berbew | a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabf

Analysis

max time kernel
30s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
Size

128KB
MD5

e5650b359ac0e661d5d195a744216900
SHA1

67bf13a09cb18feb3fa6c12f4eb65ae964571ddc
SHA256

a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabf
SHA512

123e9f13b6b911b121973629655310fdc205b23d2da7ca6e41b388b62e9048378ed85ef8f2d07bb48967af48b22eca4ded90a8e029c6023ac2917922917e395c
SSDEEP

3072:l2jn9CGYiLgQFmIfx3QsOKzDd1AZoUBW3FJeRuaWNXmgu+tB:uC7iLgQ1ZAsOKndWZHEFJ7aWN1B

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdgdempa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjhagdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idnaoohk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ileiplhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccbqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipllekdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Labkdack.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilncom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inifnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbdonb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfhbeek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lapnnafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idnaoohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmneda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljibgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kofopj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkmlh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leimip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lapnnafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inifnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmefooki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkaiqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2684	Hhjapjmi.exe
2652	Hiknhbcg.exe
2660	Iccbqh32.exe
2708	Iimjmbae.exe
2600	Inifnq32.exe
1628	Ilncom32.exe
640	Iompkh32.exe
2096	Ipllekdl.exe
2528	Icjhagdp.exe
2884	Idnaoohk.exe
1140	Ileiplhn.exe
2904	Jofbag32.exe
1796	Jbdonb32.exe
2124	Jhngjmlo.exe
1084	Jnkpbcjg.exe
2404	Jnmlhchd.exe
1268	Jqlhdo32.exe
1532	Jdgdempa.exe
1236	Jgfqaiod.exe
1956	Kmefooki.exe
1460	Kocbkk32.exe
880	Kkjcplpa.exe
1912	Kofopj32.exe
2948	Kbfhbeek.exe
2828	Kiqpop32.exe
2768	Kicmdo32.exe
2620	Kkaiqk32.exe
3052	Leimip32.exe
1232	Lghjel32.exe
2992	Lmebnb32.exe
820	Lapnnafn.exe
2856	Lfmffhde.exe
2604	Ljibgg32.exe
2448	Labkdack.exe
2912	Lcagpl32.exe
1424	Lgmcqkkh.exe
2728	Lfpclh32.exe
2116	Lmikibio.exe
1828	Laegiq32.exe
1768	Lbfdaigg.exe
2444	Ljmlbfhi.exe
2204	Lmlhnagm.exe
2464	Lpjdjmfp.exe
1240	Lfdmggnm.exe
2456	Legmbd32.exe
2392	Mmneda32.exe
2748	Mpmapm32.exe
2756	Mbkmlh32.exe
2820	Meijhc32.exe
1500	Mieeibkn.exe
2656	Mlcbenjb.exe
3064	Moanaiie.exe
1976	Mapjmehi.exe
2872	Mlfojn32.exe
2860	Modkfi32.exe
2008	Mabgcd32.exe
848	Mdacop32.exe
1792	Mlhkpm32.exe
2020	Mofglh32.exe
2060	Meppiblm.exe
744	Mdcpdp32.exe
448	Mkmhaj32.exe
1304	Moidahcn.exe
2520	Mpjqiq32.exe

Loads dropped DLL 64 IoCs

pid	Process
2440	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
2440	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
2684	Hhjapjmi.exe
2684	Hhjapjmi.exe
2652	Hiknhbcg.exe
2652	Hiknhbcg.exe
2660	Iccbqh32.exe
2660	Iccbqh32.exe
2708	Iimjmbae.exe
2708	Iimjmbae.exe
2600	Inifnq32.exe
2600	Inifnq32.exe
1628	Ilncom32.exe
1628	Ilncom32.exe
640	Iompkh32.exe
640	Iompkh32.exe
2096	Ipllekdl.exe
2096	Ipllekdl.exe
2528	Icjhagdp.exe
2528	Icjhagdp.exe
2884	Idnaoohk.exe
2884	Idnaoohk.exe
1140	Ileiplhn.exe
1140	Ileiplhn.exe
2904	Jofbag32.exe
2904	Jofbag32.exe
1796	Jbdonb32.exe
1796	Jbdonb32.exe
2124	Jhngjmlo.exe
2124	Jhngjmlo.exe
1084	Jnkpbcjg.exe
1084	Jnkpbcjg.exe
2404	Jnmlhchd.exe
2404	Jnmlhchd.exe
1268	Jqlhdo32.exe
1268	Jqlhdo32.exe
1532	Jdgdempa.exe
1532	Jdgdempa.exe
1236	Jgfqaiod.exe
1236	Jgfqaiod.exe
1956	Kmefooki.exe
1956	Kmefooki.exe
1460	Kocbkk32.exe
1460	Kocbkk32.exe
880	Kkjcplpa.exe
880	Kkjcplpa.exe
1912	Kofopj32.exe
1912	Kofopj32.exe
2948	Kbfhbeek.exe
2948	Kbfhbeek.exe
2828	Kiqpop32.exe
2828	Kiqpop32.exe
2768	Kicmdo32.exe
2768	Kicmdo32.exe
2620	Kkaiqk32.exe
2620	Kkaiqk32.exe
3052	Leimip32.exe
3052	Leimip32.exe
1232	Lghjel32.exe
1232	Lghjel32.exe
2992	Lmebnb32.exe
2992	Lmebnb32.exe
820	Lapnnafn.exe
820	Lapnnafn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdilgioe.dll	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lmlhnagm.exe	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Iccbqh32.exe	Hiknhbcg.exe
File opened for modification	C:\Windows\SysWOW64\Inifnq32.exe	Iimjmbae.exe
File created	C:\Windows\SysWOW64\Eppddhlj.dll	Nmnace32.exe
File created	C:\Windows\SysWOW64\Jnmlhchd.exe	Jnkpbcjg.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Mmneda32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmcqkkh.exe	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Naimccpo.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Lmikibio.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Hhjapjmi.exe	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
File created	C:\Windows\SysWOW64\Deeieqod.dll	Kicmdo32.exe
File created	C:\Windows\SysWOW64\Ileiplhn.exe	Idnaoohk.exe
File created	C:\Windows\SysWOW64\Papnde32.dll	Kiqpop32.exe
File created	C:\Windows\SysWOW64\Labkdack.exe	Ljibgg32.exe
File opened for modification	C:\Windows\SysWOW64\Mmneda32.exe	Legmbd32.exe
File created	C:\Windows\SysWOW64\Ombhbhel.dll	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Iimjmbae.exe	Iccbqh32.exe
File opened for modification	C:\Windows\SysWOW64\Ipllekdl.exe	Iompkh32.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Mkmhaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Ipllekdl.exe	Iompkh32.exe
File created	C:\Windows\SysWOW64\Mbkmlh32.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Meijhc32.exe	Mbkmlh32.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Pikhak32.dll	Lmebnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lcagpl32.exe	Labkdack.exe
File created	C:\Windows\SysWOW64\Pbefefec.dll	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Kbfhbeek.exe	Kofopj32.exe
File opened for modification	C:\Windows\SysWOW64\Icjhagdp.exe	Ipllekdl.exe
File created	C:\Windows\SysWOW64\Jnkpbcjg.exe	Jhngjmlo.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Djmffb32.dll	Labkdack.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Mmneda32.exe
File opened for modification	C:\Windows\SysWOW64\Kiqpop32.exe	Kbfhbeek.exe
File opened for modification	C:\Windows\SysWOW64\Labkdack.exe	Ljibgg32.exe
File opened for modification	C:\Windows\SysWOW64\Jhngjmlo.exe	Jbdonb32.exe
File opened for modification	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lbfdaigg.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Naimccpo.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Lghjel32.exe	Leimip32.exe
File created	C:\Windows\SysWOW64\Lfpclh32.exe	Lgmcqkkh.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Nhllob32.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Eiiddiab.dll	Jofbag32.exe
File created	C:\Windows\SysWOW64\Jdgdempa.exe	Jqlhdo32.exe
File created	C:\Windows\SysWOW64\Ibddljof.dll	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Fhhiii32.dll	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Hiknhbcg.exe	Hhjapjmi.exe
File opened for modification	C:\Windows\SysWOW64\Jqlhdo32.exe	Jnmlhchd.exe
File created	C:\Windows\SysWOW64\Mapjmehi.exe	Moanaiie.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Leimip32.exe	Kkaiqk32.exe
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Mofglh32.exe	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Jofbag32.exe	Ileiplhn.exe
File created	C:\Windows\SysWOW64\Bjdmohgl.dll	Lapnnafn.exe
File created	C:\Windows\SysWOW64\Ecjlgm32.dll	Inifnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2984	2476	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcbenjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiknhbcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipllekdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ileiplhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmefooki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfhbeek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lapnnafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbkmlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjcplpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkaiqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkmhaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iompkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnkpbcjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjdjmfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meijhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iimjmbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpmapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iccbqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbdonb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmlhchd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Labkdack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljmlbfhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmneda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idnaoohk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgfqaiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laegiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilncom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfmffhde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhjapjmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqlhdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabgcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inifnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmebnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfpclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legmbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moanaiie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icjhagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiqpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmlhnagm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjmehi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idnaoohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhejlj.dll"	Ileiplhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbdonb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbdonb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hiknhbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jofbag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipllekdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kicmdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iompkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhjapjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipllekdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiknhbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfmhhoj.dll"	Idnaoohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkaiqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmneda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmikibio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ileiplhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdmohgl.dll"	Lapnnafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjlgm32.dll"	Inifnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbldmm32.dll"	Iompkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbkmlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iimjmbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikhak32.dll"	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnkpbcjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpoifde.dll"	Jnmlhchd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll"	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhjapjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padajbnl.dll"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll"	Kicmdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diceon32.dll"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfcekqe.dll"	Jhngjmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfalhjp.dll"	Kkaiqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lapnnafn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2684	2440	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe	30
PID 2440 wrote to memory of 2684	2440	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe	30
PID 2440 wrote to memory of 2684	2440	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe	30
PID 2440 wrote to memory of 2684	2440	a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe	30
PID 2684 wrote to memory of 2652	2684	Hhjapjmi.exe	31
PID 2684 wrote to memory of 2652	2684	Hhjapjmi.exe	31
PID 2684 wrote to memory of 2652	2684	Hhjapjmi.exe	31
PID 2684 wrote to memory of 2652	2684	Hhjapjmi.exe	31
PID 2652 wrote to memory of 2660	2652	Hiknhbcg.exe	32
PID 2652 wrote to memory of 2660	2652	Hiknhbcg.exe	32
PID 2652 wrote to memory of 2660	2652	Hiknhbcg.exe	32
PID 2652 wrote to memory of 2660	2652	Hiknhbcg.exe	32
PID 2660 wrote to memory of 2708	2660	Iccbqh32.exe	33
PID 2660 wrote to memory of 2708	2660	Iccbqh32.exe	33
PID 2660 wrote to memory of 2708	2660	Iccbqh32.exe	33
PID 2660 wrote to memory of 2708	2660	Iccbqh32.exe	33
PID 2708 wrote to memory of 2600	2708	Iimjmbae.exe	34
PID 2708 wrote to memory of 2600	2708	Iimjmbae.exe	34
PID 2708 wrote to memory of 2600	2708	Iimjmbae.exe	34
PID 2708 wrote to memory of 2600	2708	Iimjmbae.exe	34
PID 2600 wrote to memory of 1628	2600	Inifnq32.exe	35
PID 2600 wrote to memory of 1628	2600	Inifnq32.exe	35
PID 2600 wrote to memory of 1628	2600	Inifnq32.exe	35
PID 2600 wrote to memory of 1628	2600	Inifnq32.exe	35
PID 1628 wrote to memory of 640	1628	Ilncom32.exe	36
PID 1628 wrote to memory of 640	1628	Ilncom32.exe	36
PID 1628 wrote to memory of 640	1628	Ilncom32.exe	36
PID 1628 wrote to memory of 640	1628	Ilncom32.exe	36
PID 640 wrote to memory of 2096	640	Iompkh32.exe	37
PID 640 wrote to memory of 2096	640	Iompkh32.exe	37
PID 640 wrote to memory of 2096	640	Iompkh32.exe	37
PID 640 wrote to memory of 2096	640	Iompkh32.exe	37
PID 2096 wrote to memory of 2528	2096	Ipllekdl.exe	38
PID 2096 wrote to memory of 2528	2096	Ipllekdl.exe	38
PID 2096 wrote to memory of 2528	2096	Ipllekdl.exe	38
PID 2096 wrote to memory of 2528	2096	Ipllekdl.exe	38
PID 2528 wrote to memory of 2884	2528	Icjhagdp.exe	39
PID 2528 wrote to memory of 2884	2528	Icjhagdp.exe	39
PID 2528 wrote to memory of 2884	2528	Icjhagdp.exe	39
PID 2528 wrote to memory of 2884	2528	Icjhagdp.exe	39
PID 2884 wrote to memory of 1140	2884	Idnaoohk.exe	40
PID 2884 wrote to memory of 1140	2884	Idnaoohk.exe	40
PID 2884 wrote to memory of 1140	2884	Idnaoohk.exe	40
PID 2884 wrote to memory of 1140	2884	Idnaoohk.exe	40
PID 1140 wrote to memory of 2904	1140	Ileiplhn.exe	41
PID 1140 wrote to memory of 2904	1140	Ileiplhn.exe	41
PID 1140 wrote to memory of 2904	1140	Ileiplhn.exe	41
PID 1140 wrote to memory of 2904	1140	Ileiplhn.exe	41
PID 2904 wrote to memory of 1796	2904	Jofbag32.exe	42
PID 2904 wrote to memory of 1796	2904	Jofbag32.exe	42
PID 2904 wrote to memory of 1796	2904	Jofbag32.exe	42
PID 2904 wrote to memory of 1796	2904	Jofbag32.exe	42
PID 1796 wrote to memory of 2124	1796	Jbdonb32.exe	43
PID 1796 wrote to memory of 2124	1796	Jbdonb32.exe	43
PID 1796 wrote to memory of 2124	1796	Jbdonb32.exe	43
PID 1796 wrote to memory of 2124	1796	Jbdonb32.exe	43
PID 2124 wrote to memory of 1084	2124	Jhngjmlo.exe	44
PID 2124 wrote to memory of 1084	2124	Jhngjmlo.exe	44
PID 2124 wrote to memory of 1084	2124	Jhngjmlo.exe	44
PID 2124 wrote to memory of 1084	2124	Jhngjmlo.exe	44
PID 1084 wrote to memory of 2404	1084	Jnkpbcjg.exe	45
PID 1084 wrote to memory of 2404	1084	Jnkpbcjg.exe	45
PID 1084 wrote to memory of 2404	1084	Jnkpbcjg.exe	45
PID 1084 wrote to memory of 2404	1084	Jnkpbcjg.exe	45

C:\Users\Admin\AppData\Local\Temp\a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe
"C:\Users\Admin\AppData\Local\Temp\a652d7cd7e2b307da3faa7e77434f9185af761b01064b7a7b043bfee8e3aeabfN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\Hhjapjmi.exe
  C:\Windows\system32\Hhjapjmi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\Hiknhbcg.exe
    C:\Windows\system32\Hiknhbcg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\Iccbqh32.exe
      C:\Windows\system32\Iccbqh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Iimjmbae.exe
        
        C:\Windows\system32\Iimjmbae.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Inifnq32.exe
        
        C:\Windows\system32\Inifnq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Ilncom32.exe
        
        C:\Windows\system32\Ilncom32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Iompkh32.exe
        
        C:\Windows\system32\Iompkh32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Ipllekdl.exe
        
        C:\Windows\system32\Ipllekdl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Icjhagdp.exe
        
        C:\Windows\system32\Icjhagdp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Idnaoohk.exe
        
        C:\Windows\system32\Idnaoohk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ileiplhn.exe
        
        C:\Windows\system32\Ileiplhn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Jofbag32.exe
        
        C:\Windows\system32\Jofbag32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Jbdonb32.exe
        
        C:\Windows\system32\Jbdonb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Jhngjmlo.exe
        
        C:\Windows\system32\Jhngjmlo.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Jnkpbcjg.exe
        
        C:\Windows\system32\Jnkpbcjg.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Jnmlhchd.exe
        
        C:\Windows\system32\Jnmlhchd.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Jqlhdo32.exe
        
        C:\Windows\system32\Jqlhdo32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Jdgdempa.exe
        
        C:\Windows\system32\Jdgdempa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1532
        
        C:\Windows\SysWOW64\Jgfqaiod.exe
        
        C:\Windows\system32\Jgfqaiod.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Kmefooki.exe
        
        C:\Windows\system32\Kmefooki.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Kocbkk32.exe
        
        C:\Windows\system32\Kocbkk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Kkjcplpa.exe
        
        C:\Windows\system32\Kkjcplpa.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Kofopj32.exe
        
        C:\Windows\system32\Kofopj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Kbfhbeek.exe
        
        C:\Windows\system32\Kbfhbeek.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Kiqpop32.exe
        
        C:\Windows\system32\Kiqpop32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Kicmdo32.exe
        
        C:\Windows\system32\Kicmdo32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Kkaiqk32.exe
        
        C:\Windows\system32\Kkaiqk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Leimip32.exe
        
        C:\Windows\system32\Leimip32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Lghjel32.exe
        
        C:\Windows\system32\Lghjel32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Lmebnb32.exe
        
        C:\Windows\system32\Lmebnb32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Lapnnafn.exe
        
        C:\Windows\system32\Lapnnafn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Ljibgg32.exe
        
        C:\Windows\system32\Ljibgg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Labkdack.exe
        
        C:\Windows\system32\Labkdack.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Lcagpl32.exe
        
        C:\Windows\system32\Lcagpl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Lgmcqkkh.exe
        
        C:\Windows\system32\Lgmcqkkh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Lmikibio.exe
        
        C:\Windows\system32\Lmikibio.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Lbfdaigg.exe
        
        C:\Windows\system32\Lbfdaigg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Ljmlbfhi.exe
        
        C:\Windows\system32\Ljmlbfhi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Lmlhnagm.exe
        
        C:\Windows\system32\Lmlhnagm.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Lfdmggnm.exe
        
        C:\Windows\system32\Lfdmggnm.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\Legmbd32.exe
        
        C:\Windows\system32\Legmbd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Mmneda32.exe
        
        C:\Windows\system32\Mmneda32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Mbkmlh32.exe
        
        C:\Windows\system32\Mbkmlh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Mlcbenjb.exe
        
        C:\Windows\system32\Mlcbenjb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Mabgcd32.exe
        
        C:\Windows\system32\Mabgcd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Meppiblm.exe
        
        C:\Windows\system32\Meppiblm.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        74⤵
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        82⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 140
        83⤵
        Program crash
        
        PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hhjapjmi.exe

Filesize
128KB

MD5
7bdf86ef0db00dbd44a66fe0cb17b475

SHA1
2e6315dc1ec7505408f090b091fd375eff24db0e

SHA256
05b1b9554304f44ef013f2aaef33b50b97ba1e8f54b334533e98e502dc7f7fc7

SHA512
e4a9ec026f01469469c6f1f9f0d3c572bfaf4bdcfe65d977006e036f5065d366814d1ca8f13b25483bfc74166e1ace26c05c6e070910de8ca92a4ba619c7f697

Download Submit
C:\Windows\SysWOW64\Iccbqh32.exe

Filesize
128KB

MD5
4e57a327b2b979f381c3bc2e04acd33a

SHA1
15cf37f785fe96cd2d2ad49ce44387836bba91b7

SHA256
b8cddc495e6073e2e88ae9bbd8698436126704906a99c0b566e77b29384162e1

SHA512
f09feface74fc67aab2fceedf06c4a9b3176f75ae63fe204d64b1a2df0928ffe41ce97a05a285dd5ef31c50f21e7d4b18803d2c2f735f0dd775f417877ccdb90

Download Submit
C:\Windows\SysWOW64\Icjhagdp.exe

Filesize
128KB

MD5
0b17acd638e657683088201d7ec731e8

SHA1
6cc5451eba5768e495f797091c730908c5fcb3e7

SHA256
6e888cafaddbff68c041ee0c4a38549151b3d5af0ff848b08db02db900435836

SHA512
13aaec2f2339fc8d16388a3d164c4bb21dc2b9a62566e9af738fdbd7f964ed2b67c7c8f55946573918650e02bd7b3a8efd9b79b87141696d007112898c636e39

Download Submit
C:\Windows\SysWOW64\Ileiplhn.exe

Filesize
128KB

MD5
ec595837745956373ccd1791de42e1d4

SHA1
c566f2ed29d786718b87bad16639a3872fb56226

SHA256
bbbd3786a5dceeb802f77d23aa35a71e99dc49a6c9c35019d3d5ceb0c4281808

SHA512
5c7985783d9a2b44339cf1a1bcfe3b0065c6eb0e219cb16fcf791558c82ea5cb61487abfc1e4a98f51dea947b0bf740186ebbe5663d6b1eedf31ceddd53de73e

Download Submit
C:\Windows\SysWOW64\Inifnq32.exe

Filesize
128KB

MD5
e002467d3f36ced19727eaadf17b6da9

SHA1
cbf045dbc769c802d9f12903811ab991a60b14cb

SHA256
44782bbf805bc1e77974c7f9145640c68cd92fe9d5804bdc9b4abab73d5a6f51

SHA512
07d78fa12290c64f4900be16d60ac7b8f63e2676631596ad2230d62ec6ea9830cdb09e70b133232d08eec9cc188943d19a63d031d3486a80a24035491bb4551b

Download Submit
C:\Windows\SysWOW64\Jdgdempa.exe

Filesize
128KB

MD5
b9038e728124ae24857ac72b7e4cecfd

SHA1
1c19953e09027749d45876d9206b15cfcdef46dc

SHA256
e8cb5d13f0f8516e053b2b93e4dc2158c04ab11eb1db3774424a4dbfd2258d41

SHA512
a7e297ceb47197426d80fc3bd0b3283b212c504a195e56d22e68d04a95beebb017e7d82f0c3628170bb90d254facc6d47b40d5cd9cea1abbda89a9211fcdb375

Download Submit
C:\Windows\SysWOW64\Jgfqaiod.exe

Filesize
128KB

MD5
68302c73594d83cea68e9f11c6f0e6f5

SHA1
34393b29614b6609fbeebd981d5998a2afcdb8f8

SHA256
7687156fcaccbfd0fce8a325194a769abea47ff0771f31e4ea2f287013f39d24

SHA512
c4882ca04c29bc42055d0295d7d807f14bc484160c899cf4828b2b58ea53b24278c22527a0e9ba6f0a11b1f67fb0a2941f1e02942c1a80f860fd9b1a4228db3d

Download Submit
C:\Windows\SysWOW64\Jhngjmlo.exe

Filesize
128KB

MD5
9ac8e0611677ebcd6b2bab33eb43a663

SHA1
6aa2dda1f62c691f7549a057ea3e6e9ca74096a1

SHA256
b91aa6540333e5f465e9eb5dcda19028a06187982253001f713c9882b9734c28

SHA512
15773825e3bcde053a210e18ffd06fcd10e7b9883d3c8e5bdf83abf72f7a15af1657aa0f9151072dd28037d18020a5aa65c3359cca21511225c7260428ee3dcb

Download Submit
C:\Windows\SysWOW64\Jnkpbcjg.exe

Filesize
128KB

MD5
429f4fb5f7c64d63fb85b7068b8faeab

SHA1
727221611c4e82ad46c4de2d6a50dac12295fd4f

SHA256
e2b81a528230b80c3e5cb13cc1abe561d4370a649bc79a88c2386279f6f19a93

SHA512
c05a3e30b9899757bb48f63d7b229fc033a985f77d5d91372a0f1d241c4dccc122fd5882c4a4342c8008d73a69067ab72cd2a2ef7d1477a117a3431f78490184

Download Submit
C:\Windows\SysWOW64\Jnmlhchd.exe

Filesize
128KB

MD5
cc2da5cf40fc0af89f7ce248dc787694

SHA1
cf45aee984713ff44949f26b463df716429b7af9

SHA256
21c9549989330f078b78e01fe2fdc4f06f9da60527c8c4c42ad06c2fef5ee8ef

SHA512
8cc5027cf204553933ef7439a4e93908c74a5763d2cfc6208eb5bf1688c7f893e2b6d3b99706fa3f9218c54b6680435993af2011884ab7c9db434f5cb46bfb6c

Download Submit
C:\Windows\SysWOW64\Jqlhdo32.exe

Filesize
128KB

MD5
b425eca23ad3c49cc52aaca2514b3759

SHA1
092e96dee31e2e39852e2b4d47f895c758753948

SHA256
493efeb511fb649edd042831300aa89fba04954f8b81d4c193016382783b13fa

SHA512
5cbe1238bed13ec04dd9343ad41d1cd24e7d8ca0cd083fa7f68ea80e01a313c7ce740a9bba63226c64af97a84882e404180ad82fd716e7b859fd88277e36dda4

Download Submit
C:\Windows\SysWOW64\Kbfhbeek.exe

Filesize
128KB

MD5
27e1be04e7c8222125a6ff107ce9dc36

SHA1
5aa5780707a7443a7f5dc4678059a0e5831ada40

SHA256
98ffaefacadab7a23688e15270184053588cc84640c3ae9668788c2085ab4865

SHA512
a1fb6ba79c85950e8693241aba2e241335906953ed7dd5a3963035a5432016ba4bf4ff1efce789d5881587fd9384d6eb5c2c583356efa2bb6dc0fc4d515e2470

Download Submit
C:\Windows\SysWOW64\Kicmdo32.exe

Filesize
128KB

MD5
62fd33aabc3305fa41d3ac1d74e90e6a

SHA1
c6af63fbe1b239b1538fe9ef0927ae8dae0f5006

SHA256
3ee9e75f43a2228a585adbd438182bd0c7289b18108e36533de9f60488350bd0

SHA512
76f045088296f7995b988bb5576c943ba9bdc2050108d57de060e3ba29c3103788b510b4ff0c605f3e971cb0ec8b64c8b79b77d30c9a8df199fb9387fabefbf3

Download Submit
C:\Windows\SysWOW64\Kiqpop32.exe

Filesize
128KB

MD5
cfb204e8529a5d060717a2f69d60ba8c

SHA1
e87a9c3ae0f919d550f4e0cdc0c473aac69cf790

SHA256
dbbf7943ce1cd1ba6f6d46a4a4f7a1a9d9e3d2b233cceccdf80d336c12beee43

SHA512
adcade9700b41efe72d801a3a7d4601cc725bb9aa39e16898b9ddf20f4104e65d5b3bd195e82b166f807964e96ef1cbb507287b0e427f673bd368d55b80c1258

Download Submit
C:\Windows\SysWOW64\Kkaiqk32.exe

Filesize
128KB

MD5
004cbc2995b4b25b89f9f42540954371

SHA1
f3b6e5487d9839460b938d1ebb300d1f85401666

SHA256
775ddd366bff6b4e0b086575beb60c185978048e55f821797d0282ad3a22fbe2

SHA512
889451027d231326c72007a666fff2aa18a5c44f1ac65243685526122ce99a25a9108309bcaf9545256274db5a9d13959d21883f49c5084d872e6d25c3c92123

Download Submit
C:\Windows\SysWOW64\Kkjcplpa.exe

Filesize
128KB

MD5
b49d48ad73206f8b6ceaafb9d0f2ae2e

SHA1
c87caab1fda1d1c1af818814ab49bb8ac1b62ce0

SHA256
ce479730c468fe18e49b5eab5bb8caa59e1a5123879941e9f70262d3c49219be

SHA512
0eeb7cceef7924cb654e7aea9f3fb4a187c54d177d47479fa10952d70114f75578e17c69693c981fbcf94314cbd9c958bb6e3ba4005edee0b722580a2cad1270

Download Submit
C:\Windows\SysWOW64\Kmefooki.exe

Filesize
128KB

MD5
6bc80cf3afcc1453fda7290dce1c608b

SHA1
6e7299c00d46829be6a91bf0bae52db0fe81dd4d

SHA256
adea1bc95afbc213c4587151e802d22e2c8d27d8156365ce755baa90f5a31729

SHA512
49fefbd326f7c98dde7cc8edb428f50723fceec9df0f1443fb72566bd27d2fad2da8fa269587129c29d932f7de2ef2062bd01ae1bd2bcf7ec0c4e67a8b13f0fb

Download Submit
C:\Windows\SysWOW64\Kocbkk32.exe

Filesize
128KB

MD5
137b80a7e5961b736903fe73e19a957b

SHA1
a2a62736e1edc9cba1ffd45f59ad84382cb6b86b

SHA256
9a0b5f9c1e745c88821647c0b12c9499b7ab71195ec82d77be870e266a04c425

SHA512
acbfbef51024ac5a470e7fcde341422aecbb5d26986022859f7f2d8430aa314ad9ec225a8a1bf13247185670a17ddacd503fd73b99472c99197e6bb258cb90bf

Download Submit
C:\Windows\SysWOW64\Kofopj32.exe

Filesize
128KB

MD5
34b770fff7fc6b4c88d607b057c3ac85

SHA1
8f87a20616d706de006f4613a5ed573c4f2dc7be

SHA256
fc1ac60e26a1c650bdcb1eb431095f31a16d2ed9505e8b0d71442693785d0911

SHA512
6316763e5a4ac3493235644e4eac1cd9c540c96675c605f598871bbd260f712e6056f15d2a73044989bdb5dc5e299cc0f0ae117105c8ec45f4eff5fcba4ccd86

Download Submit
C:\Windows\SysWOW64\Labkdack.exe

Filesize
128KB

MD5
eced088e12859f1d352c331867db03fb

SHA1
95ea03539c2d65ac8533a4acb5144929972f9a54

SHA256
49f114193c8b7a08234f77961b1241c4be264872b582b57181cddf5faa67011c

SHA512
7e31e088510d9c8d1121acbec0e67a6c7df971d06def68e69b94d528b0a359e1be058951495913501de1f100afbba33d6acf7ca45800531a5e29d4276ef677e6

Download Submit
C:\Windows\SysWOW64\Laegiq32.exe

Filesize
128KB

MD5
45e3538095a54258395cd86fb6254e66

SHA1
96197ff64a730c61d7fc86fbf19257d199d75b0a

SHA256
14de47ac0315286922ce8b69cd0a42dcc948cc473829ec6c301c3f00f631c4ad

SHA512
dc1b1bd1cde1e30d6d793e73687c0091be5058a5dc2a61fbeeba139e1cbd86711f3403e4fc49a6d4e34d7669cc453c41d40e6320f3735747693b943000503c1f

Download Submit
C:\Windows\SysWOW64\Lapnnafn.exe

Filesize
128KB

MD5
33c8b504ee2ca767919ba9bd494d7ef4

SHA1
662fbac119e1f5b6f801029907f532c0cbd7468f

SHA256
a780814eb6b527367154783e75275dde18c8a23024fabdad85f8de56ef47ac2d

SHA512
77becf52f8e9d7374d26199f9f07a25a9ff06fdb5d90782814a2a4b91ff2af404d475b9a35b50aee2828005be15fec554d8e450f3b93646006deaab17dfaf718

Download Submit
C:\Windows\SysWOW64\Lbfdaigg.exe

Filesize
128KB

MD5
d7a201351a5dcce90cfab5f2c57d212f

SHA1
8c6b907cfcca926062e2c02afb8720ca3039fc4b

SHA256
b6d83af8f98481150d59147c14b281b958c720254c25abfd187f92ca5a9d8b1e

SHA512
478d621f612eb172fcf2e87b7c4f02f243718d8c95c45717fc0eb272fefeedbc3c6b5257f013747e8d29680ad12822194893b5e511b7a29d2a55cb1c25684177

Download Submit
C:\Windows\SysWOW64\Lcagpl32.exe

Filesize
128KB

MD5
10e57fcbf53cf1210fda36f8f9cedd79

SHA1
040d313e592087982127cc44d65b97233a14da00

SHA256
a3a7caf200ac1ee2c84eee2e8bb2738a644e8a8142faddd4d889dd45910441c0

SHA512
65465b1a01a64efbcdf741bf57b1c7b1385f51620155bfbd4ad1603aa915fc7152d13c3fdb3f23ebbe0b19949e4b440a82eb790fb7f813fc580b565f0a25d35b

Download Submit
C:\Windows\SysWOW64\Legmbd32.exe

Filesize
128KB

MD5
946b00af9bb4c13784c110d5ea167f8e

SHA1
55a61d000b5cedd1a33c69cd52d4e95446fba9f4

SHA256
cd68fac21c8afadc11f7a340215d5eb98a4c70d98c82730dc56d6bdd459b5e27

SHA512
68bc69b6b8a8380b049888ed40cbd596a3bee17daeb3bb97fd5514feab259cdab87e05fba109a73649d437f4c20493c77db0cfbcb75c11e998da5198a12e4095

Download Submit
C:\Windows\SysWOW64\Leimip32.exe

Filesize
128KB

MD5
e3a6c55ed39b5c939b3bf7a51d35739a

SHA1
f7d2d8662825617add6bbaa358ba47d26164b4f1

SHA256
b84a1e41804ceb1f7a9b03845d0ac4ecc261c0229a0d1894f23346ed7bb73ddb

SHA512
4fcb8a916ba4cf7a42bf3a82a35934737c991eedcdfa9cd11f82c35bde9ff752e8593563836387a811d412b2c3ae604b6043a886bbc77eb2d88d2f0368cf366b

Download Submit
C:\Windows\SysWOW64\Lfdmggnm.exe

Filesize
128KB

MD5
68effb78456419b1cae7d8d128945cea

SHA1
58141988f7875a25c715bafdc6e5b5bf14db8617

SHA256
780ab6d61009050a04f59f97160eca26057d4c9ceb5e0e35d081a9c0d091ead3

SHA512
ca6c104db7e9860ef19b1b07dc86efe8098e09f1e721f0d595eb0dfd2c62bdd76b9fe5fa38dbb75aa12c281c3ccf85931b6f439a0678001ecfe1013c899ee156

Download Submit
C:\Windows\SysWOW64\Lfmffhde.exe

Filesize
128KB

MD5
cde2a0091b0865aee10e274238235ada

SHA1
cbfa49ab989ecca0cd62bd443e25529f8c3e69c0

SHA256
12d5bb9b708d4b6e86a3e72f7b716efc18ac3880c50e2c3dd3216d3cda26daae

SHA512
d00ad3e87b7318a3ed2a07cb306996c0815bcd876381ca49f0efde0afcf857a420fb0b3b3842845dcb3afb6c26a6740217c7046fd14512d1498514413406075b

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
128KB

MD5
69084c9782d0d89d22932eefe56cc2ae

SHA1
1c00e4ae70be9c9a7c4d5e090ca635105822e895

SHA256
6be3be89974eb1413d891f876ae72f607ff9c47e66647e7fe4be8adae552c043

SHA512
bb3860dc9d2352629da0c852a922a1ffc235f17c0b0a9361c232d0a3b6f7f8926ff0f4536911b56462d9f863a0ca345b2c481225a38c44731690e7fae4a7bba2

Download Submit
C:\Windows\SysWOW64\Lghjel32.exe

Filesize
128KB

MD5
77c13e374eb16292f7b45caf2520eda6

SHA1
f0c139363c0373e337cc0e7ec7f6497387e1449f

SHA256
c29ef0e3593e8a56b8481749269b4fb56b4da2ae8075a254f2bea0ad6b2bc334

SHA512
4d84b529f1f78d730cea6f56a217ab868de461c62cedea07d4c8b903e7ea0c1d7ae262e66372a7b30844ef5c9b56a2b9311eb6546cdb909c056036361d6f1a40

Download Submit
C:\Windows\SysWOW64\Lgmcqkkh.exe

Filesize
128KB

MD5
7d3153aeb7021ed071a6df7f8bda43d2

SHA1
d85458825611309a797436814cb6e588433cce6a

SHA256
7cbf69456fdb7b9e165511c38edb1e60e4fc697afbad14cb3358b4ef207b50e8

SHA512
93273bde6de9d012d50f0dafaa06973ccb489c98f0ae2ea6dab558b9a4688e05c29fc055f6f187957556da7ec5564b5c47435a2150535b733a6164a6cb7d18e6

Download Submit
C:\Windows\SysWOW64\Ljibgg32.exe

Filesize
128KB

MD5
d1484c0632dd568da15b59f4efa5fe6c

SHA1
2001ae4adf51fd4e54b54066a552d2484a119797

SHA256
0fd8dfd993a6d5f4ea5142de5797b556ca08a119490fec0ccc7e60fe7683f994

SHA512
e959801cee983693d3def50b0a3321db461fb36b995aa5f23cb23020135a3dff49a608c11249e5bd578a7948399473f183d27203f8175d42876d3e9148007bb9

Download Submit
C:\Windows\SysWOW64\Ljmlbfhi.exe

Filesize
128KB

MD5
8353811445ce96427c3ec707997bca70

SHA1
759cb438e66f6cb4d018959304e299f46331232c

SHA256
8bd46a033add233483a0c429c0eecc526623345a65b72e1b376b78299a09f0cb

SHA512
ae739e9bf127e7b2e02248bb057443d1977af4560aaa959959881694e9d98d673b716d6f3ae7e4816ad7e4a27d242eea3419e0eaa8a4c824986dd577ab6d0f5a

Download Submit
C:\Windows\SysWOW64\Lmebnb32.exe

Filesize
128KB

MD5
787a54041a5f417f0e15fe1ef2111ec3

SHA1
189ceadf1972bd5cb0cd8f78504157317498d8ce

SHA256
285b64927f43bf436f492a94cf5e18b56ce7e8c30e74c3f4059249bffe99ad11

SHA512
9d625461f4588e17ea125d8d1b851a3844950c5d5444ffe4cccdf8cae6be486e957d502936d11120eb327960302aa52756be882b8e1b8afa1536cb0f6c8892f0

Download Submit
C:\Windows\SysWOW64\Lmikibio.exe

Filesize
128KB

MD5
076252a1d920de459ed9de644c6643ca

SHA1
dba87d39afb1c841d2d12a2e83489a35ac5bb360

SHA256
cf1c9370065878d7e89ef01c5565acb839f7f7d4e2d817fb1328d2e49cdb4531

SHA512
7e26abd4697edaccb71cfc7df62d26aa783c22225f0a2ef56bc5415dbb985eae2396736b6772b10e3225e68428748ef5d28dc1db04a62e22e7601c85c56fe8ba

Download Submit
C:\Windows\SysWOW64\Lmlhnagm.exe

Filesize
128KB

MD5
3bca3c8fece9e51a23471d4b2bf72b63

SHA1
8b5da1ecbcda2f3c91b77c358df9523b318d4a9e

SHA256
b7c7bad9188cea26903e933544fe7694799860559247bdbb59bfe430c8e71ea8

SHA512
82640c9de2b4eca26f8aad4df59b3da5c34ab440a6dd0a4e53043696a359efa2a05e0874ad07360544f6a47d51f38df30ae9775ed0aa8c194b23408661d9242c

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
128KB

MD5
aac1bb9260dc4035d802cefb77eab98c

SHA1
45b69c9c08883c261efed732425cde8156352ef3

SHA256
02019a4bfcbbbfd50420b721a1bd71510b55744b11d7c16820ffbd592b1c29cd

SHA512
ff3ee3e6979ff892da664de6506c042584e5c167fc1b5868d5f9b39fe06a58a91704116f0c54da9f29a8eda0a1600b18481fb0c3070887e12fef386a1480b559

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
128KB

MD5
8a4ee4ecc6b499bf15304f0efcc6fb17

SHA1
b96a2eca61e3b417a3edd5b7a79a9203f36777ed

SHA256
711328ef36cc0ffc198efa45bb7b241894707306adf228a71f7ff419cecf1cee

SHA512
fa7f7fd1202d9a607d484db447d35416ac93de46d574dfcd7caacc740089f34e4116100b25cc47da34c3e61cef606d86a72bce339a73885075c8e884538dc06d

Download Submit
C:\Windows\SysWOW64\Mapjmehi.exe

Filesize
128KB

MD5
a97f6c8aa633235c4513d409bd95c2fd

SHA1
ea9d006cd307b30ec1f59696673976fcf8d27147

SHA256
94de038c5002c89a83f57e42e3b9b99bb2533d693718222b04907dceac069a3e

SHA512
be084d64c41ee3cf9b3deeba84df0e1e8a74752271ba60fe78f5c6074fece94bafd14b3b68ebcae4b7bbb9edd62a8ea809841ecd054d2447fc2e500eba8c3a6a

Download Submit
C:\Windows\SysWOW64\Mbbcbk32.dll

Filesize
7KB

MD5
5a57f4354e08543d4b9bbb4a630a5be7

SHA1
e68c9dce5db0e8b42a6312513ebe2e9b7f1eaf36

SHA256
9b17e56667302d00ee63eab57a915faa8ad3613f9861f963ac06c073fb9cf25d

SHA512
708082b0d5083b4359bac35fcf332dc3dbc2ec5fc3235cd497929d0e77c8b69cc6e264bcabf3ab0c63fa16e3a859e4d5123fb8b9468ac4dd29ec333a7ab6902b

Download Submit
C:\Windows\SysWOW64\Mbkmlh32.exe

Filesize
128KB

MD5
804b2732cf8ecf6b801d4ec62f4dfd65

SHA1
415bb62fc201846ec04d4335d1e4b019eb59ba2f

SHA256
af715b7205daa20e3c8d5a380e0340cb659bacf68fda17788a771aebea122be1

SHA512
9c2ee6459dff0374f49bac5f8905cec5e5fbed226d288752188e0bc8106fd066105f760b3756ddb0cd1414c4911f33cc62170fe832d50e403f82713fb83ce856

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
128KB

MD5
c7da47a829adaf288d9dd09574fcb2b4

SHA1
224d1304a1532edf90fad5d729c63fb12ac52f6b

SHA256
e2c2ac54ce5b514fac917235d10cd034c8b4d9db43ad38cbe52db5f506e780d3

SHA512
bbfd493e4a7702674cb53172e7321575ad331242fd8d9522c1f98b4f544d1661584d5097602813266467f932f146f7b5cc814dcffd44269711f23dd868c25cdf

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
128KB

MD5
0f39b7831416cb9bcec9e629fd760ee4

SHA1
b22247b15038f2f1363ef96247c124d73d8e7c1a

SHA256
872db4ce0f3c208521f417614468721b1c4ef82fd3c6025a9f2a4bec14f65f93

SHA512
116b0eeb0c0eb896c80978a5269321408fb14f5b2bbf7bbaf0d22b1b3ab1d173eb75718c59b297cec183fa7919719fed13243553f6b2d3104912bad7e87d3d3e

Download Submit
C:\Windows\SysWOW64\Meijhc32.exe

Filesize
128KB

MD5
439f238add9ec6f7c75d65a90972a0cd

SHA1
526d39d2bc50a1d5d08987e7411c982a470a3928

SHA256
4c5bf6c69d47ade4dd04ac6ee830bde7fe7fb17d96003f4bd45f1ee1e11b3be3

SHA512
97e5410d21607e0c12561102ab09fc16537726144a2ac510f7ed7bb63bb65e0544eabae09bb79dc86cf1d810cb2f207c92f099d1974406bb82e89d8ceff0c1ad

Download Submit
C:\Windows\SysWOW64\Meppiblm.exe

Filesize
128KB

MD5
3d22a3929942ecf05856295914ea7226

SHA1
885902a11c236eece99d0eec740d0396b384f00e

SHA256
75a4a2e8473af4b9181934c18ca0aace66ee27c34c65508b59f66d5e336c9654

SHA512
524d2b98531e23ebc7621814cea002f66d28828da4c29cf696c22d45a9454db273f38ad9fcb9cf4320da379e1370f54cf78f1ae104ff6ad095f5200c59acdff2

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
128KB

MD5
8409b6752e0dbed30f945dbda204f2c5

SHA1
bbb2a6b2976cc2a8f16c2717369690f6c79d9f51

SHA256
058044989ccdf2f274cbbac0afac1698fedd3100b8d61556352f018d315a9e0b

SHA512
4f130c0e43078b034bc9f2473ea184eaeab2373bf212f2e00f18ba596412f764ff1798b8ec7ae1a0bb1d44647d170c8bc6d309d8cf0c04ba423d26f2f2722b8a

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
128KB

MD5
56baeb3cf44ba83f99310ca54c26d2ee

SHA1
4854bc404c2e07401087f349e62535613b0783a8

SHA256
8c6e18687dd7146e768667c207c99054c047b921249b138ba951ebe4a92303c4

SHA512
a72090c70c8cab2e3d00813a5be886e8a0744770a4713394ff6c52bde0df5eb62c7f8cb7a36147bf596bd4829ca672e8555e564eff892ff29821db63c09e0919

Download Submit
C:\Windows\SysWOW64\Mlcbenjb.exe

Filesize
128KB

MD5
27ffed3d9272cf7d62d90152feeeca69

SHA1
a2ddf1fef94da0d6c89786209c4892d545fff390

SHA256
e98210ccec7474d7a54a21837deebe9d6898e25126ac7858f3728d818e2c0e44

SHA512
001b0c770ffe20acf17a911944bb109d6e611b1ed022ccf3450d9b7a2f0ce5d830b667a28b361a38cf7e615c24f437481e4b678d5504371f9906633dd52bb985

Download Submit
C:\Windows\SysWOW64\Mlfojn32.exe

Filesize
128KB

MD5
35bb71c84c077b6c5e19814d33fe5c73

SHA1
2572943dac037fb0abddc449d78cabbc171b2775

SHA256
1c89667e779ecd87718da7ee2e8a530c2e7f506cc287928df49121f2aa5d2e6a

SHA512
60b79c03cc82fb211e70e909a55e05d3d97d1398ce465b4b5334113da0ffc12df6267c7f98601e5f1725eaf6bf3cd6d9ba9f1bc9b821e81b3014a0d431c9be7a

Download Submit
C:\Windows\SysWOW64\Mlhkpm32.exe

Filesize
128KB

MD5
1f4007d48a5417e8b313a6fcb3f15a40

SHA1
bc6edb78c726b336c9a384e9fe6f198336a90af4

SHA256
1f175381873219c36b2db8b7b5dff722c4aec53f5f32573599a0fa32bd6b8315

SHA512
861cb626ae15668d164d04288ad36eedcaee35b06c113ae176ae85b588499a100169662f23c8811b1bd7e12930d79b591514cb9d0ca597e398c5c2fd20d70ba1

Download Submit
C:\Windows\SysWOW64\Mmneda32.exe

Filesize
128KB

MD5
181e3032aa8fc292b5285cb4a68395ba

SHA1
ac6e9304faecff51967546961a6fecb5a3a03a4b

SHA256
03dbea6270ebca49d1d813adae91d6bd806c0ae3e4d28ab85d8e95de6bddbb5e

SHA512
1375792dfe40e7f9e6c28c0540b31e2f5eb4dcd5a868f935b45501ebf3a4506a63b2a64453737d91bdf515e3caca73158d6c2a3a87a847e5970702c8dc0a7cf4

Download Submit
C:\Windows\SysWOW64\Moanaiie.exe

Filesize
128KB

MD5
307e0faac4c8732c8d272251e73745f6

SHA1
d3cfb610fa60bf9991100acc475eed354bbfad61

SHA256
d548d425a80c6800344a47d47770f072bf3808e270c3d906b16e070aeda7f18c

SHA512
b26d6864bfc870e4e31a3fd1b5326a0e0680f777c7f7e19186208fb95a5b86412e48a042f618e23e6dbe615428d64b8f000eaa033a4e92d9557991c80e9bf44d

Download Submit
C:\Windows\SysWOW64\Modkfi32.exe

Filesize
128KB

MD5
716311cf4a9015e5f9d936b0aa69f14d

SHA1
983da9a55b6e14e93e6e5b942374e0759043bd16

SHA256
99ca4a50195eeb48ac71902f58db2c4f4ab6cc4f0274e6e2a62dba972675a163

SHA512
c7639c54924288bd2b35c50349ebf35fc5061876fb933e36dd2d1450f17fd5c75c148c64a190d6586c1b253017c76e1f12efa2b169e8ecafd2fa63d7094129ce

Download Submit
C:\Windows\SysWOW64\Mofglh32.exe

Filesize
128KB

MD5
2b8f4c22f7071cd8135abb9e79c960f5

SHA1
484f278f8f235004070a845065fee7a4f096d582

SHA256
c76ee11c490e4f3c63e4d01caebac5d7d5391c88810f5ef47cd9eee088706f6e

SHA512
67b321c2dd10fa7b978869ecae9dde8c829e8acbbd84b551ac352019935076662e6e4d62b7e4ca3ed39c246632fb880f4b340415ec862b27a717b48e1333cc60

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
128KB

MD5
14195534a37a5877205d21cf6e1cf895

SHA1
4db20fcc48f74da550a1fce89dae6a07f07623dd

SHA256
06a0d5b89b77cbee4470181ebcc72b9c914574720e6c27a044283a6628cf4976

SHA512
8eaab9f8fe6f141c8d986a37f71c0b87fdace6be6044f98202239f2e1d3be755f0b6f7f39f096022c36cfafeb58163b9e914e7ee53bee682bd8f9744b00419a0

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
128KB

MD5
9fc0670cec28edbf9dc504bdac303cb6

SHA1
a1903e336aa217987bb35250347749f5f8d93af0

SHA256
98d7124ab5de7206bc8e2b16c97a6a49ccee01ca50321139ecaa5519a8fe2492

SHA512
050092d7f6835cc57b4de3d83c04da6a0b34f3e81686a9bd46e40701d8d777bc3a409d4bb2ad68ac7e6714f8a94874971d484b99f120ffb79b56c16306ed67b5

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
128KB

MD5
1a5b7a9e1a6c0798e887631ef668e29b

SHA1
9f18ab47feba14821a8aa49f9ec39bbc4b790aef

SHA256
e5e8372e270b9c91cfec2bff0d7a8b46e922f4ff07ff5d99ebdb07b1b0e826a6

SHA512
ab4944934cfa87a4ef2936156494a98fff3afcdadf9138fbaffea553d93604f78c3af23c95fb93df13049182cef5f213e148e70b4915f83ffd229873aaca3bea

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
128KB

MD5
36c009dbe46a98d870616b4d3da2ce95

SHA1
44d5da20cf17ea0336608079effc9dde2a9c84af

SHA256
358a7d3517f7837c2932019065e62e1c85b0f6e30267b65e099c1d1ed66c533e

SHA512
12d8ab51417ade919f5b659bd9f172d5bf00ccfe2fe74f46eb13530c790b3ccb6dc9d571dca2265448dd80c2d4a175110254f52ac8dde7894811dbae8fdf00d0

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
128KB

MD5
92a07f675a83df13084cc695ae95d485

SHA1
5e447182be776bb75fd398eef090298099842043

SHA256
ec05fc7cf4ad63533c6e93572d4f3cb6e31fdfe320772fab82bde0fc407431d4

SHA512
6c940e3d99360b31edc2a4cb0325489a620e9311e47c87057375ce66eeb312665d3be14ac25f21dd406cec939144facc974e682e9434c8cdbb068e53077b06a6

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
128KB

MD5
93b1ee7bd4c0e73e75949d1ac06177c1

SHA1
55c2ef9d41ceb00a06b6516f88740dd0048cf974

SHA256
da4ddda688d711bc211722e571673f5ea9445451bee4f081a18c87a76e4632bb

SHA512
156559479d6578a4615c59c6f1248b8780f223dbbf69b8bc84bc1965a84fa7a397f4b15758cec1c66adf4ee4e4b58cc385919d9ba94fdc5c6c8d60f1b99b4f93

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
128KB

MD5
89dfb01ff96d62e0b6c30f476d015295

SHA1
02e2f4512805dbdf08f304fa358494c5daf3ab94

SHA256
0e9626ee6146e108eecdaea13b38c757debeabde2e01afe753468510619f7024

SHA512
3192b29071580034565f26c25d58fa551032f7c496effa2e7140e20bbd7c522b9b4e837476f7df0d9ce076334c30497fde5c49d7f88a0e86b99d8cb3cfacc6d5

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
128KB

MD5
d1ae5113a729e80bd2d0025ffb4733e3

SHA1
d96f2c2c882c3952f4a8d14f855919c2f05136d8

SHA256
bbe41e4481769dec3d52aceb521adcd6d8b3bd4d1a3dabb2558d81dbb6f9eb58

SHA512
8ca94759bd7a2450357353986939290d2e78fb3ee576db4a4df2763bad56ab2abee7c1029523ac032a6987179460f7dcf1fb46fe434a67cf3be9384a44a33378

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
128KB

MD5
c2cd516635c073282f5b4a1d38ef04a3

SHA1
d0c4fe946954d298a76105756ff0a2b6031d6707

SHA256
793081dd8d122f678b64cc307ccf2937294536070414dcc0d675948c7b001c52

SHA512
8f7301f6b28375228ba2710d2f720633d2db44bcadb9a6754bc6aba2a5352cf826f5d5e7279c8bd1a1378a041a344b5a9c5eb5f6d67007189502630c75977c4f

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
128KB

MD5
f7905c1f08dda12ccc5d805cc9575c6a

SHA1
c7720d3c3ba8f7c2207b686c368a6db3eed7e24d

SHA256
e6a83156c013edc0e0cb809a7b0c380da9cdb790b2c3d7a66b76cf8c1da1bdb8

SHA512
c613122145873441c26a6e41aeadb76eeadd58895d51f58ff5b8c254934aa3f65366dcf2ee11a01fac0635772aba5fd785d38c349e6f4e704fcb9c0d114b0f8f

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
128KB

MD5
b53c115085ddf5cab5c614473abc2749

SHA1
ea648afc86d30fe59417712edff7515ca1c6c980

SHA256
ba2d007295d74c245060234d3397fb6c10718a96106839d153d17e8bdd67aace

SHA512
b2c48318c737ee3a1750722fe7e2a303912d7e10a7dcaaed5713d27c8cef0e5e3789ce711f8a04a0e98580fc1e5af619932209d000ad84b5d95753e798b4c3ee

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
128KB

MD5
2467f3e21d594aa6f5a1458203b0cc81

SHA1
316c4aeb0e373bfa72c5feb2a191e3a0e9003a06

SHA256
5f8d89915ca4e504c7f4deb42f8c0438bd18f0fdb3c146abf54a299c2a1ae91f

SHA512
6f9191710fc16b41a8894815556e27389128b3a6614aece53164a538c48352cf824d8d2d255cdd15c4bd70acd415c5991c76e9f7b74c08eeeb7953e89398bf36

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
128KB

MD5
aebb62b4e3c8a1351b779e968361a2f9

SHA1
fdfe8afd9cedf4b239a05f44ec87e5504e5ddd2d

SHA256
a075d8bab869d7ae93a24e4dea97f7ff7e58777d16294451d56bd485aa90e0c0

SHA512
a857576aaf7cdab95f65832416b6b99bf4d38ce9621c6a5463d2e496ae1af9486f4fbbbbf13b6a94bb763d3a00c30f4f93674310363c1161eabe10e0c02d3515

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
128KB

MD5
927a12f2f8a699a337ed81d3ec1bcc4f

SHA1
756f6713672311b2b0c2e9b7b39167dc69f291fd

SHA256
62cf52c9c725c0daee46b56335ed0ba93596bafdf545ea4cd306391898759304

SHA512
65a8e20e184eea9d0fb96dc2fa4a858b7ccf43458c7ce0ea27aefb520d7adf4b91446f5dd75f23403baab6d6e671bcdfd7948ddf11e2f1ff68b94f761406a070

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
128KB

MD5
9426cb62285e32ecf55e1ba3e70c237c

SHA1
82dbd6718500bf8cfb2077646b2e64531a60e66f

SHA256
39a371bb82feb3a3dcc3dbd13c8b645e6f42c002a551547e1f7b2930eb088b3b

SHA512
9e6577d7f4c14ad1682e7330e08b13b410bc04715dcd207858aac871e4a49b4d60ac5b25756395158a529ca88b9d46bffa26098bc6bc776a9c094fee3aa461a9

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
128KB

MD5
7d89fcf0f9126eeb095bdb415e05180e

SHA1
6623c27a72b8fc0c00890c5dc8ed16c28a7279d0

SHA256
da9ac5422bfbefe1df8d83740f2ca1d4428721c1dd96d277f38f182cf54b195d

SHA512
18b7cbf63118367843acdddf5ba01aacdb1fe46d729e547548c8cc48f82205c06b4872f79aba05e37e749a62f3f665bd0886a3c327156101203f18ec72b1925d

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
128KB

MD5
03a1688a674492289716f7cc6a8a6655

SHA1
a526d70a30df745f397d575cf9da258144e99060

SHA256
d31081658f46490cabd57ed85e856253f6a9619762f72b95007ea8535dd63274

SHA512
cfe744c992fba238709cabb2cde3442ad64646ceba2fc7b2566288a5af910c2e6041c3f22f4195c6abf129899e2bbf0a2e5182a198d26883fbfb1b864c05c827

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
128KB

MD5
5e0e034172a183a5239dd634de348e69

SHA1
61f3563639aeae0572db1b0c29ab3af419781b3c

SHA256
4a4b8ebc9cd0d71c685a03e2014bc8fffb4180674f5d063d745da9867e1397d3

SHA512
a895e576409d22cc25c242e34345790679b76bf6d5963c0fde78ed5c12dea246b579a4ec78b63505a84cd1679f66839a228bdcda1ac2fe95d2283dfa205b7cc5

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
128KB

MD5
d66e3cd5a3450ab71d5556e3d9c9e3fd

SHA1
6e84e56a195687fa4266d6a18d94e5586f39aac0

SHA256
6fede8f916f53864b0211a9fdcf7fc8552d2a90c97236188bfaeadc0cdfec2d4

SHA512
a4ab45e72f76801ae62adfa52b40689c25bad3c806e08bda93e93a39c1b3ae7ebf1f630e2a360f8d6c22d2ce74628c323fc8d6c81746b30e73ffc6061c9fd260

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
128KB

MD5
624dc7de26c4496b617337779788b26d

SHA1
6148a91c912037f84cb21c7017a3858fc9add431

SHA256
17ba724d708177fca5ce23501283796393eaf5e41f9c2d89ed452b54ec2eb38f

SHA512
e633d74c3818b9a9b836f5e45f46f90a9ad4fabbf7bb3091c10a09452d106d185755e8347e38299dffd7b1f9a6ecf53d487c9dbe31a427bf1725acebf20104e8

Download Submit
\Windows\SysWOW64\Hiknhbcg.exe

Filesize
128KB

MD5
16e44491187a2cfcb6f13c3cc6e93506

SHA1
d233ca8bb6482f88132543a93ac292a8428b4ffa

SHA256
c9d68efc33d6b2cf1584ff99f0f9f4df21cb89ecda1134221c672eadda667744

SHA512
ff88086c0d32377210ea5846be156fd10c2a592f8e190ad2b86f15eb65d0b19bd4d1eda80a9433bc726eb84e177e5433db44f97e9de478c3b6cb576d89821d22

Download Submit
\Windows\SysWOW64\Idnaoohk.exe

Filesize
128KB

MD5
7fbedf17c430d7b0c17bf60739a4f098

SHA1
640a0c3821836c0146ae46b3e90a4e06e595d9f4

SHA256
f61f9340c0b8a393f688c33997acb0449cb48f043be55576ed5979f244804996

SHA512
be3d08f98d5733b5bf97b312c8ba54e0bac1aee74e9e0c08cdd29e7f014bdb6a8070c38622ff9fb22accc929968b3050081c0b51b8028f20308666419f15f31f

Download Submit
\Windows\SysWOW64\Iimjmbae.exe

Filesize
128KB

MD5
f32fcbb3f94c5f457f402bdf5e9f727f

SHA1
0a5b64b6ad0b59d1a5085b4f6a17daff840780d5

SHA256
2316fa25d363d21cd593667889baeac383ff18edb860b57b25d21b7f8fca91e4

SHA512
bd5950b378a9934e5569091e5392392413df09f6884a7c5eae714eae3c9bc704acf9049707029eec7eabe6d72f4784dced18619a279fcdfa9c0bac93f646ed2e

Download Submit
\Windows\SysWOW64\Ilncom32.exe

Filesize
128KB

MD5
0d0d691559e02b3bca068763f299779f

SHA1
dfc531515ccc0c448e433377b708bc0ddd1f337f

SHA256
898475fd655ea755fcd07954556a330d27c627f169b1018fd51d7cd8aeb7faed

SHA512
e4d319887679e63b6d887d53e7d8fea5c0af380ecf8c1d88b5986dec7c658f352768fe4fd6cef03c76ce2f4dd76d77ab8de7dce93d885be26e87af068b84e9a4

Download Submit
\Windows\SysWOW64\Iompkh32.exe

Filesize
128KB

MD5
582777030329eba4bcdc6fc631770753

SHA1
664006cc87220aac307e5be62bb8fc83ef1bc6e2

SHA256
7f66e9ccf8de8ef8618dd4f2ac541b2747494d467ddcd9f2c9f417ec2bc1e176

SHA512
dfae79597eb3db806f2da21ae09985177969be6428be278635067157e5edb73110ef0f20f8df20e3663018478373b828a4d63201e191127c549976cb1f2acb5c

Download Submit
\Windows\SysWOW64\Ipllekdl.exe

Filesize
128KB

MD5
3c17479c1eab9aab5f80ab54d40ea497

SHA1
0241867350163bcc00bb468318303c17591de4d1

SHA256
6c468890e6f0f0d2cc08d6901d4356be5374a0350d28ccb30998bcccc17c7934

SHA512
b5a484a50a3a68dbc13c7e406b6e7a92616ac554c6fb230b707e3bbb3b59282c060987fa7fdcae93d11d2b0d6b0e4790edfae54e9a07311a13a8498a705b4667

Download Submit
\Windows\SysWOW64\Jbdonb32.exe

Filesize
128KB

MD5
fbb30417b215cbcd5ce252839da473f3

SHA1
bc5a5bd3f65a3fd7d28cace7d7c8f128d85e2044

SHA256
98c79342eaf387db05dab09214483c5bfdfc3bb7cb81810b23a3668e378775f2

SHA512
a165ff0479d7a4dc4d1798a69142c6bd48c1532a355e55cc76ee3cd64b6abaeed2bbe3a4ef92b72cdb0e556ab95df6884447f0503bbf5a0fbb19b23903c1c799

Download Submit
\Windows\SysWOW64\Jofbag32.exe

Filesize
128KB

MD5
2d105511b025b19af6daa82f96417e96

SHA1
f8d945074394bbc40d09a57968f6b01ee88eaba5

SHA256
803553aa9979703cd838827c0156d58cddd23d42dc025b9f7d129d95cabcc5dc

SHA512
84825f117e4c50eb8e4d780cb684f0c90c082907cebb92bf7ae1a6aabf89bc93b5aeb885fb0243d2203cac9c52372486ad83ced9265e307f5c8f69cb644c2fd9

Download Submit
memory/640-109-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/640-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/640-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/880-317-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/880-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/880-358-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/880-367-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/880-318-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1084-271-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1084-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1084-286-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1140-164-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/1140-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1140-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1236-284-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1236-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1236-341-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1236-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-315-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1268-314-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1268-255-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1268-245-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-256-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1460-308-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1460-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1460-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1460-357-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1532-325-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/1532-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-266-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/1532-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-319-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/1628-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1628-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1796-265-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1796-207-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1796-264-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1796-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1796-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1912-327-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1912-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1912-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-293-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1956-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-345-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2096-179-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2096-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-125-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2096-171-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-126-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2124-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2124-220-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2124-270-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2404-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-238-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-11-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2440-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-66-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2440-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-188-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2528-140-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2528-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-128-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2620-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-383-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2652-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-20-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/2708-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2708-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-369-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2768-368-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2828-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2828-353-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2884-218-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/2884-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-217-0x0000000000300000-0x0000000000342000-memory.dmp

Filesize
264KB

Download
memory/2904-254-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2904-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-186-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2904-181-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2948-344-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2948-390-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2948-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2948-343-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/3052-384-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-391-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads