SHA1
b7ff9bef64886a173a93b8987b0273e804834066

SHA256
f2a39416d7d7be256bd280ee85f093e04212eab6ec6fde079776d42f41e395ff

SHA512
8793abfbdd7b3e361f3e0c958cbd3a3268b37d530b55a760cb3932371387993903cb5bb5974adfbed836e8b25898fa0d6b6b5b04f8f0849dd803bab3b9dff66b

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
128KB

MD5
5e985900c2f07764ed4f19dd7e7db01d

SHA1
68c90bf08413408eb983ef23f15280320dd10e42

SHA256
161bc428caaa8a0aca170b8220a07371457b069110dcff72edb7e0aea4e74c15

SHA512
8fb991295682b3cf4444235bd08c5d326f02472c9cbda4baed6ea2b66fa0f6bf6afcbc3e06a98f838dc456baa6ab33e47f3f6dbefea099f213e075f0009cee82

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
128KB

MD5
2ba3374d95d4db29b1d819fda3c98dc9

SHA1
2466076eebbefa7d4bde1f5bb3ce18fb5e223a41

SHA256
9fc605600e3c208ca74573b883619cc952a94e3045a6231c77db855de1de30d3

SHA512
31e472afe119e55b1fec43c90d8720030dde70b28481f33fff021a43064d9b43598e2983dcc74c7df1d3b35ad4dce7606fee97d13e3509836f2b50b9041827c7

Download Submit
C:\Windows\SysWOW64\Padnaq32.exe

Filesize
128KB

MD5
3122d3c78b5df971e3cccd75d0258033

SHA1
6114545a2e93ae109ec5e5d74371a1c3bd4087c0

SHA256
37e369360f8a6241be7565161622146990c9d6d5b196169e7881e8f06533d346

SHA512
8aa072c7a5280e9985f9613ac58f05816cb2e07f1c996ee5b8e1f043b236bf532b776322fd9eaf9629891b0158b06edb5e402df9456e51cdbea2b48e40b41cf1

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
128KB

MD5
28e193c24d65f526ad257b01031a592e

SHA1
e37805b2c3ac4e55795402c236e8f8f4136e6926

SHA256
bc456ea1cb36d014c0b942fe38d58bb8e0308346d9cfe7343f53c5efe4c8febe

SHA512
825df49e1ad0b1b25882348c521adf3b833d681dd1cb289c3fb87190ba21eaa722f76ec989bc6e19ab8c3f5907d4e853c01a8a0bdd57f6582eb2a590c0df0e62

Download Submit
C:\Windows\SysWOW64\Piapkbeg.exe

Filesize
128KB

MD5
ee8585fd514ffa9ae03ccc726aa5ee95

SHA1
015fd4eeecd32d41cd100477d025bb70f39e5d05

SHA256
555059c56443c89f9c6773ee1c7d7fac0d74d85bbc89ba3e2800bfe4b4571d28

SHA512
3f75a1ea53b5d4afda580fb7bd8d529509ba19ad6ad38059617096153088445d70b66c96ba76de83906bb8452c99195dcda4bea57868d0dd4794593ddb0cfa57

Download Submit
C:\Windows\SysWOW64\Qclmck32.exe

Filesize
128KB

MD5
836db1bd98c46860dcde79feda80b1c0

SHA1
7f100c51e3612a4ec430ea654f179b975be41099

SHA256
a1b68feb3ee0a19ceb4a75c1da8cabeed9a87507cd0f2484a4231162da516b3d

SHA512
1c1f43db472c81508e3cbfa3b73e9e1df837bd6e5aeb4861a986070c1a69d60af1e1f78182e2b8429a6c33151121d2c1037a5e1a03abe64e6d6b0974249ae363

Download Submit
C:\Windows\SysWOW64\Qfjjpf32.exe

Filesize
128KB

MD5
6f51e5eaabb1262229074122f83a13d2

SHA1
f36758747d29de756a8397e0100a05662456e08a

SHA256
becb9c3082a183f8e4e28ca6c84ff3b9d8955d4d57aca1717ab403b58e49cc12

SHA512
03e8e128103fdb44e02bc4a253d0a72917cdd6ec08c99a800b2ab7c948cb79da37393727baba0a89e883f397192465b8b27dd2e75f6e41bad4ec54dbb90c67cb

Download Submit
memory/228-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/468-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/468-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/552-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/668-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/732-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-564-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1020-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1028-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1432-165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2296-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2848-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3104-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3196-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3200-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3436-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3500-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3712-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3980-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4032-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5144-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5188-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads