berbew | 0402b194f8406d3c6c6be59d94a48aed9debc612fb443c376a25390c4d1601e5

Analysis

max time kernel
93s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0402b194f8406d3c6c6be59d94a48aed9debc612fb443c376a25390c4d1601e5N.exe
Size

96KB
MD5

5f6bc7c6b639bcb3d7dd08e40531fef0
SHA1

cbf39b5ffcbd007c8213be8d2043fb08493ef449
SHA256

0402b194f8406d3c6c6be59d94a48aed9debc612fb443c376a25390c4d1601e5
SHA512

aa67d0eb7d508590913b5373a1e900672d4c8101fa0db3caaac1aa0b95ff96286b5b565605c35dfa01334125165a4884d75d8dc293e0839fc9d065a5a86e4fda
SSDEEP

1536:2QIAz1wBwzqMwWjxIyletQBh4OKEq3QlAKOYzI8wMggXKSSeootduV9jojTIvjrH:Jf7qMhjB4UhlKFDMxRtd69jc0vf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1348	Hmhhehlb.exe
4944	Hofdacke.exe
4852	Icgjmapi.exe
2664	Iicbehnq.exe
4420	Ipnjab32.exe
3996	Ifgbnlmj.exe
4596	Ildkgc32.exe
1364	Ibnccmbo.exe
2044	Iihkpg32.exe
1876	Ilghlc32.exe
2872	Ibqpimpl.exe
1952	Iikhfg32.exe
2912	Icplcpgo.exe
4588	Jmhale32.exe
3976	Jedeph32.exe
4876	Jioaqfcc.exe
3740	Jfcbjk32.exe
4432	Jlpkba32.exe
2312	Jbjcolha.exe
2648	Jidklf32.exe
1620	Jcioiood.exe
1224	Jifhaenk.exe
4580	Jlednamo.exe
1840	Kboljk32.exe
4264	Kemhff32.exe
4356	Klgqcqkl.exe
4200	Kdnidn32.exe
3564	Kfmepi32.exe
1160	Klimip32.exe
2960	Kfoafi32.exe
2752	Klljnp32.exe
884	Kipkhdeq.exe
4492	Kfckahdj.exe
1864	Kmncnb32.exe
4288	Kdgljmcd.exe
2496	Lbjlfi32.exe
4488	Lmppcbjd.exe
1436	Lpnlpnih.exe
224	Lbmhlihl.exe
1168	Lekehdgp.exe
4636	Llemdo32.exe
4856	Lfkaag32.exe
3616	Lmdina32.exe
2556	Ldoaklml.exe
1764	Likjcbkc.exe
1240	Lebkhc32.exe
608	Lphoelqn.exe
1768	Mgagbf32.exe
940	Mipcob32.exe
1396	Mlopkm32.exe
3840	Megdccmb.exe
3896	Mibpda32.exe
4592	Mlampmdo.exe
4088	Mckemg32.exe
3532	Meiaib32.exe
4440	Mlcifmbl.exe
2528	Mcmabg32.exe
4348	Mmbfpp32.exe
1604	Mcpnhfhf.exe
4584	Mnebeogl.exe
3744	Ncbknfed.exe
4336	Nilcjp32.exe
3052	Ndaggimg.exe
3224	Ngpccdlj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ndqgbjkm.dll	Jcioiood.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Lmdina32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Adecfl32.dll	Ipnjab32.exe
File created	C:\Windows\SysWOW64\Jiopcppf.dll	Jmhale32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Kdgljmcd.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Laffdj32.dll	Hmhhehlb.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Ilghlc32.exe	Iihkpg32.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Gilnhifk.dll	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jioaqfcc.exe	Jedeph32.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Jmhale32.exe	Icplcpgo.exe
File created	C:\Windows\SysWOW64\Kboljk32.exe	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Jedeph32.exe	Jmhale32.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6024	5176	WerFault.exe	243

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilghlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmhhehlb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adopjh32.dll"	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0402b194f8406d3c6c6be59d94a48aed9debc612fb443c376a25390c4d1601e5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Icplcpgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pgefeajb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 1348	4324	0402b194f8406d3c6c6be59d94a48aed9debc612fb443c376a25390c4d1601e5N.exe	82
PID 4324 wrote to memory of 1348	4324	0402b194f8406d3c6c6be59d94a48aed9debc612fb443c376a25390c4d1601e5N.exe	82
PID 4324 wrote to memory of 1348	4324	0402b194f8406d3c6c6be59d94a48aed9debc612fb443c376a25390c4d1601e5N.exe	82
PID 1348 wrote to memory of 4944	1348	Hmhhehlb.exe	83
PID 1348 wrote to memory of 4944	1348	Hmhhehlb.exe	83
PID 1348 wrote to memory of 4944	1348	Hmhhehlb.exe	83
PID 4944 wrote to memory of 4852	4944	Hofdacke.exe	84
PID 4944 wrote to memory of 4852	4944	Hofdacke.exe	84
PID 4944 wrote to memory of 4852	4944	Hofdacke.exe	84
PID 4852 wrote to memory of 2664	4852	Icgjmapi.exe	85
PID 4852 wrote to memory of 2664	4852	Icgjmapi.exe	85
PID 4852 wrote to memory of 2664	4852	Icgjmapi.exe	85
PID 2664 wrote to memory of 4420	2664	Iicbehnq.exe	86
PID 2664 wrote to memory of 4420	2664	Iicbehnq.exe	86
PID 2664 wrote to memory of 4420	2664	Iicbehnq.exe	86
PID 4420 wrote to memory of 3996	4420	Ipnjab32.exe	87
PID 4420 wrote to memory of 3996	4420	Ipnjab32.exe	87
PID 4420 wrote to memory of 3996	4420	Ipnjab32.exe	87
PID 3996 wrote to memory of 4596	3996	Ifgbnlmj.exe	88
PID 3996 wrote to memory of 4596	3996	Ifgbnlmj.exe	88
PID 3996 wrote to memory of 4596	3996	Ifgbnlmj.exe	88
PID 4596 wrote to memory of 1364	4596	Ildkgc32.exe	89
PID 4596 wrote to memory of 1364	4596	Ildkgc32.exe	89
PID 4596 wrote to memory of 1364	4596	Ildkgc32.exe	89
PID 1364 wrote to memory of 2044	1364	Ibnccmbo.exe	90
PID 1364 wrote to memory of 2044	1364	Ibnccmbo.exe	90
PID 1364 wrote to memory of 2044	1364	Ibnccmbo.exe	90
PID 2044 wrote to memory of 1876	2044	Iihkpg32.exe	91
PID 2044 wrote to memory of 1876	2044	Iihkpg32.exe	91
PID 2044 wrote to memory of 1876	2044	Iihkpg32.exe	91
PID 1876 wrote to memory of 2872	1876	Ilghlc32.exe	92
PID 1876 wrote to memory of 2872	1876	Ilghlc32.exe	92
PID 1876 wrote to memory of 2872	1876	Ilghlc32.exe	92
PID 2872 wrote to memory of 1952	2872	Ibqpimpl.exe	93
PID 2872 wrote to memory of 1952	2872	Ibqpimpl.exe	93
PID 2872 wrote to memory of 1952	2872	Ibqpimpl.exe	93
PID 1952 wrote to memory of 2912	1952	Iikhfg32.exe	94
PID 1952 wrote to memory of 2912	1952	Iikhfg32.exe	94
PID 1952 wrote to memory of 2912	1952	Iikhfg32.exe	94
PID 2912 wrote to memory of 4588	2912	Icplcpgo.exe	95
PID 2912 wrote to memory of 4588	2912	Icplcpgo.exe	95
PID 2912 wrote to memory of 4588	2912	Icplcpgo.exe	95
PID 4588 wrote to memory of 3976	4588	Jmhale32.exe	96
PID 4588 wrote to memory of 3976	4588	Jmhale32.exe	96
PID 4588 wrote to memory of 3976	4588	Jmhale32.exe	96
PID 3976 wrote to memory of 4876	3976	Jedeph32.exe	97
PID 3976 wrote to memory of 4876	3976	Jedeph32.exe	97
PID 3976 wrote to memory of 4876	3976	Jedeph32.exe	97
PID 4876 wrote to memory of 3740	4876	Jioaqfcc.exe	98
PID 4876 wrote to memory of 3740	4876	Jioaqfcc.exe	98
PID 4876 wrote to memory of 3740	4876	Jioaqfcc.exe	98
PID 3740 wrote to memory of 4432	3740	Jfcbjk32.exe	99
PID 3740 wrote to memory of 4432	3740	Jfcbjk32.exe	99
PID 3740 wrote to memory of 4432	3740	Jfcbjk32.exe	99
PID 4432 wrote to memory of 2312	4432	Jlpkba32.exe	100
PID 4432 wrote to memory of 2312	4432	Jlpkba32.exe	100
PID 4432 wrote to memory of 2312	4432	Jlpkba32.exe	100
PID 2312 wrote to memory of 2648	2312	Jbjcolha.exe	101
PID 2312 wrote to memory of 2648	2312	Jbjcolha.exe	101
PID 2312 wrote to memory of 2648	2312	Jbjcolha.exe	101
PID 2648 wrote to memory of 1620	2648	Jidklf32.exe	102
PID 2648 wrote to memory of 1620	2648	Jidklf32.exe	102
PID 2648 wrote to memory of 1620	2648	Jidklf32.exe	102
PID 1620 wrote to memory of 1224	1620	Jcioiood.exe	103

C:\Users\Admin\AppData\Local\Temp\0402b194f8406d3c6c6be59d94a48aed9debc612fb443c376a25390c4d1601e5N.exe
"C:\Users\Admin\AppData\Local\Temp\0402b194f8406d3c6c6be59d94a48aed9debc612fb443c376a25390c4d1601e5N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\SysWOW64\Hmhhehlb.exe
  C:\Windows\system32\Hmhhehlb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\Hofdacke.exe
    C:\Windows\system32\Hofdacke.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\Icgjmapi.exe
      C:\Windows\system32\Icgjmapi.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        23⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        39⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        43⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:608
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        53⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        56⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        59⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        66⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        67⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3836
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        73⤵
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        78⤵
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2576
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        86⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3020
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3752
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1956
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        98⤵
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        99⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        100⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        103⤵
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        104⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        105⤵
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        107⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        112⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        113⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        114⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        115⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        117⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        122⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        126⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        127⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        132⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        139⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        141⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        142⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        147⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        155⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        156⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        157⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        161⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        163⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 416
        164⤵
        Program crash
        
        PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5176 -ip 5176
1⤵
PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
96KB

MD5
59aa31e0a410778abd85937a49c75599

SHA1
1a7bc7d764836449b04d807f8b54bbe20820e1c7

SHA256
b5f5563a8ae201c9f22ed99aa7e95aab1936d5bdfe78171586bfc28251e1c5de

SHA512
aaa4dc28e87a2bbdc1eb35cb2d884148935cc67ad155ab23642d025537266c9ea5e323d266a64546ba9cdb80601b74801b3c814755306f4ed18d344d06bb554f

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
96KB

MD5
a0e8bd72c51c7d21dccb3798966ba8cc

SHA1
2bc2ebe485d058d60b5b19552c76d40d2a32fb6e

SHA256
9c84fd0df31ea182576d8cdaa1620fd4cb45d5281272cfb8b5bd1d37e3df95d7

SHA512
14e61ef10fdcc69e0be071124e90fa547d52db65f282b449d58a3e09367de440c4c349cb35fa29bf6c81c1243f733b4d454b4730e15f3f6394ad29bf2ae29f14

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
96KB

MD5
ac7845d25b78024b51903cb233a75039

SHA1
0982782c09a94497f1fed716d77f0a4bab2431c6

SHA256
ef3cf5b772e3ece514398f110aea6d7c9899b4f1c6822905194942ababeb0c2f

SHA512
1a06981b626bf78e84e244f0dc45a4279bdbeeb66498e76fe3e44be7e40edb6f46e1eb5c7dc7a4371093ea04efb06d5f2647405fbabe9a6ec50b8b0a03f18537

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
00411b9a294c05fba4f6dfd068887cec

SHA1
c9c9091cca6dfe3ad2e6dd1d9fb5dfff167cf4d8

SHA256
f49a0b4d54170983e4994ce4c3756468796b5c1e84de20ab07bba0523c0d35d3

SHA512
2392fb584b5c556dee4e133be1aaaf0fa9d98fe3818701a21bff9a4639327ff740827219a005619347cf007ce20184c5ef14f6b672c3e068c2498884869dff0c

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
9ccf36305e6412f95bd1e81b8adb4bec

SHA1
f3df44bf5cbf13d16769a24d8ac61b0267f2e4d4

SHA256
bc0f46f9faf3186a346a98e5d880c7fb59110c8885d626f5fa42989a9b878472

SHA512
edb870aa43e089b2368957d979a6c147079c9a9176aec729323a3cfe257a7336fb4bc4acfb11dfb5c8bb86c94171baabbc2adf0119376af21cde564b49178c0a

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
c7c72bde28aeabb7b0845d9e1e2cc0d5

SHA1
850fb5d574e570cd7a92a2863351255b7b1f16b4

SHA256
bbdc1588ee8599e769a480bfd0f455f12ceb3dfd837e68b3ec334dfbe3745160

SHA512
8b0b3ab0389b1cda1488e94530d651fb1fa4df6f2d9a9b10bb83c435fd04ad4cce222d94414569b0b5180045edbc60d2a79c422ddc2b29022266608fb5bcee0f

Download Submit
C:\Windows\SysWOW64\Bgpmhl32.dll

Filesize
7KB

MD5
5509d53835f85af0f0a822b149ec0d98

SHA1
cdf2c0fbbb011aaeba8b2d68456a208aa53bdfe9

SHA256
6e2d9d8bc9e0b5a07443d6b8eb18a2472521d1692be5f4f51523264a8a52933d

SHA512
d2bdebf23f81c515be100d526228c6506402016c92f5a4ff7b6c2617d2662cb542ce8e1b3cb0933afc4f88ac46298b62d7f38d95847a57b4bf8f315c236537e2

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
13ceaecee2bb70e113bfb7dac4372902

SHA1
e99e61b7a422c13427e211130a104dfeec10ff64

SHA256
8d7741122e958705aa8cbacb16ae939997897452a02455fa0a0ff7f19b202107

SHA512
edcf85647485ed892447d325bd0b31e1b9b7cadf8fd745a9380ed0b2a22dc9c229056a9b74cef8bb51932963931d95b6e0f724a0bd0dd16ab029040edd8cc0fd

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
96KB

MD5
992d3b6048f73ba0d789b6adc8f04cb4

SHA1
42aa4c55f7e61e352013c614d3152bad8d2b3473

SHA256
c6b6d7a8f7b0f3d173ece3261085ef0b3c21eac8aeb8e04689ad98b7fcb1e1c3

SHA512
19f2b17a5833cd7a67b4801369e794a3c77816f93d2e4a0a7bd4a3ae70f79102cb20dcd044a9efd92f4a2b67bc25c8ac908ab2bab4999a64ff8903f2501a8f2e

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
152e900908640d6b44e2924acdcc3dd1

SHA1
cd827cee66caaf8662bc9a25c9922494368e679a

SHA256
541a20e912b602a29f17b1e3556e1c0c2d94ebe3c6815c4381ce48c1bc9744f3

SHA512
b6910a977a3111183397d060fc6e112d35deafba0604b7d1e7575d173ac9b3a3acd36a98993cd81fe40318e092fefd546b6816d5fd0a437654bc2456e8231f50

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
96KB

MD5
24de8c4f5970d57361194273cbfe8395

SHA1
1c2c500e7b854aca4bcbb59af0f28bf1d97fb6c9

SHA256
ac3595a5d4bb118c258c5ffcac5259e8613f172450bb3a5020623311dc3d0a18

SHA512
7393843744e091ff08f5ac17528548578b6247dccec240f743e468f62a5ab6610fb71173147c66a2b4526763120a2f182d894ab0605edbcf236acc1368557d0d

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
88bfd55b59c93b30b5a0c092ac163a2f

SHA1
6abab312c92ce747b760e08085a548165bca034f

SHA256
0e536bd2e8c03f5ce815e33762915dbdb1005973ace5d1af7279cfd83b1e19d0

SHA512
33da9f7620f9363437757e0a4c470fbe02e023376d84e74ae1a7b6d5c4d2ccaf96f0cd5bccbd9f332038293da6f8462ff055feb4d54a6a677195b32922b5996c

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
96KB

MD5
7a2facfb03d9f5efa7a031615bee4d58

SHA1
53a8dabf084b4e69a8bab4b838af154f5b17b51d

SHA256
307fbb7ee451e773a696111282e5532f55b8543ee65daa779947982814da3086

SHA512
3dbd9f0e8c33ebb27fd415ce26226b613a40f27662413b12fa9944d85bc7692d4ee00a84eb2475f932df61dfef1b98692a769302b916da362bdfd55c73a2d5d0

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
33a0bd8b58d244d1041479259d84edf8

SHA1
3f4c85e509b7f9045093f7122113052d079116d8

SHA256
be46e160e241d4341dbe8189e8ebae3c5e6e2379882462cf04de02a409d268a4

SHA512
51c2a568e0fa3919a7cdc3dd71066e06f3d94f22e51bc2fc585b54c12ff4ffd43cf069b6f5abc2ce4ddc5b0119cc6f18e403591687e3704ea52e4867309e41e2

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
047a2e48a515f89e0439f0966815f908

SHA1
cde1dd8fb7f1e263099b95f6492a232536594486

SHA256
6424aa9e419d81290e245574e0b7621e11e526eeb068271357a2c5d0dec1738d

SHA512
9aafa2fab4386e78982496f56d92fb1fc1f55cf117c32030e6fee910a32b94257255acf33571e0162d4e11e5fa22dd2738c2e1c51ae4e8ecf3ded5409ce9b0da

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
534c91266e1a37b29b7dd39398dcf126

SHA1
1e2bcccad07daec6b9ea16858d96cb08eadcdfd1

SHA256
478a687bdaa8d184458507cbc505046b81bf8c4912f283ca1341fcf71f3f68ed

SHA512
73f1ea7119522107985869c8de5486349e1c767029b7c6ab53789aafb0b6109fe3635e3eacfc0c319c72b1c66fca54b1f3d44906da9545b6ba714d921517efc4

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
774c443f6b7a11699cfa6a839190b95e

SHA1
989cd0c14a8c779d178c26e63e917cbe4e8ae467

SHA256
9475b86a72ee8cc84b44dd2ff9802def0d9e7b89aa43eb0957885e3d31b4542d

SHA512
b24059e5eca78e335bce32c1dff34a306b432ff76983c743c2975554aeb149726312c5288bc040e5e70f78d3393383765f1a161239e913f1c6c233a764feb07d

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
63379657cdec23988d49f7ee6a1aa885

SHA1
de998d10bd26d14c48249b98da59dd0fec29a31e

SHA256
d4338e016c3703f467cfee465447874bea6acbc789f7376895d1f50e8a633ea7

SHA512
7354510fd93ee042414ee83a7e6f9cc2f97c415b912ac6e3546cf25c4a18f7c0f033f54909fb8828581c3e58644e3fa71efb2129023911ae145bf77149698523

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
f93e4950ac414cbc940d89a2931dbfdd

SHA1
6f04461c4e3b5e6ca4ed0800328a06c0572b2efb

SHA256
ec97406ac5e95c97046b735a4802234be52330252edf87992547ed4448976387

SHA512
dbad0de60e4c9858699024486e2512deceae68df6bd2cc9e375d6985b79ce24c7c3e47b4361ee4d97015b97b04018e82e1e71cdf96655437684f37d724ac79df

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
a2047ca574f3c31428171256d8be510f

SHA1
110b697df2f162a02d49a38ef656ebfaa80dc9ee

SHA256
51e1b41df5d16b68e6940dcdd3470bef0fd8af8c799908e3f27db49d3d24f132

SHA512
06ad436bf98c62cebf6075e03e4b5ad779cb8ecbf9a88d2af1ce90f73f918d4a3f3188dde99d76ac1d8cf59b37e41201618502a42ebc0fa44fa128c4c6290c42

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
96KB

MD5
ba06462436d7c8aa5d864fb80fa332c2

SHA1
fec6232e34cca38ec49a0062cda5706ac978d1ea

SHA256
705257303b7a7f0265190f893cedeedb8828de49de959a27e01a01cd91a51b2b

SHA512
63859a2c00cad50b1e95faddb707c6253c0664f23b263d98650053fc331305cd06d5507686237d4a9bec83fe202f0c1542eb880132fb34cfe4ce0081481e0ba1

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
96KB

MD5
4b49474610578061ffe8c9fdd7d06eb8

SHA1
1c94ffc30465b5efcd4ed7c180fa543d613c0d09

SHA256
9558d2fa19631b269a3f665acdee830ccb0fd941156f60927cc90c9a80893401

SHA512
b367d591ad3697ac9e7b65f469e8fdf8223f5c74937d34e6257e9a66207c8f1ee446feaa5e9578571bf8475afaa4ab49a9a87128b43e71dddce37067ed2ee224

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
96KB

MD5
f88a3d73fcf340b052c4bd337e314b41

SHA1
1b34ba796a970d648ad3d9c8826e690846386938

SHA256
bc95c6852429e2b1b3de849c45a251ff6abe9ff15e07e277c2e9761d379e3ba6

SHA512
e73d4c74a0868ff6d23d4e84e85f96eae4281292ece49ffe0c01b0ba72a7e50e8e050339400fa31b2763a34fd87ea50f39bffa65e775c58daf3e0dc7b426561f

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
96KB

MD5
1b945382972bf185320b319c0f94dabc

SHA1
aa62bf74c14d6026cde71498ef0d0c99f84cf8c4

SHA256
7727d1f732cd978b625321a7a451c321d79f2521f86476ab6d19f3f6b3280222

SHA512
e6b398252756768efe8c4e3dfadef9957bc5962de0a4553698ad88d3ebb27834ff5423aa23adb87b06e624a5655ad31a990cc738526cd4b9a5a1689a61b33f22

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
96KB

MD5
e736c5d424369ba7e64f049c268b00ee

SHA1
67b41f50dbb896398b9144f947f06013c53f9d46

SHA256
b23839dfdaaf1f98d97898276dc910ea797cc1e9efa065c2f68df3ee88128252

SHA512
08508206743b77e7ad7738fe8ff24205108d1ad5cb33f7c27314584f6af7998730cebcc4b9f80c0ac0661380b0dbef663b765e174b1147e8baf60129518bf43b

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
96KB

MD5
3a281b387f78e48e304706695b321c2c

SHA1
36ed97a3fcab812aca76ef0291919bef2029f3a1

SHA256
4c9311a801a268f28cecde0ca6645bbe5f38d535f8a8f0855826f3dcc0085f8e

SHA512
9d5b30f7ab10db2131fb354ad5356019eb3ddd157944ec28ebcf8234a37b19ed5a44a77b30e8a23215a8bebea06a20fa0685eb1b0d9c162fff9a93184947513e

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
96KB

MD5
49565a0c47b8c0b66cad1e4c1a487e5d

SHA1
cb3bd96a10a2828e69d0b40fa48b1c00ce6e9b5e

SHA256
a38ebfb0f39c5ebd778a201dc93dbb283269cb779951d3ef02910d7613ca5681

SHA512
15ec7301e38b107b80b4f481ae434db99b05ef575fecd8493ab8a206871c2f29e7f95c88e194b57e6a05f45188216d74cc9ab8e20c463df8e3de852b99940072

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
96KB

MD5
6bb328e17e9e840b43b90c2ab9f0b0b8

SHA1
ca21e0c96066b27fafe889fab14d371ff389f181

SHA256
bab9c1ad36d3fc0897de856c0bf409be0e0ecb72d6b42b22db76139272792825

SHA512
5ac6e19084d56521b041c63f115b77f2e8693e347a77c75fcebcd843c8a1907f07a434e5194289e3aa8c503e6b291dfc37f0069757e37b4e34fbdbd6732af2b8

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
96KB

MD5
30e317206927e4539b06a2e836b6bc98

SHA1
2474cc8c94fb30848df13f539b3afc5a524272eb

SHA256
48b3d78626377483a6b0f052704c19db31c2bc72b3de6d37e8961893572336a4

SHA512
9bb09d3e8ee3dd98759d4760c4f01715d6c2449432ccfb68a8e401014abfa023b5b54eaa4235759a8cc0b3d2fe1ccad0cf6e06432300db77419255a3ca78e8cf

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
96KB

MD5
1565254142d8a717a15bbbe30ca8332d

SHA1
cb7af5d475ce7f010341e8f776ded196f0693d51

SHA256
bc7397b920873da0cdebe1e1376a1c69abd3fd106cbe1158b0634f5476d5ce53

SHA512
a8f91fbea9b6baafb396b790242faf11a108ebf4d718acc593c23848a8bcbce540ace2f970574721b83deffa8b53d3007c35ec53e49572be7ffb75957bac0337

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
96KB

MD5
9e71c18dc41e1460021239d05f237127

SHA1
70f8128ae446e6f7a292c9e252c365bf1de90647

SHA256
37e25869f9657d26e4204b46148698402f39046032dbe8e566249397b64dd7bf

SHA512
42b5ef5c93ba549a74cea75973de64240e518b2492badf4001aee1694e1cb8215a59d23eb36848e3ae371b6b6afea72a1c380e9e09811ae3f3f9159f3be15f22

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
96KB

MD5
dde6961faaf91195aba0ce6437bda465

SHA1
c9a045f282e6e7cd5f86c91927dcfa402e6f64ad

SHA256
ce6bd526b8d5484a3bdcddaac2b21513b9279cf50fedd150c384a6955ba3c650

SHA512
1afa0f8c936abfd074422eb9024328a3e1c35714c7f6a3bcf0b260c07669c0f555c676da806fb9d52daa7273b5ef61c368e3666896dc0a35c6568e6723c2d128

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
96KB

MD5
6519570d5a942f99389b6d237fe5917b

SHA1
cf0a9aa30d487890b61a18e03ad9e291cfb14ec2

SHA256
bab6f8f207ca2b7efdb501a02a346ec73e1611f9a748e6eca929fa0d072c27d0

SHA512
3a4bc1eded06437f61262e9c1dad6cdac3a69bffa5693e3bcbdbe78f793ab9de4187f65bcaa75de95afe013bca7a915749e2e63990988893b71ca784680a8d71

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
96KB

MD5
937f0fe4a27958a36d393370bbb65da7

SHA1
96a4150f80bc844d361ed08d7673e3e3f2a34193

SHA256
9afb1bc68bbde35eaaad29249b0a5212df40f4719accde8f209ad587ba6cd9a1

SHA512
5fca7aa543ebe89325881f03fce9b4d43f3484956a764043a5adc55a344f6207849c7b83450a1ba7bf7d48c50b6a6a686f4f55520bb0034e46858e6ae794bb1b

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
96KB

MD5
fb315f64e0b271df56977abd7ca3ac89

SHA1
e58beb26635e1b7bc5b3d6c45a8410e9673e8eec

SHA256
c5097db397eea7993ce85bde29f39b1417765bd59ad58c134ec7ebcdd69b3cf8

SHA512
b21df5d5e1ba0924b0bdb9ceb9b5b3ad2521bf85ed936baec5ccf04ff98580821ffae2d914f23265e5f7940dcccfbc43651c3490f51c89beceb1f8b3739640f8

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
96KB

MD5
d3809a5ead51c015ede3575bbafbf8a2

SHA1
47f41e15a8dcad5806fe49bd22dd3da2e2294001

SHA256
9daddefef057a1bd13515fd8df3faa9945f61ce2f77c65e17a1252d95c508a91

SHA512
01bbdc77a8bedfa3d2f609904ada3e0ce68ad9d89a3604bbe271c900f94ba1ec12d09c2736759f583357588c6da33ff4d15722273fa7f1653e65510f18334d2a

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
96KB

MD5
fbb63335c691ddac56783d126d50cfc3

SHA1
c9cb01e31fa34edf4810da43bdb35966174c3ee0

SHA256
9ae590df1222c22637502f65e87d3d836ae3f86eec198b4223c6b8517d5f63b2

SHA512
828577ee00b0a159ec229967c808e7a5140aec47829f7c94144e0b7dabc642805036e272f9c726efebddc18f725710ef319a0079293a08b4ed63d07306621eb6

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
96KB

MD5
e2097995c3cc74e74fb47f32520c01b6

SHA1
9eb923b06ea080bbf7797253961dce0a9f393541

SHA256
72f8a045ccb00ebfff4a6555b9eff128b676ee7365d169202c95abe3d974e5cb

SHA512
268c3d1c68f96a954e1c412f9b3a2b5f2a266a761e0daac24be898efd9befaf499b50bd2f23e32a891147e802387d82fb60a6a264ecf97d79cb87c3277892b03

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
96KB

MD5
0c62c5159d61959ed10466421e6fe726

SHA1
6898ae9eabb57a7579053282ef7d76676a8aa859

SHA256
41e7976f6aea556da82c03c9960fec9dd1230fb1d7150ef63ffaa67576cabb41

SHA512
e8277bf7969576dd9a094cf4d44e643dff9aafa8fd93d81569f71c04ad3b8dd5180400d7fd971c7eeac5237c309b7cc7f217bc3c1092c919dd49f9255c854668

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
96KB

MD5
17804d374f2b7423db965c229b465b88

SHA1
030f5033f47dad5c3f88eccdf16086a38ecd569a

SHA256
480b513d8cd60134d15e7c21e8f46fae98e07b1e9bafa52a99d1a0145ff0499b

SHA512
a9f16458508bf922127abed07dfda595f0efc2323c874b2a56920e3060fa0f1ffaf371f6f359a92c68e789206587117862689b3f59539ab63fdc2d843721f05f

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
96KB

MD5
bf22cb2c0d3f13147a57954ebbed2038

SHA1
64d50681feab3c6fa298ca684565cdc03cd429c9

SHA256
cefcbb661e872765034e5dde44ad9bd5331f9c4f74b7038c5513c775c574df43

SHA512
ab510abcea500558f1168303f993494ca1577be0d1e870f1ea7c88549013c7036bc916443b7f11c00fd4f83fc3bea70ee74ea017c5dc1d32c3136000513e56e2

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
96KB

MD5
2eca8495a94ffa4c5ddc73e12a271bf3

SHA1
5496b4cece30f7b83370c1acf6cc2b1509282643

SHA256
698cb3d8e52b9b8d30dc0d25def5efe521dcf66ad964c270df09e7dd65bef6ad

SHA512
e591f8097700c883a8fece8850b3f8c5236864108ac8d222aa9a10d725c9c03aecd1cd378d28bf075f739f7832e214aa6348e4d248afeb8dd3cb3a35c7f2eb4b

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
96KB

MD5
fa55d6495ceb5ae18caa9b588e60234c

SHA1
53a09f6c27694ece4711a2bd05e50bd1742485c6

SHA256
d4481be695bbd2824b7a590e0add2fe082176aa98290e54dd05e00803b82ac30

SHA512
81f3c0d5ce10e4c9956e8f326abbbeb361cf7f97d063fab0d6954c9eeae0633f6d4f196a6d157df11862470221585c51bbc4da6b840c1ee3d76b0a3da8da8cf8

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
1d2a4ff48047efcf5413ab2e426b1a52

SHA1
2de4064b6c6016d84bcac8854c7de3b21f069417

SHA256
42110cb5a61c0252ff9e374183de7a1b0ef404a1b877678d13bd4fc7db8cb6e4

SHA512
58ed3e26e6d47bc0d0d0c1fe5ce51c9f38fd8e1adcee90a6fc27ad7a6231541e53bd102b7b00e99a89bd2b8968c1bcadeaf4a15aefb830c935097a7316d6ac6d

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
96KB

MD5
b0543a25902ccd104848c7a732fbc25d

SHA1
bc0940744cd35c3cae036f2dcf2fbc3be419ea3d

SHA256
469e631d910fdae1b93340408b88f41b13dc302619d490faa9edefe32299156c

SHA512
83af7af76a6b5b928c8240851c2d48b647323a741ecc77fce9ada21a01b76d34632a6bab5d75e5f1b6a23241ba8e38d476e6004edb7978c35efe105085cd7131

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
96KB

MD5
9ffd988f549e29df5b9e9b86b9b785de

SHA1
d1368d869ed48494e313dac0cbe3f19c40cac440

SHA256
13a1e1a3838bdc0798e05580e2af23f9de907143efbbd51dcc1419f0bae0c95e

SHA512
a41b83a6e00e01285916f56746a03c9f9a5178b0542b65f998f0ec6678c20c829a5959272dc346d93b62a07a66176563fbde0794dddca5c44ddb2a7f0e7ab884

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
96KB

MD5
748e876a11269fda413a5ed5ee8932e2

SHA1
5694954c5be00bc6400aabec4a0b19c9123b5508

SHA256
27e238032066dc3e5d15ef96f2219b1003d0066241f6a5498b4efd1d7a49d32e

SHA512
33d7e830903ca422a1c4a0eca2358bbe3eea3462590d82aedfd7074a7902bb725732ff64dc3b6ddc8dabbab1683fe0c58b545393872723acfa390bb42820aa7c

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
96KB

MD5
441c983ab448b83826b40b78ac15cdc5

SHA1
a6fbeafc6d4afbdbc05d64aaa515b265343bd1cf

SHA256
15fb6c189e1945639ed549843e5547783c92d6bdebe3534e974ff6f66a334469

SHA512
228cbfda4a01014b884f4c7122879482dea002972d9e2f5eb590ba8f168cb2e53813aabc5e4b36dfb836335db498e30482604597c97330dd5702a78cf3b84ff3

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
96KB

MD5
ca05fa059e461e4fcb31301bad4ad017

SHA1
c94e9a11623e94113f8bfe72949e9512d5020d65

SHA256
a2c44c690d9584ed77891b543bd5f64141a4d35dd0f36a407f5b2637b8ca92ec

SHA512
d97bf25eb6ef264d84cd3ac33ed30e7f3f877e1c3fbc303608820c29654387e2530fa046018be8c7b04489540afd172c3165991934e1feb27ac3a1068951fa3d

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
96KB

MD5
2dd53ce0bd85f7b98f353edc168254de

SHA1
adc6526706b2f76814e97e38caf352e6da7861b8

SHA256
0f764a68170388f85d0106576f57bcc4c46b1a19be09505d0a1dfb8e8c2aec57

SHA512
2693de5e1ace461e91270740a90c04a799efdda896a8e0ae2fee14e0d10a629caddd9a9e96c96eb537a3a50e80cf9069e164f3485e3fe33870c8579b3b252eed

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
96KB

MD5
d51eb32446c91addb86cf61653f8c20e

SHA1
9b13677e6e4f8cd4490eeb734ddda0deecd07aa9

SHA256
132295ae034b28a782f95d9e9e1e7f4f25797c452e072817c9021f30d2639749

SHA512
bfbc19fa23655dcf94e0ff4b2aab6d6cf15cd77cead7cf85f34b2d94d39ce977c69ef2206f7b1cfcf9d7e1bcddca26a53d7d781a7534297c2c9e4b23504795c1

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
96KB

MD5
304c353d156b6429293aa9daf204e52f

SHA1
b912433eaca2f476963e6a43efb95165d4f854d3

SHA256
96b8b7cb83af2055a63bd3af7737f770358c3d5580c3c6769f30d3fb03f0d23c

SHA512
ca0f80cf335fd8db9ae0ace9e038087bd6530d9ec523394d66d0a235d55247bdae4f41ba460d34ceb2e3e39302682f7c589f23eb07595816b737b2950cc3909c

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
96KB

MD5
a968d44b09c12e638147a88a1ae7d7b0

SHA1
05fa7838ffad9680f0690b39790bf5ee8c3149e3

SHA256
12b2532c5a98c99efff632250621940ec42aa7b4ff1b6fde178413294bff9463

SHA512
c19a17f1538e3207759e95192195b34ddb73daddd18e29506690739a9a950c31caf14b2592d5119446535b44568ba542421ddf69aa6d971915b1ad5727840e96

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
96KB

MD5
81e56876c5f550d0588661ee0315f5eb

SHA1
3c0fc2a6a67810915e558f9e3fcfae63693b51a2

SHA256
31601c0bd2809c70f3396681ed52dc7098a468aa878f313648e5198e157fa4db

SHA512
80c57bff3d43d99d37fd35e54fcd6be6f31d9854e75ebb14231065f1c675194289366156d0b02b6a5120834f2f2e5864fff6172a5bf529b09786cc507bb5891b

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
96KB

MD5
baf4c4f5aa95f5663be4f8a83e38b646

SHA1
4476a61f493c6d31edd02299838d5ac55bb50867

SHA256
485f6109a88e791e992215d2a7202c071dd9887fb4a7c482012ebf3734195301

SHA512
e4603327ec06b8be8751e1600b9f90552ad0f07560c8a53b1e558c6cdfce4fcaed59c6f64b0a3d946fad9fff240e31a83b50f3cf19051e943eb6d655f8deb698

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
96KB

MD5
29bde1d0562810ab56191e7f718af6dd

SHA1
684715a638f0630a965b55498d9b48fe1f24359e

SHA256
f851646bc578e670c0eca12711698d4c37270b436e73c79db49d23315cb1667f

SHA512
a284e45e16f08fd9cb00a33c6811394840291fce5445ec455b67a2e82b8747f3812ddb9e2c6c63a063860df1370d4f870ab8632c9536d519c2157937c82cc64b

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
c736609e1dcc78dd5ebfa0cda007ca6a

SHA1
5580a39ba11cda9949b677803c2c3c3e8a4e29bd

SHA256
75340684b5a5e2e725820154ebf6028b012a3373657414f29d84b4433967e630

SHA512
fa2818a352c3c0b80023c9b99edf2a3059e0e1743b7a85ead691df308fb5d953b9c1c9fe9cf6642d00c829c3bac6b72a8f654b422a0ae4be5cab39e049127bc5

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
96KB

MD5
ebe77d466d1605f64599fc86d6595dae

SHA1
ae5d9205eef70f859c7442572b0230f45a28ba29

SHA256
6e3810d60920b436222c8d7e54a19b842792cef88ab21f42946f7ba53b620287

SHA512
69061c13ae326d7e6f20f817121d98ff46f3b99268549aacf26ff6d739d68a928207874bb5b752f440aa809492f87a8b95f34e630f57e4248c35e8be1935033c

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
96KB

MD5
f651ead45b8ac1e10a907081d205d1bf

SHA1
274c2b8fe7889421b82a414ebd4611ee338e3698

SHA256
5253bef443463f9d6423a6df42d3884698e3aff86b665d11b8f7f5a2d40160ff

SHA512
18e9474ff93c2d6e247c78c9568e19ec7fe543c38fc50508363be31e8a9a2a3bc9c2ae974303a330a00a4df7e2cbd3a193b1a0f249c4530c1ebd5c19ebf8bdf1

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
5c55b1a65fba848de9f479758cafb19e

SHA1
3bf362affc95e9f08e80e037b73a23f3cc86e9d3

SHA256
942b3a7bf3e7a5393b13a2ff88fedb5ef9865b4558894712ccd120453552d558

SHA512
3062db4d7fd6e08d3a60ee6e9f7306fb1648987d1d7ba8a255d3eba23685e51a3cbd91b2d594c764f00f9bd85eff8a48104a5d5e83e09706545cc5f2c17aa748

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
f7ea5dc5efe901d4d0c5c60b688f1147

SHA1
687aa08255cf90838299d69df6759ab7337ca4c2

SHA256
5b741b241f8d10768a1b2ad9f8671437aaeffe76598ab6faac98c2b4cc69d1e4

SHA512
03aa0475827741e358945bff3d94e415b0dc37a29fc19682a296bb4e7a9f1a4933606e47dcfaacc054d374b46467f7d4e2df5a0ab17b73d03af5f3bd99a7efc9

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
96KB

MD5
718846d5a787b1c51c44938e75407917

SHA1
ff0f3e9b6009c8e32bd94a99c50d21dd8dae336a

SHA256
f0c64f156a6016040f43f3d789d879d1121ff322c0ad3f17244007eeb5c22431

SHA512
a905dd29355bb95b5caf46fc015ff7301a358c2f8fb56acfc30cdb2e5bc90e58553d62a53aeb0c313426ea8405d4375cb7529d292aa2f9ebb2d4970ae266c09f

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
96KB

MD5
c9f4dca8ee713e5fdd6fca4da2d70883

SHA1
ca794d968d33bed784a164a88430df90cb0e9c9e

SHA256
36fb4fdb250f258d9df8b75caf21aaa6b47bc20f52d4e1c03b2e700aefb6cb4a

SHA512
0342b1891a959927dadfe07ecf8a5d29c2680f28af5454cbd0f667e04a8261c62c6fcd9c366ce06a88b592b72af95f821cf74aeae910b297ba8c35013d2ffac2

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
7bbcaa956e21a97cc03baaf95cb202e4

SHA1
ec556e590f5692fd5c4fd4cfc249fec0d13ddb32

SHA256
b9e3132257881378c2d3c07131051d9e1c2be4c4a86e659a9ffdd64e4fa80fe6

SHA512
9a44484afaa7491390a470728cc2e02702f638c76aa8b7f5cc517a7705c708301eccd5db3f73289fb9d6839d4b9035631490bbebf79f3fddcf7998a9ae576db6

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
96KB

MD5
68860a0701294fe69f4413d9c8a1279f

SHA1
ff3d3eeecb726f512a8c9f9936a2db0fb7dea2a5

SHA256
98f9894d4c33d91a994f09dea3f0d7dba15ed4f281a1a07cd97d1f2928554a51

SHA512
e64a7d5a346884b63752a7fc5f0181695c1a065c06aa3fac424f1239f2dcfb3705787383996e43769d0147ede2214624b2cf783341725ab28150ec6cc693829e

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
96KB

MD5
3de568a252479786140cd25d45923284

SHA1
1c4f95b9beb47393bd608f82eba497d07015f407

SHA256
43db801feb91ecd0be304b0b93e43f9a3c78c9b13b830dc9d9a5b4a2bdb5c329

SHA512
bb92bb6de40424d9b1b09151e366dc42446847287abf7257ad73b74c1953400dbce475aaccfe497cee14998b07aa8a4520b943d861776447b0dd708e2404bf47

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
96KB

MD5
ef6c39c85affa720256bfcfce4d89fba

SHA1
a819a45da2e9ac48b26e79741bcfbf815276fdc2

SHA256
f197c9345b754e0c878579b6a4bc16ac51302e42b84a1d269aa6642ccb5d8f33

SHA512
b80ad215989f17fa7d887052bcbdbc3c745867e24ff7146e8048f4f2e7f24de385c989ada20b0c5d9f7fb16c753391317ce0111b0175955995235937acb47ede

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
96KB

MD5
f598b5c9fdcf4715b1eaeb776ec4d9e1

SHA1
9a692356a7d476efb31986572a81e3dd05f47bd3

SHA256
32a4be2bcfec752d53da52c692403ff226e9d4dc75be00791a169180b20610b0

SHA512
8f2179706a819bac482a2fb18cf6c81a083ac4feed97f71848095d9e9b7d7c5581aa02a3da83bc94d3cfb17e2091abb1c95ceeda97db9641fec0922fbf78a2e2

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
0b18e26c849e66331a0f098fae18c495

SHA1
8e18ff5e366483db5bf23d8e10b387b1f06b4608

SHA256
fce2ab05d531d71372877cf61578d342218006e83c2f27940295c76af7a21fd0

SHA512
09757d69ec7bda6c43ac6271798032cdac1978c646576b3fc1118ec41bd27f4bea716e8a665d486a5862f65848823402086c59e95d76a03a8e55c673079a1a23

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
d8b6f3625332a08bd5b169c194b847ab

SHA1
543fec81cee79a8bf50b7d8acc97345c1b98f118

SHA256
d56164c34b3d036444819e6d81d573bc9a07ac2c3a4e5ef5bb37cf05af8633e5

SHA512
ef9dec56f0fd14e9a2604a2f2888885dd060b4eaf4e695498ac3510beaa511b83dc30ec00d5ef424c5160440c6295be94c87b9c24b5ede9cf9a9e43298cb87c4

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
96KB

MD5
4aa3f08791e2a61c21f155c01e958b3e

SHA1
086d11f5e9ea02d6ac4956ff9514ebc4db65ec67

SHA256
6725b45281566393aa4e6877fe559d242ecb66458a4763684776b39b02933ba9

SHA512
59f0b62b2e48f32e19518d38a116faee3fe3598cd6dc6362f8efb70c650dc76a84e7362bb71c4430fd21fc5cdd2fc8468da619c167466d09d9f3e5f7b5cf421c

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
96KB

MD5
ba49586f18f295078809d715da742fa1

SHA1
71090b7cefb0d9cf5c26cac1cabc7ac6eaead3d4

SHA256
41ac986e1d5288eb1e8b9fc6026e8176bfd12e02289307aa156e0b799d855eb5

SHA512
233ad6064417f8e667d6119aba89c70b1ca0ee8825f66d9673c17389faf61f11ea2b411cbadf08a1d2d6f7435a16f0a9dc3e5988ba94096a1603f67e1efb5bb8

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
96KB

MD5
bc60f106779aea6ee5b3c598a5a38c45

SHA1
f7dd1ff959f7c1ca9a3fb874bd4f92821c79f741

SHA256
79c5e82ce9ce90ad85c703e0693a07f2ffd0f080a461059660d00a4c04c7cdfd

SHA512
ebe336eff84b97fecb0de94e77f77b87d0259f76150bda799f7df8d822e1a27c146511636f2f6664a176c1aa687d32d1c35c6cd5a6ebdfc62b586548d2f5badb

Download Submit
memory/224-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/316-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/608-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/940-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1160-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1168-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1240-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1364-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1396-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1436-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1580-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1620-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1764-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1840-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1876-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1904-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2216-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2496-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2576-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2664-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2664-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2752-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3032-577-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3104-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-452-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3532-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3564-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3616-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3628-591-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3740-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3744-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3792-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3836-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3840-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3896-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3924-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3976-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4200-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4264-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4288-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4336-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4348-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-536-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4356-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4408-518-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4580-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4588-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4592-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4596-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4596-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-559-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-570-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads