berbew | 9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe
Size

144KB
MD5

3559c069a4793e151d4b4a33f72af770
SHA1

e293b9506854db9f328363f6bc6c0bfb7f6a6e62
SHA256

9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4
SHA512

7f8259898982751f2796b58be139244c2d422e29ea3fa53b571639c06cba323b49d2bcdb3d60af372e41c4cd41aa91d98b3d8e7250e389438c3577d34f03f632
SSDEEP

3072:7nhTAgymzPggKJ7RUzgrgHq/Wp+YmKfxgQdxvH:9Tpymz17grUmKyIx/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1528	Jbhfjljd.exe
4596	Jianff32.exe
2672	Jlpkba32.exe
996	Jfeopj32.exe
1628	Jlbgha32.exe
980	Jblpek32.exe
4184	Jeklag32.exe
1128	Jmbdbd32.exe
2380	Jcllonma.exe
4452	Kfjhkjle.exe
3932	Klgqcqkl.exe
1644	Kbaipkbi.exe
1264	Klimip32.exe
2644	Kimnbd32.exe
1084	Kpgfooop.exe
1768	Kedoge32.exe
784	Klngdpdd.exe
1288	Kfckahdj.exe
516	Kmncnb32.exe
4556	Kdgljmcd.exe
1796	Leihbeib.exe
2636	Llcpoo32.exe
3912	Lfhdlh32.exe
3216	Ligqhc32.exe
1080	Lpqiemge.exe
5064	Lfkaag32.exe
3112	Liimncmf.exe
3976	Lpcfkm32.exe
1416	Ldoaklml.exe
916	Lepncd32.exe
1920	Lmgfda32.exe
1600	Lbdolh32.exe
4272	Lingibiq.exe
920	Lphoelqn.exe
2092	Mgagbf32.exe
4896	Mipcob32.exe
4440	Mdehlk32.exe
2400	Mibpda32.exe
4140	Mplhql32.exe
4888	Mgfqmfde.exe
4772	Miemjaci.exe
3096	Mlcifmbl.exe
4856	Mcmabg32.exe
2036	Melnob32.exe
5072	Mmbfpp32.exe
3576	Mdmnlj32.exe
5032	Mgkjhe32.exe
2972	Mnebeogl.exe
3484	Mlhbal32.exe
4412	Ncbknfed.exe
1052	Nilcjp32.exe
2456	Nljofl32.exe
2700	Ncdgcf32.exe
4548	Nphhmj32.exe
1612	Ncfdie32.exe
4300	Neeqea32.exe
4400	Npjebj32.exe
1624	Ncianepl.exe
4956	Njciko32.exe
832	Nlaegk32.exe
2960	Nckndeni.exe
1476	Njefqo32.exe
3164	Olcbmj32.exe
4384	Ogifjcdp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Jcllonma.exe	Jmbdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbdbd32.exe	Jeklag32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Jlpkba32.exe	Jianff32.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Kedoge32.exe	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Jianff32.exe	Jbhfjljd.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kfjhkjle.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6860	6776	WerFault.exe	256

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Klimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Olfobjbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1528	1648	9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe	82
PID 1648 wrote to memory of 1528	1648	9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe	82
PID 1648 wrote to memory of 1528	1648	9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe	82
PID 1528 wrote to memory of 4596	1528	Jbhfjljd.exe	83
PID 1528 wrote to memory of 4596	1528	Jbhfjljd.exe	83
PID 1528 wrote to memory of 4596	1528	Jbhfjljd.exe	83
PID 4596 wrote to memory of 2672	4596	Jianff32.exe	84
PID 4596 wrote to memory of 2672	4596	Jianff32.exe	84
PID 4596 wrote to memory of 2672	4596	Jianff32.exe	84
PID 2672 wrote to memory of 996	2672	Jlpkba32.exe	85
PID 2672 wrote to memory of 996	2672	Jlpkba32.exe	85
PID 2672 wrote to memory of 996	2672	Jlpkba32.exe	85
PID 996 wrote to memory of 1628	996	Jfeopj32.exe	86
PID 996 wrote to memory of 1628	996	Jfeopj32.exe	86
PID 996 wrote to memory of 1628	996	Jfeopj32.exe	86
PID 1628 wrote to memory of 980	1628	Jlbgha32.exe	87
PID 1628 wrote to memory of 980	1628	Jlbgha32.exe	87
PID 1628 wrote to memory of 980	1628	Jlbgha32.exe	87
PID 980 wrote to memory of 4184	980	Jblpek32.exe	88
PID 980 wrote to memory of 4184	980	Jblpek32.exe	88
PID 980 wrote to memory of 4184	980	Jblpek32.exe	88
PID 4184 wrote to memory of 1128	4184	Jeklag32.exe	89
PID 4184 wrote to memory of 1128	4184	Jeklag32.exe	89
PID 4184 wrote to memory of 1128	4184	Jeklag32.exe	89
PID 1128 wrote to memory of 2380	1128	Jmbdbd32.exe	90
PID 1128 wrote to memory of 2380	1128	Jmbdbd32.exe	90
PID 1128 wrote to memory of 2380	1128	Jmbdbd32.exe	90
PID 2380 wrote to memory of 4452	2380	Jcllonma.exe	91
PID 2380 wrote to memory of 4452	2380	Jcllonma.exe	91
PID 2380 wrote to memory of 4452	2380	Jcllonma.exe	91
PID 4452 wrote to memory of 3932	4452	Kfjhkjle.exe	92
PID 4452 wrote to memory of 3932	4452	Kfjhkjle.exe	92
PID 4452 wrote to memory of 3932	4452	Kfjhkjle.exe	92
PID 3932 wrote to memory of 1644	3932	Klgqcqkl.exe	93
PID 3932 wrote to memory of 1644	3932	Klgqcqkl.exe	93
PID 3932 wrote to memory of 1644	3932	Klgqcqkl.exe	93
PID 1644 wrote to memory of 1264	1644	Kbaipkbi.exe	94
PID 1644 wrote to memory of 1264	1644	Kbaipkbi.exe	94
PID 1644 wrote to memory of 1264	1644	Kbaipkbi.exe	94
PID 1264 wrote to memory of 2644	1264	Klimip32.exe	95
PID 1264 wrote to memory of 2644	1264	Klimip32.exe	95
PID 1264 wrote to memory of 2644	1264	Klimip32.exe	95
PID 2644 wrote to memory of 1084	2644	Kimnbd32.exe	96
PID 2644 wrote to memory of 1084	2644	Kimnbd32.exe	96
PID 2644 wrote to memory of 1084	2644	Kimnbd32.exe	96
PID 1084 wrote to memory of 1768	1084	Kpgfooop.exe	97
PID 1084 wrote to memory of 1768	1084	Kpgfooop.exe	97
PID 1084 wrote to memory of 1768	1084	Kpgfooop.exe	97
PID 1768 wrote to memory of 784	1768	Kedoge32.exe	98
PID 1768 wrote to memory of 784	1768	Kedoge32.exe	98
PID 1768 wrote to memory of 784	1768	Kedoge32.exe	98
PID 784 wrote to memory of 1288	784	Klngdpdd.exe	99
PID 784 wrote to memory of 1288	784	Klngdpdd.exe	99
PID 784 wrote to memory of 1288	784	Klngdpdd.exe	99
PID 1288 wrote to memory of 516	1288	Kfckahdj.exe	100
PID 1288 wrote to memory of 516	1288	Kfckahdj.exe	100
PID 1288 wrote to memory of 516	1288	Kfckahdj.exe	100
PID 516 wrote to memory of 4556	516	Kmncnb32.exe	101
PID 516 wrote to memory of 4556	516	Kmncnb32.exe	101
PID 516 wrote to memory of 4556	516	Kmncnb32.exe	101
PID 4556 wrote to memory of 1796	4556	Kdgljmcd.exe	102
PID 4556 wrote to memory of 1796	4556	Kdgljmcd.exe	102
PID 4556 wrote to memory of 1796	4556	Kdgljmcd.exe	102
PID 1796 wrote to memory of 2636	1796	Leihbeib.exe	103

C:\Users\Admin\AppData\Local\Temp\9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe
"C:\Users\Admin\AppData\Local\Temp\9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\Jbhfjljd.exe
  C:\Windows\system32\Jbhfjljd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\Jianff32.exe
    C:\Windows\system32\Jianff32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\Jlpkba32.exe
      C:\Windows\system32\Jlpkba32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:996
      - C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        25⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        27⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        37⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4772
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        45⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        49⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        51⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        68⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        69⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        70⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        73⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        76⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        77⤵
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        81⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        82⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2368
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2504
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        88⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        90⤵
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        98⤵
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1364
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        101⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        109⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        111⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        114⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        115⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        116⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        117⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        121⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        123⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        125⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        126⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        128⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        131⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        132⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        133⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        136⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        149⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        156⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        157⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        159⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        161⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:6340
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6384
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6428
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        166⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        167⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        168⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        170⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        171⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        172⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 416
        173⤵
        Program crash
        
        PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6776 -ip 6776
1⤵
PID:6836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
144KB

MD5
59197351d54b89e5f59083d73b4afd22

SHA1
e2f5ff9856988f6243b8219083f17a1d6b70cd1b

SHA256
2d6c977e103e216bf620c2b435a9ca5181aa6c2a3434bde92817b37312887cc6

SHA512
a42a6eec800bce12886e99928d35ee467cb56034b9288bffecdbfc91adde967b7386b4588d912006061ad5132e4f1f96fe32711522704109392a0a568a9746c1

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
144KB

MD5
fecee6502a5bd9c9ab27d65b5e66a1aa

SHA1
78ab67105fbaf1f4d75ba62d9ad54448ef20e947

SHA256
dc26d0e923275e1c4efaadd9a389553263ae1c420f72c455c83920b465a58244

SHA512
e9853b7de650967dcffb5d19ab0ea8b67a89df73b14286dd095c89ef69158c195f35552cf6398064d95dc8a2e683c3f0c079e444bf83bed6912e52945ed66dc8

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
144KB

MD5
d63bbc7c075fcfdf15778ab74604b567

SHA1
2c12b9debdd7a94b524be890fa66556897bf24d3

SHA256
ac02d5062b9d550bed757f4acaa775d58fb9172aba099435c471873c15792c5f

SHA512
3b84a7231ea5076e6583b75dc05f77fed6a1034b4e9a49104a8898693f77108cf5209c1de96d2e2ce8e762be65cafe687192a9a4d41ad0c5a9ed6937e51f3150

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
144KB

MD5
95ff6b6e65dd5cbfa6985e074b96c1a5

SHA1
a5a322ca1497f67b7da25062f60e035f585ecaca

SHA256
a5bb07b17a13bfdb5f1cf4fe2996b53553ef924273671b59baff28b14c294881

SHA512
e317ddc74e5fd9cadd0cc8821e709f9e959ebd5254ff0c0eb2e4b751731268455ab16f80f0607c9669dc10632133bb9c4a9e9bcb1a1c630dd7ecc15ab540bf60

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
144KB

MD5
63967e9f276d0748112841bf77e7ce9a

SHA1
32742df77e2d210727d281ca83c372ab6bb65fcc

SHA256
e86268a85c1b1b976b7dc4054eab1843e5b526af094d21fbe4875af40f97fda7

SHA512
5681e118263e1b1ca9e1cb2a766ab86b280fa8b65d5da6685ee509bf586417b05c30c5be21cc48ebb27384ac782b8b56b5a2228cc4a3bf36ff822c993136f0d8

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
144KB

MD5
a6bc62c78a9324f896c53847b7e0fd5c

SHA1
7a1707dd84c90488c218a7d563f464429e42d74b

SHA256
6a71c0197c9fcd66cde77d0638c1b68f2a09c53d5cc3b84396fbac085d4565b5

SHA512
c8117e2c024ed23e67ee8b9396748ca5ace60321d9b39a00133b8fe335b9212219ede11b7f200ec1baa076776dc8edb1e96ef64a07240f93d055a7a3f92126d8

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
144KB

MD5
6c3be6a56817d93c96926a55a0f74e7e

SHA1
bfa0fe60bc7d6836801f8595a9e6f8132465429b

SHA256
67ff3c2a817a73ba104350599a8764642328504077cb8208299806a20caebd10

SHA512
dda8301f61117c855e4ef90625dfdb2ca4e6c0baa8d6af497385e9d7cac5ef356ad3ba279c00eac3a8a00f6822f58520247d6d18886834fb2c2a28b7ffdb83ad

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
144KB

MD5
3a5c2b74f0525c253752fd340c112260

SHA1
10f3df3f75d4d994076ac4428b4cea58345695b0

SHA256
41c2f1ed3ba25ac90be049a1bf50b4f52b9b43e5faa4a3ab4ed8c1b95752ea09

SHA512
821ed2844a23690d5402a78c8f9610e88579598f78b41a29124dca18e6a0ddd4ef72a59df2603a9bc18d353cf6a341813ef4ba14113d3cc142ff8720c09e2800

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
144KB

MD5
ad00bc6c54882e8d54fe46bd042830a8

SHA1
50a4919e39aa3b9337f276819a81ce8acd32ac81

SHA256
1dc32e70c20a7886bae5ab1062e77d70cf7a53ee5bcb9624d287e0c92abad5c9

SHA512
6a609157abaef7c5d0b9c6e9c9cfb9947dfb56b79ac8fb3a9be840451e0ecc86aec496f7c691fbd95f0a56366422531e9c1e2732131b46997b1cd3b70d571360

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
144KB

MD5
33f2ae7e051047f1e639478aedbc3ed9

SHA1
fb4631a0dc45cc1d299c0a55e4c92a335f58dbd6

SHA256
f667baee07380b7dbc9cb8a4daad2e018a73c93887bbe3935c1c13bc7a731f96

SHA512
785e10af0d6e5d6b81e4e8a05061d23ce160e6b281ad781681bfe944fb3755cba9a5250aeee4ac6fb90e3174e8b8b6870cacf9529139dd51d81f51c5174e9640

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
144KB

MD5
8b735436b7c3c11134c9319dc4ea33b8

SHA1
a99e906a14c9364fd7058fa4d16272948921a374

SHA256
1047338178e34653cb06a3077f160b338fe72d9ee39441921a6e6cc40dca7f35

SHA512
e7f8816329261f2fb22b1abec3e7be5be4d6d73bddce41c15a942b3e92ff860d75a6e660634852c920c205b4d55064c6cbbbb9280b2b7661a8af72815827f2d4

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
144KB

MD5
a7189b640d8d577ebed455b312e2bd9e

SHA1
1c3b761e1702a1108afc98ac8edb17d1385c09ad

SHA256
3bbd723890d0dea664ebcc6def65f380124c8b156ab1cb83772e81bcfe6f355b

SHA512
0ddc6e82643d121354f8c91de18d8831e02a6b80e98c294d2d5651c9d8fb411090483eb07890ae0ce4ccdc2f4d1b0b600d7eb1d282e40c736f027799c9360af8

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
144KB

MD5
2f1b445f9e0783ad827d3264d54bb639

SHA1
d2d2af461c6229994c484c5c019b377f99cc7641

SHA256
f0ff193ddc9ebd8b35fedb8a29b4cd12979af8739c2008deae7167ae54d0c163

SHA512
7eb7a517551693c729d79d79dec0120682ad9a2fcf7232e0ba78b1e3eb0b083fea6ab0d9196ef8d88d58d140a68cacd44234b689b3c24af7fd975b74985410d4

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
144KB

MD5
43756c17423f9438d4408b8cc80a9389

SHA1
dfefe7bcf62f49268c64baca4161364d21da94cf

SHA256
7d2c033304fc821d7c54815f49403ed84afa9727d7de3f5177def5c5d35013a6

SHA512
eff9a3b47aba47f1b44d35aa78f8175191be082a770aef803a489fdbda73b2fc26e50d9328b88647223de2eb1df9e7bcf45a6a3845db4e5a98f576bfcd341471

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
144KB

MD5
1f5c85af5ad35b944ec14889df19f6f2

SHA1
d531c2befd07d578d6efe7e41b0ccb7742a4a3a8

SHA256
46c0324b9e4412124783802382c02ce3355307851d84a42019b13ce013d7e7c7

SHA512
d04d9c256da1e65b71183009d9fdfb73b17d34e1112681f1c21ca1a917cca243a076d61b037ee12aba38b49afb18454fcfd8f9b9b51b3e74a58c3d9a73a7b6d0

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
144KB

MD5
7d51e76a664ef6c3b84211c7e4afe94b

SHA1
425fa4db0fbbbde3ba6d3676facb202acf9ed96a

SHA256
07629e8c4d5ada3d1dbc71f67721c76f51cf2931116e36a72bde84a2a6e6a785

SHA512
d4014241b0fabb51b59f32e7cc6c2003b1bf058f0ed3bf63211b8d3de819af9606b7ac85a5b7308c2bf145bf9f07d2c294a76e0441da061d99c6bc69bec6515c

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
128KB

MD5
ec5b8b2b5a042c0f6c7ddeb0b0d923e9

SHA1
6f9184f05b4bd1fb702d0168d45d325dd2d497e6

SHA256
94e880a3b6f2f42b80749517d6d3db4e35685780832bed0e8e062151ace269e0

SHA512
f293bd2546bf33d2239dcce88a4087f9f67d80f56c6a5c6f81aebef634cc7f4666e6c1443a77d27e9077da0fe6fdda40d73ddae7cb9328bb32e95d4349fd8479

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
144KB

MD5
b64e37a505504df11a99016eb195160f

SHA1
974819e73a2aec76f33b02e3bd61c18c06da54b3

SHA256
2c0d644f305c0855e812e1549dc56307412ec7bb71ff36135fca4d58548036a9

SHA512
de622223bdc5195781b3dbcd44519aa5812d1a355ddf028bf186f0d4a64daab5f445943f42673a8179001e8502090c61676a851225fff038879b55653deaebc8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
144KB

MD5
a28f846d539c1489867904752f55142f

SHA1
5edf40ee31a8f0fc66e3dcdac4f64043463ee6cb

SHA256
e05d013cb1ea3422b8321811a0e41fb601ac7da38a313b9efb2587490ceb4a73

SHA512
0ead0507d2a406f6edcfbb36d76087ecdcba947b88166a8245d76ffdf518504d0b1fdfdbc03472fc7dc017fee0f82f22b7d25b69815aba93d06616f7c3705f30

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
144KB

MD5
02bad938610034f4ddfbc52efadc7394

SHA1
07ce3bedefcc9a8e8637afa072b4b2dd50516b68

SHA256
203f24562a31651e046edb8fffb5c4cd77f53b9448776cd6bb05b400100f60ba

SHA512
a27d5d8f16287dcbd44d9f1e4fcd2d92304b018c7e9e93ddd64e5a0a438c8a49ded0e566f2a1de2d8143660d340c5f489138847e2163e7f72883f1f3ddf091da

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
144KB

MD5
5b47b8efdb1e44039edf5705283b23f1

SHA1
d483984716b4c4f306760c164630624c0be3e508

SHA256
02ebbc13c9bf1190a78aa506420314d8fdaf533dbcd0fe8db4a9271379992fc6

SHA512
4a8a071701b435c8fc0b799d7101dbeebe279c4aa6199a49691a4caa97c638ce5b6c3d8a0de2c7a021d016885a4811cdb9bf729d16466960a5a3b05235eb81e9

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
144KB

MD5
22c353e16e7c143a20341605a6938515

SHA1
2044255bff9a6da4a3f334d980d07018ef41cd2d

SHA256
826e2ad64a34963e923657964841191c0df8b1003edde58ef4a3a7d4482cf90c

SHA512
96c530c7e3f981dbc223add5857ee7ac625054ac7629439e81852ab6ed338c8e733127c31630a25a1b498c471edf3dc6400794b75971e534b6779c67ee427536

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
144KB

MD5
0b5162bd999156199059cbc8f38bebbd

SHA1
806e681d317fd297fa0c86a7c02b8bbc1b8e09cd

SHA256
f626ebc61b583993a4593f4e3b39b8583d3b54ecec19d6118bc83875dec53b81

SHA512
3ba68d91b39b867f42aec2f7d953ac4b2f16c5d5af895e6b5b757bea365939ac83868161d51e9c11f554febff97a298c1a4d253ad3059e0bfa99293edec4c0e2

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
144KB

MD5
462ad6aa76f9a63216f8c51b79b2d776

SHA1
1442e1520e17e5658cec9ad677bd0bc5b29d0fba

SHA256
c5d2ed644b91a0065b4d1eaae4d1b99e9f98b9fbd6669e669aa91e7c21cacf26

SHA512
ed543dd3c917b941b36c0a0f8b5eafa55989e1ee30b47f458e1e689c1e3b1226ef53b7a518ee895e9072dc0c646e9bbb2612dd5ebc826f5363b362ae3f483a27

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
144KB

MD5
fb234a69ea797575b1ea184cd6947223

SHA1
89aa9ea015bee45fee0fd4d808bb8ccb5e0e124e

SHA256
b64ffb81d446aa1c2ff5122adbe0781a6a3865e09239c5170c8452d7d308292b

SHA512
83c9bd8b8063e60eefcd916de5bce805520a40b44b52ca097bd2a0cb07c53e000ac0992d7455371a76dd22397ae00d96ef197753d143c6abc4f6aa543c203f0f

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
144KB

MD5
936e9f38cde75e6ef058f1479656d4c2

SHA1
46befdbaccfab41d3968caebff066563cd6f7661

SHA256
0b773cfcd0eadb0d51358d7d904bfe33ab41828532cf52fe25f32f8be334426e

SHA512
52e3b21a1f9fe27b8f53ca956fb9f0c12ea9797b2e50262e3b0fb8199ad50752b5c8e795260f3ae43d17e9cb70be371dd119f196f9997632cd2712e6e6190d23

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
144KB

MD5
c77a3654262e1e9c01320668f75b999a

SHA1
cb19b00a1fc64815d291e23df2b66419bf08205e

SHA256
2039e41bf350a251d120320aff89ab26e69487e4d72b1180f64df2fd5bd3c919

SHA512
01c01419e7f879a51ea9dbe38c6936d59616322f1fdefded12fe3f629b42cce1667fba1e495ce6d7f654582484e1466a8ff13cd1c3ced4ad4b17d4ffae8ac9dd

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
144KB

MD5
081b9954f037488e037e47abdb9553b7

SHA1
36f2d89ecd8c38acf61bf7c21136aef65bfb9ab2

SHA256
e7a2f3162269469b89b171ff15b1602b7a803cb2ce419aefd0e40dfd9dad744a

SHA512
d8266cebf275c477b73d12e5b63722d8dca18638ed1470b1ac5262d7efb0fc5a1021708ca0c0e00cc6262d01c9d1a8906ee04e4e0c0ab9b052f09eaf117487d8

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
144KB

MD5
3c3eb547399558ad7517024986188ed3

SHA1
2f5d3e0ddef7c7af6df6557cc2021f450d596490

SHA256
6b0675d3a4bc30ff57fb5d2c8594d75e4b379c95ae4b613af377da5cb43478a2

SHA512
1bd5da12eb3088d89d2cfdda4559ed36a25e8d4884fda4393b131bf22529dd905ecfd71857d50cec6ba4cdba76e8c0cf2bf9b7905e3cfa11a146461c1191cd8b

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
144KB

MD5
1705bdc8610b009ef4b873d89aea5828

SHA1
ca4e81d7f10e103fe2156cc8189ecaac51553bc2

SHA256
85fdf83ce5aacc22ea36dafb6166fafa113c89f8313a15f1f90e2e2cdc2e2a34

SHA512
07ebb15ff30ee3a8708b90a04b7f215935bb19e1dc49a8dd482cc14637c864e6ad9efa73f51ad287e4b178d67a9e630ae83ea30c067c64709225aed357700f48

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
144KB

MD5
0890bcd8842af0935dbeb9fe46249ae8

SHA1
e65b53e6a906193f90c8278610e11a74b979e9ef

SHA256
ab29666a1064a279e6e53b45dc1277463d6d3d6be42d0421cbc9cdb894ded946

SHA512
6b878b6694626d9dda1b64327bcc4716b2e1ff9993c96f5c27a82bf7d425af87ff35964906a9b247dd8a5ec053ebed4c8f522c12c345d97526ef2ce24ec10b95

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
144KB

MD5
1ba1e6b56ca3b06fc9122572de549f0e

SHA1
88d208378cb4243c528d0ae4627ed9dfd8fee5cf

SHA256
60271434d2a6f3d14f8430ed21952fdfb5f9b2203cb65c29f515d0eec608ab38

SHA512
5b7539a1b6bef83eb2fa9fa98df5eab6204b67da0cca3290fc5c84aabcee8f11c5acb92ae9b3720d7cfc7bf6ec261bc2edee064e3d19698b8e9e265a43dd2d95

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
144KB

MD5
8262c7deccad42858e97e47cd8466757

SHA1
3b3bb3cf52fb39c2fba46cf2936cc4f4acb5cf49

SHA256
08aa547bc9fe5a6fbf49873129f86eef3f0c97d92a94ae4cb017cf1496dde529

SHA512
3cbe0174716e5966c284878bf39db4d69b5256bc1fb63141d8911580ee2a7c743351811d5660801d804d73c2aa94ecdb7ee7f01cd4d9f3f5dd6b5193fb4b10b6

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
144KB

MD5
c15cda73da1a27ba4b1c197e3871fe5a

SHA1
5d881825a96f673d12914609c313c6db01b0eff2

SHA256
32406c9c7bce5d7f9144d4844a1258976d189c7d76f7519a7977f2a6636ff84d

SHA512
8077d171315dd6844be0f22f1a1b448e9bc70b113abd2d5001986fd824d84c6e5eee34c48e60d94533c2a91e1758bf5206201b0012eadb30e7d0823869068ccd

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
144KB

MD5
cd329912ea51806f23235acd41f6f6c4

SHA1
cf54b1be6e189cb81487fa78dbfa924622837245

SHA256
84357b4892b465ef70c981b93e11f613e0b9940ce22d8bf7d8afc5a991eaa135

SHA512
dfeee6ab9d0e4e8e96c398cd775d1a6295c01078ed36294cf5ab36395c87e6e472235cd64b391e27926f471bc5a1957f434a2d5c5b4389ad3a9ece430a3c74b8

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
144KB

MD5
d34098375b63d64e30b3c823666389e6

SHA1
eff29567189cd56df97a8d5c732873d4771ba522

SHA256
be19d95e7c807db058a14922c3b839af0e6d5747236dc362827aa067ebacdfd9

SHA512
b6647930035378a175c935f1ac232bb3556c9294bfed3f2fa48dd4e7e96b1261f79045eb7f5998d438ca8be9d1b718c8713dcef6f17b925a01ca9ef11f87178c

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
144KB

MD5
e0c925733463ccb79a0bd737ed85b97d

SHA1
8454f9a38f0df1266a457b8319c586334a40a9a1

SHA256
393bdb7b4860c6e6a9de95c3e6f02033f14aaee329e1ed9c71ddc0e6bfa483f1

SHA512
2a57f44ad31b26315bef2bf179ca8190cc930192db47e17148da24d50261caa4306a8e4c99c05acbfd765d66aec0e4ce51fc1fd1a1cd554b89aacce94e867980

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
144KB

MD5
ce871c44804b2d8fd337f106e38e379e

SHA1
07c41d38f8e73e579bccf5a97c6beb1d273f196d

SHA256
2fa94dc4d892230f896027ce806c738de6cde19702e599fcf3607d49b491bbd9

SHA512
bf33ab5aa65027ae0ef21d70a679ddec2d18e58348da0393744044bb45f563de046e6066dfe189e53b56638a4cda0eb8da1fd111b50f2f6321763f5b74b3f142

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
144KB

MD5
5ba6b12b3b5702e14f318eb01285cd51

SHA1
471b65d61751e8c884bc686c27c7e3583e9b6874

SHA256
dcede56a7afb1e6027c98b0974e2bd6b80047dc0126ad72fb2b1f83f5cda68cb

SHA512
fe50fcca24d769956d5ebba7f3897888501bb2a0f7699d5607bdf5b29604f559297a1bf72d579eb8a8ffcd9ca0ffe03fb121f30160c080d068077b42e87c9353

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
144KB

MD5
8f544126b74d91e4710828e6dc4c8a9b

SHA1
4561abe8d0d45c1f0d11159f3c0eda8919396b3c

SHA256
6a3f6577fcebda497ad426763428bc41488f52926ad28d11af82220ea87c96de

SHA512
e6baebd128e374bf2f03472effe03ed6b0ec3955f341025a4cb627ad032b4aeaaf73cef08dad979061d431e8968215b7467a43151c4b0dc92760a3d0d7acef82

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
144KB

MD5
ab41e9f43e0a0b282c1a83f175039b2f

SHA1
59725abd3d3b527c667897c9bfa9a4d79341067d

SHA256
ad9afe999f82ae837b997fdab066efd08a1fd6bbed0eca4431d53317d41898bf

SHA512
ac98881e2e303c9d6ffd99cc48cc6a303728d5e3d6798f1faff182a9148f8022b06656f46b2b67fab287dc7065914ca2e36279a3d6dd487a99037063653840ac

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
144KB

MD5
da932d8e2f8779162701c3b7683c007c

SHA1
38ae012eba5dc44a5125985806ceaabfe76219db

SHA256
f30f4271ff0a7eff106c9f7d5276654e8bbeaed77d575df7557ecb37aeb917e6

SHA512
89827a5e40da563de9878f76e3de4c683c1aa28a871d9c2a7980d97e84e6f0d72da29672a0dc29c836e42aa309e0b43f14bd003bcb8e6e3cf033043eddf873be

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
144KB

MD5
a924aec448bc39a0fd6426b9e5826a1c

SHA1
5dfd8cf83772c4e804e84f45ee3082d97a44e3be

SHA256
778074ae852e26a57ddd0869bfaca90508578e334b7a7e38d3da8128f323c353

SHA512
55c13edb502fdaec301937d2c8eadd8f72ad0a4f89db72656098362c3b5cc0dd12477ea50957cfd5d016dd638a30df231667376f61bb27c6bac9cbdbfde15d2c

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
144KB

MD5
c52c0a29da558cf87d68deff41b9a1a1

SHA1
af1402156e0379a3c71e94275f73af393eebef03

SHA256
8c5e42e718fd6a23aaa5a2995f0e6c72e8cf3033a736f2fb722eeb3fec7b5b22

SHA512
568b6d18d8266cdf0cf6a8a7c23529b94b15f5d1c4099d7b08ef080d4ce485f821d76ca6bff28a0b0f8ffc0fd19b8a39a3df9a7707bbfe96fd7cd00c2b70e795

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
144KB

MD5
22738fc40d191f1e0d94495e964b9210

SHA1
23a0ebc4339087acf5956654926dcdf079d8bd11

SHA256
ce63b36f2a9431b1179d1c091b9d809dc62bd865a8b3f91fee292f2d1c7b97d2

SHA512
798d2e97930fae3b03c37de8d77c195cce8fa132d96388dc568e847d1d128a37f7de5a0e966224bdc12f7f4a380761bb892d4e4ecbff90be43db7935aef85cb8

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
144KB

MD5
36cdd05441f899ce7127f6d5b6d56a29

SHA1
948c06c86c189490703b3acd6e679a78f44482df

SHA256
3b3d377696eade3d9d9c7a288e2fe256981c41a33960e010b8498d62ae965bce

SHA512
507ed3747f30040b52e40bea95c96836b73943bd4762afc079de2999b76452d5173969ff27b6822eddaab9dbf8f9fbb67c44f1e8f8a03e1895c117ec6373f1ad

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
144KB

MD5
3847d356ac02ed18db63a8d4e4716b66

SHA1
e56b262bd125ae9af946195669965a9a37c90802

SHA256
fc5ce5645f1b6d9c82d3b08f3a0bd2f83cb420d92a300f7cf292fac0dce054cf

SHA512
93bd1a143ddd0e1c5b4068315d20765da36ae6e229815c1f0d6be2e85c10bf51d860c5b7e6244bd717e10247f1fd136828b6f7c124f9dde660a7f668defff0a0

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
144KB

MD5
6c773f4267e410a63297ec63e1e62671

SHA1
700377470fbb6b8775904f5050525dda1f7d3e75

SHA256
7232aed80fe7d8976a2bb336fed4468dc5441b5ecf01ca3122fe5c0b6c7942d3

SHA512
919b6186ea94c592d07e0fd6e49d316a65ab122491c8fa1e121c6852fc45eed3cf3edb8f30ab6b09cc67ab358d6cdd4fdff98ffa76ff6c1f263401822d7a18af

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
144KB

MD5
16c0ab7b524113fba7a157ce60c4c3eb

SHA1
bcd9d0e4af54bf88e6b5365ef79a5aa4b5c71940

SHA256
c17b46c71cb2042360aaa9489f0253bd46dc44690293c7a0ef37cfd48a938dd6

SHA512
6da3f7ca6caac386c3399a53a29251a165883af3ffd92b0e15bf59484921b5107485b3355739efca86086bdbe30592df4d1791688715c1707ee45c3fb906e3ec

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
144KB

MD5
79a8c94f1688e0e825d2ee13a4f3cffd

SHA1
4abe725807ade62080d8d4424b0fec48cdeba8d1

SHA256
d7e18f16d6a3dec03e0bf820b9b0caf11eb6251e5a5f156b3558cc533f08a146

SHA512
44c3e3b57e14ebabd8262375971f600ff7478d0ff020164f5cec8cf3a380d0caece1831fe8a5ccd2ea2cb8ef862265734b5378b89db8d35a195fbeb3476838da

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
144KB

MD5
bfc64ba7c36c7c49da8950d0f0402b65

SHA1
6e7cd999486558cc994387e9d11da30e4c697705

SHA256
1721da8c85bf6e8750e3a5406aff719dc95a2c936607f50eb858f415758c37c9

SHA512
e104de09287bbd59833c02484c1a47f1ff374b2739422b3d78398bab59098072988503fc6fe24a5c16c46f56a69e505cc5711d5756d477b9ee98215cdb4241a1

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
144KB

MD5
5f7fd2d687b7f9dad3be19179a3e4a2d

SHA1
91f596d9f62f779be8d301866ded1ace31e7ce00

SHA256
d83be6cbf4b5a96ab4a39fb5dcdbac78eaa2954f659656354d3afb77c24d1423

SHA512
6f47469e5f007e07859d2f6a353f484f8239a6334d1e734bcc330ececd0bbc1df25e838664966149398bfc36d4f40b63e405cef3f6dd8278baca4ccfc9af31bd

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
144KB

MD5
feb617f09d046d4871fdf3845c5f4050

SHA1
38aa444428e74a588e7982c5aec2587ff33b8285

SHA256
0d450f1eb5e5050b2cda1432c7c47ad3759cb21b7fd6a2481d76affc9c8a28b7

SHA512
0b81cd2f9663ebda3c8e6954a24a58735685e768be254b809f02df93b2ed576ed1c726ac0a7aeb42595f6abdaa50148d4de5bcf6a7020363e4754ab17afaf8e7

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
144KB

MD5
d0ae0c44c687fa976fd32a8f4c6c7ffa

SHA1
790548aedc5c5c7e419384de0d048ab79114e9fb

SHA256
e1e93f4af5f759765076c7d4ff8772cb65c3b635b17b7162a0cc906060fe8063

SHA512
123d4812ac1c3959e85be6afa7b619c5feebbaa2b4b18ff50c8c4408a74cff1f62f18649a05acd21d5c74ae480b75a3ab4a6f7438092fac4464edfc3d84eff8c

Download Submit
C:\Windows\SysWOW64\Memcpg32.dll

Filesize
7KB

MD5
ffef8bd03740341ac00e7914130e89aa

SHA1
bdc99447f01fa3f51612fc2b6109f3cd1d1aebe1

SHA256
23aa3c1507a8af2839592b10f689ca53e4e3b8aef0f7b325d3ac2b4ee223f0fd

SHA512
5abb90b09a5fa8d7802e17ba2c8037a78adb1bd3441bb3b621b79d10d8d7f222349099557b92c02742d52c78b7ee00d402bbabe97ec7cbc3cdb76ddee03bbbc6

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
144KB

MD5
a225724bcd576fc042db08d64cb38ced

SHA1
6682ed4f133eb9f20d7e83c4326980a5b6214b8d

SHA256
5faaefade808a792cff9799d126953fa2e100e7cc54253c8dc025bd86f06678e

SHA512
e8301b1af6ce066aacc52982d601a9638edb2b0ef6d887dd456f309b5cca04043e5162dd8f6a627c18e8e032b12f5386efed6278653ab1170cd0f05ca8f378d0

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
128KB

MD5
78ab58629592f5233cc682cbb640c419

SHA1
dfbdcf9d96bb07e828785b451faf9dda53ca326e

SHA256
87ca7c06c7734f8fdb9839f86e6250511297a801f9e508f283aa90e765ac55b2

SHA512
be827fced55b3ca442e1b3b39e516259361582db07d39d01102ddffa1d1d3e15d1898ee59415783ea73966cbcc0d1d06c04c805ddca96ca6c8811ad24514a54e

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
144KB

MD5
bf5725ee9cd554a10381bf1dcbfe7eee

SHA1
cfaa272e85f0ba75ce4eb576ab112b911848a8cb

SHA256
85614df58075fb246296613741831a322f04bdbdd572cf454a1634dd02ed276a

SHA512
2f8ee09ee7cc9cbb7e8dca352939c7ee0ac0c306c756733e6d59a497e1a0c46b1e0466e0120c610aa1282133319a13ebec144febd1eeba7cf09e09bb2b505870

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
144KB

MD5
44f6c7f839eaeb917e48386d2c615201

SHA1
543bfed7859f56a8df78e441d50f177eec7668ce

SHA256
a49af4350fae6ee8ce1e5ece711473ae0567107bdd94a1f439053975412435fa

SHA512
80f4f4cd81a80dd744fa6e9cc371b8eaa5c0d6358fd1e399546aa82b0bd939de2f2203e5e2c509d871824629c47953ec4aa74505d27f76a3a8c747052b522e97

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
144KB

MD5
d7c44084a809b9dc279bcf8767258b46

SHA1
a8469a6b30c3796eb045f5a70bf84fe1ab1643a5

SHA256
5489080f0f452b28a6adc666b70abc85d5def656f542bf14f3f4288dd0c0fb3d

SHA512
fe9971c2530c5d6560c0e27aea5c161bbbce8e8e6510d8b4030a4becae7a6595817417a96c119f0abb61dfc24079685bca3ef9994e68be4b8d48e9aea4dbb538

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
144KB

MD5
16a3faf3453dc607c14c6044c99cf7f2

SHA1
7a11246b1f1caec66cdfa14c4763f91578967f9c

SHA256
1b40e38975eebd11cf1a255d932a7d23bbe97aa58baf3a46aed71055dd724b67

SHA512
e12017b7b66c856308986eb9678bf3abd1cf5892919903a6954b22cd2e90f26e75e5da38afdb3326e85841a867d7856b85a3acf13c89d8492f3d142f0887a4ef

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
144KB

MD5
950267656302cbc6ea5bd032c693503f

SHA1
9e9e4063d47472f7525e4019bc10ed806556e8b6

SHA256
bd59c25bddd633fe04999e939521c430d56259c4e620ba7dc2d2f7dfa5475d1e

SHA512
50a39077ab0c8dd67c369b94716ba471d7ad7b4d210369892bcb7037e1ed1980be93fa4d3c6a95ee25ed036fe9904afee14b6f487c6daa34e4c041c9dba65755

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
144KB

MD5
93d3fbfe69803f740d676d668d13408d

SHA1
7c9acd219ff49d5537badbf13e3155d27d5c1a07

SHA256
e9af705203e96034f826041e9eed92471962dc0b5e210786d5d90c088076965f

SHA512
cdcec7c6e5bbd0cebc7518bbb0df1994437b06f8adf332bd9e3477ca2edb0c920726a5487b140b6eca7572a7005116c0b00a577e98d0ddefa655673e7bb4127e

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
144KB

MD5
18802019d2edfe311763a43942ca9f73

SHA1
b77f948d1fe01b082583d9c4a51c46309da8e4e7

SHA256
86a0d85b44db2c38b94264dfe3914ee4ae273d761c2b63dc7ac15c9e2d647c48

SHA512
f4a1f78e86b799e52e5539c1fe1ceeec0cee11f2d0c3f8b1f9fa3d7fee7908929ba0602f2dce45768f17249466182b529735a7ba86b1878e32f7e94cbc9f8638

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
144KB

MD5
b65f029526d8431595109689dc27826e

SHA1
c1cc4a05243960b661ac3238b1b64a5db9f55866

SHA256
89c79db64a1b4c44564cba9a7fa91e30706cda345090530fa00f85ea985fbf96

SHA512
63a15ce43607d716cd2bd9afc8064d77b44c688a185d84b91829d79d39d01ddf339494a1a559097eb5963f507e6ea29158c1651b2b61f01a131ba47b5d9c905e

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
144KB

MD5
20f79c8eed2f8c876c9efe554c661c87

SHA1
d17479bc361412c44b802fa0ae3798f807d97840

SHA256
4a5e1694e5add969ba13c60771c12c7794838a1385cb6ad3fd00086eeadd180f

SHA512
019b6bec3113a5b2e5a6f266a3f2ce596b298113b907e5c024738f7dea7b9c2d22677c3a97dea8d21f05c54d8a5ea1e324eb915fba2b9bcbe1f94b18947ec45f

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
144KB

MD5
8bc71086202da50d0332f1ca95291d95

SHA1
72e1cf3aa11641bc3c9194e8286ffe1228dbd138

SHA256
b9c150ea9ed35372fca324b1001ef01be7d77b84a8ed5779c851794ea07b12a6

SHA512
2a66624971850b5038c4e29ff0c28d1830965515e57a725069aa9d093f4871f7874c412f50b5da105178af8ae16755d9f67b1fc6f50c07075c4f5747fabac986

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
144KB

MD5
728c952d1967d9a64368a2456912b3d0

SHA1
401f39b0d960a26fd4c4d0429c26015e57d03182

SHA256
2dace7ab32b35222f8f4aab439e3d409c58935be92ddac259dccbaadc9afc8ac

SHA512
32ce6b5911cb2957a7a15c79268818b3949dec89ba668fbd93574751673c2d6b1ab347e69bd591e7a34bc8f26cd1a11c7f3b54f82597724a78a1e98949957666

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
144KB

MD5
b44da567e3f75d9169b71c2f0dd90847

SHA1
91a2d91348d067e9f7efd8ecb876f5498a831614

SHA256
c921431636adcb20e88811cb8b749be8d38653f4779fe1dc31344be9afcddd38

SHA512
fd989ec0050aadc79c0bc7a98b8ca68eea9066e1e731290790ca33f4c315b11627ff43e42664244cd9928b6789c6e9bc7e74dd8ddb628d58e81c15beb0b94aa0

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
144KB

MD5
d137649dd6a660af8cc5edf2e82fe27a

SHA1
de40645a80e3f8ebf6ae9391eccd431e5e216d69

SHA256
974217dfd94fe4974d76646f3089ffc82e8917b940b1835a26a365d04026255f

SHA512
c7d5c83962f406af950b91a158267710851043a8f498aee9e9d2ab74e822676cdde25d91b137a55a2b30994024b90d40125089704bd30ca196d33b8f4f72052d

Download Submit
memory/404-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/436-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/516-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/784-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/832-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/860-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/884-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/920-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/996-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/996-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1264-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1288-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1416-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1476-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1540-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1612-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1628-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1628-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1644-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1648-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1648-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1768-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1796-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1804-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2264-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2368-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2636-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2700-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2888-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3096-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3112-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3164-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3216-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3344-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3416-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3496-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3576-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3656-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3752-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3812-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3912-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3944-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3952-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3976-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4004-481-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4048-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4140-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4184-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4184-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4272-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4300-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4400-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4412-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4440-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4556-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4772-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5064-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads