berbew | d636ab1d6201c2284f2dcdb0c54ffce34b31d11bbd19a629a007ea5cb0dea488

Analysis

max time kernel
107s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 17:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d636ab1d6201c2284f2dcdb0c54ffce34b31d11bbd19a629a007ea5cb0dea488N.exe
Size

94KB
MD5

2837cc16a73f61e303df5606c35d22d0
SHA1

12158e74d9dd2e19e954c099b459c27e6fb21e64
SHA256

d636ab1d6201c2284f2dcdb0c54ffce34b31d11bbd19a629a007ea5cb0dea488
SHA512

94061afe02268c3142be73aff2fd89d958e56d98e6a33ad40359aeb04a5a4ce4eabdc1718e970391c7604631d482875d2efc39467a80b1d9484cfdbbc840f1cc
SSDEEP

1536:RFSfrShllIXhf8pY4oNG1LNdG+RjYq7BR9L4DT2EnINs:0ShllM8p0GPdG+R0q6+ob

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d636ab1d6201c2284f2dcdb0c54ffce34b31d11bbd19a629a007ea5cb0dea488N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4468	Leihbeib.exe
3104	Lmppcbjd.exe
2624	Ldjhpl32.exe
2580	Lekehdgp.exe
3484	Lmbmibhb.exe
4228	Lpqiemge.exe
1912	Lboeaifi.exe
1772	Liimncmf.exe
4928	Llgjjnlj.exe
4632	Ldoaklml.exe
2248	Lgmngglp.exe
3752	Lepncd32.exe
832	Lljfpnjg.exe
1196	Lpebpm32.exe
4884	Lebkhc32.exe
2232	Lllcen32.exe
2960	Mbfkbhpa.exe
3824	Mipcob32.exe
2884	Mlopkm32.exe
2928	Mchhggno.exe
3912	Megdccmb.exe
3460	Mmnldp32.exe
2172	Mplhql32.exe
2532	Mckemg32.exe
3836	Meiaib32.exe
4816	Mlcifmbl.exe
764	Mpoefk32.exe
4164	Mcmabg32.exe
1816	Melnob32.exe
4968	Mpablkhc.exe
3796	Menjdbgj.exe
3608	Mlhbal32.exe
3116	Ngmgne32.exe
5084	Nljofl32.exe
3968	Nebdoa32.exe
3220	Nlmllkja.exe
4528	Ncfdie32.exe
4060	Ngbpidjh.exe
4684	Nnlhfn32.exe
3828	Ndfqbhia.exe
3488	Nfgmjqop.exe
2432	Njciko32.exe
3356	Npmagine.exe
4688	Ndhmhh32.exe
4748	Nfjjppmm.exe
3856	Olcbmj32.exe
4052	Oponmilc.exe
3644	Ogifjcdp.exe
4496	Ojgbfocc.exe
2920	Opakbi32.exe
3636	Odmgcgbi.exe
1520	Ogkcpbam.exe
4960	Oneklm32.exe
4212	Odocigqg.exe
3288	Ognpebpj.exe
5092	Ojllan32.exe
3312	Oqfdnhfk.exe
1508	Ocdqjceo.exe
4692	Ojoign32.exe
4988	Olmeci32.exe
1628	Oddmdf32.exe
920	Ofeilobp.exe
4504	Pnlaml32.exe
2856	Pqknig32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6448	6356	WerFault.exe	242

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 4468	2744	d636ab1d6201c2284f2dcdb0c54ffce34b31d11bbd19a629a007ea5cb0dea488N.exe	84
PID 2744 wrote to memory of 4468	2744	d636ab1d6201c2284f2dcdb0c54ffce34b31d11bbd19a629a007ea5cb0dea488N.exe	84
PID 2744 wrote to memory of 4468	2744	d636ab1d6201c2284f2dcdb0c54ffce34b31d11bbd19a629a007ea5cb0dea488N.exe	84
PID 4468 wrote to memory of 3104	4468	Leihbeib.exe	85
PID 4468 wrote to memory of 3104	4468	Leihbeib.exe	85
PID 4468 wrote to memory of 3104	4468	Leihbeib.exe	85
PID 3104 wrote to memory of 2624	3104	Lmppcbjd.exe	86
PID 3104 wrote to memory of 2624	3104	Lmppcbjd.exe	86
PID 3104 wrote to memory of 2624	3104	Lmppcbjd.exe	86
PID 2624 wrote to memory of 2580	2624	Ldjhpl32.exe	87
PID 2624 wrote to memory of 2580	2624	Ldjhpl32.exe	87
PID 2624 wrote to memory of 2580	2624	Ldjhpl32.exe	87
PID 2580 wrote to memory of 3484	2580	Lekehdgp.exe	88
PID 2580 wrote to memory of 3484	2580	Lekehdgp.exe	88
PID 2580 wrote to memory of 3484	2580	Lekehdgp.exe	88
PID 3484 wrote to memory of 4228	3484	Lmbmibhb.exe	89
PID 3484 wrote to memory of 4228	3484	Lmbmibhb.exe	89
PID 3484 wrote to memory of 4228	3484	Lmbmibhb.exe	89
PID 4228 wrote to memory of 1912	4228	Lpqiemge.exe	90
PID 4228 wrote to memory of 1912	4228	Lpqiemge.exe	90
PID 4228 wrote to memory of 1912	4228	Lpqiemge.exe	90
PID 1912 wrote to memory of 1772	1912	Lboeaifi.exe	91
PID 1912 wrote to memory of 1772	1912	Lboeaifi.exe	91
PID 1912 wrote to memory of 1772	1912	Lboeaifi.exe	91
PID 1772 wrote to memory of 4928	1772	Liimncmf.exe	92
PID 1772 wrote to memory of 4928	1772	Liimncmf.exe	92
PID 1772 wrote to memory of 4928	1772	Liimncmf.exe	92
PID 4928 wrote to memory of 4632	4928	Llgjjnlj.exe	93
PID 4928 wrote to memory of 4632	4928	Llgjjnlj.exe	93
PID 4928 wrote to memory of 4632	4928	Llgjjnlj.exe	93
PID 4632 wrote to memory of 2248	4632	Ldoaklml.exe	94
PID 4632 wrote to memory of 2248	4632	Ldoaklml.exe	94
PID 4632 wrote to memory of 2248	4632	Ldoaklml.exe	94
PID 2248 wrote to memory of 3752	2248	Lgmngglp.exe	96
PID 2248 wrote to memory of 3752	2248	Lgmngglp.exe	96
PID 2248 wrote to memory of 3752	2248	Lgmngglp.exe	96
PID 3752 wrote to memory of 832	3752	Lepncd32.exe	97
PID 3752 wrote to memory of 832	3752	Lepncd32.exe	97
PID 3752 wrote to memory of 832	3752	Lepncd32.exe	97
PID 832 wrote to memory of 1196	832	Lljfpnjg.exe	98
PID 832 wrote to memory of 1196	832	Lljfpnjg.exe	98
PID 832 wrote to memory of 1196	832	Lljfpnjg.exe	98
PID 1196 wrote to memory of 4884	1196	Lpebpm32.exe	99
PID 1196 wrote to memory of 4884	1196	Lpebpm32.exe	99
PID 1196 wrote to memory of 4884	1196	Lpebpm32.exe	99
PID 4884 wrote to memory of 2232	4884	Lebkhc32.exe	101
PID 4884 wrote to memory of 2232	4884	Lebkhc32.exe	101
PID 4884 wrote to memory of 2232	4884	Lebkhc32.exe	101
PID 2232 wrote to memory of 2960	2232	Lllcen32.exe	102
PID 2232 wrote to memory of 2960	2232	Lllcen32.exe	102
PID 2232 wrote to memory of 2960	2232	Lllcen32.exe	102
PID 2960 wrote to memory of 3824	2960	Mbfkbhpa.exe	103
PID 2960 wrote to memory of 3824	2960	Mbfkbhpa.exe	103
PID 2960 wrote to memory of 3824	2960	Mbfkbhpa.exe	103
PID 3824 wrote to memory of 2884	3824	Mipcob32.exe	104
PID 3824 wrote to memory of 2884	3824	Mipcob32.exe	104
PID 3824 wrote to memory of 2884	3824	Mipcob32.exe	104
PID 2884 wrote to memory of 2928	2884	Mlopkm32.exe	105
PID 2884 wrote to memory of 2928	2884	Mlopkm32.exe	105
PID 2884 wrote to memory of 2928	2884	Mlopkm32.exe	105
PID 2928 wrote to memory of 3912	2928	Mchhggno.exe	107
PID 2928 wrote to memory of 3912	2928	Mchhggno.exe	107
PID 2928 wrote to memory of 3912	2928	Mchhggno.exe	107
PID 3912 wrote to memory of 3460	3912	Megdccmb.exe	108

C:\Users\Admin\AppData\Local\Temp\d636ab1d6201c2284f2dcdb0c54ffce34b31d11bbd19a629a007ea5cb0dea488N.exe
"C:\Users\Admin\AppData\Local\Temp\d636ab1d6201c2284f2dcdb0c54ffce34b31d11bbd19a629a007ea5cb0dea488N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\Leihbeib.exe
  C:\Windows\system32\Leihbeib.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\Lmppcbjd.exe
    C:\Windows\system32\Lmppcbjd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\Ldjhpl32.exe
      C:\Windows\system32\Ldjhpl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        26⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        31⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        34⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        40⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        48⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        52⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        54⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        66⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4444
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:452
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        75⤵
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        76⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        77⤵
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3916
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        89⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        91⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        94⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        95⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        97⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        99⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        104⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        106⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        112⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        116⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        119⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        124⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        126⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        127⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        130⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        131⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        132⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        133⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        139⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        141⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        149⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        153⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        156⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6356 -s 212
        158⤵
        Program crash
        
        PID:6448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6356 -ip 6356
1⤵
PID:6424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
94KB

MD5
a1c9b3a9710c0989606ac030838a8af3

SHA1
fecbd4dfb49fcc23b770c2bdec874e8455c5fa8b

SHA256
2cd7e2d993e29090766388602986f544ddd12f8160081cd955f5d4583d70d227

SHA512
84b31613fcc1ce7a9eb00196646067044f97ffc297d39fd3ba9b24c851edd7da67b9f2c900aad50341162a73bb76c74c0a94ce78ede2beeff948b8847625ce1d

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
94KB

MD5
03ac442a93fe27b7abf9682f08062538

SHA1
e0d62bd5de0a043bd4ee31fac747509804ae3bb7

SHA256
d6f5e19127df7eed1f7946a94602ff772cc3731605c983aedc9579ec9a6b703b

SHA512
b95085f006248194df1589e950468fa1ba89d68867a58995fd1599e16d315c754eab845d3acbb0f445b801bd776f7a6aa7fc25ac08818c351e150b3a550f2536

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
94KB

MD5
0b4a476f05334fda1af2e295d2b131e2

SHA1
739a7f5d1ebb8038c2b63233e22a1932cf48c404

SHA256
01995e53b75e0d18ae92d0fc700aecc385b2e84a4ee2d1db0fc97bd2d3efdd6f

SHA512
7fee52329739571fc8da616589eaf9519335ce96ba568339bc412c9530177373b1e6e4cc6486ce994ed6f46a0d4395c80a99686777130cb8a5941a8b858e4765

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
94KB

MD5
ffcb3c69a37a451cc8a672e201711422

SHA1
af4a11792d5bbea4a67b8f3e5eab12627c83a642

SHA256
09dcd9cefc57e4364a22d01a4d5ceda4d37794ccd8a54f2cd715ac4ad9eb2654

SHA512
c4d95ef4441c455b74dcf6bcdb2ae7c1987271a7977f5f5e2e3e70cacf3b32cd9ba6a4603c9161f6f32f663fbc5f95b6ee6fd77bbcd8f6eee629df16df8b1cad

Download Submit
C:\Windows\SysWOW64\Allebf32.dll

Filesize
7KB

MD5
ba6079879e5472f74ea29a96c98db0fc

SHA1
1c609e328379e7b19ae46f964800fc0287943ce4

SHA256
3df56f8c42f726aac409daed76a643cef5f951581f95d02cc0c5a7a0274bd352

SHA512
c3e4e3f802c32a1e55992199330cb7beeff0bf4f0730d92040291acd31a0adb868709ce61cc63dcbca3ebf4fe15b80954067f3f8d16506deaacba264ab2ade6e

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
94KB

MD5
87afdae504f169be189c69eb38de6c4a

SHA1
73a284dab92934c87fb2bb81ac168f19bbd8a469

SHA256
b1c35d07eb5bbdc4b2dedd479e4f85010fbbc8e8bb459930ef10090d38219fd7

SHA512
c0e3b64cb52f164936f0476c2fb32c062cf95741c0f1b805a23ad2cbbab4a6b997cf0b1301ee7fa6523c26ecfa692606094db4e859754e28cd712470399ef9e1

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
94KB

MD5
1b7837310b7fa70c5aab05cf51729c80

SHA1
fd46208c1eeeb5b253724e2d3a124dc89bf49a2e

SHA256
d8a178852011c01d73262f6e2a9a81243d5d21277e230a2b49f086153b8cacdc

SHA512
28f2b5478a5a59a36ba044db0470b151ee87f1e12524c0ff48476656d205d2339ee8f6090a4ed33027ba67b5e5bb6f70c33dfe32d55d778e808c2646cea359ad

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
94KB

MD5
f5b84bb7151fe488f308df32ac0ca677

SHA1
dd9b84c55f83dab9f07980bb4ae4d6d9a6acb78f

SHA256
e8d544e30c3ed28c3ea82f2781137783a7d5de337ed1f3eac4a965497617a75b

SHA512
8af27df21c3a2aea755b313bd9a605e632f55076faed450d6694b749ea890a340d0cfa26057c292aad1c0f0f247e5a0b3a7336b45b1d1236248f6ee54d1d3df6

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
94KB

MD5
5f22679c472efc0a10eb52595b1c5318

SHA1
888f3a9382fd9c0e1e995b4cffdab008e9d45765

SHA256
cea48bc383d97dbeb058a231b998ebabd1209bb4c264d76a41737c2cf9a4144d

SHA512
93ed0faec075ec1d0cdc99e0a066e04a2d1e685f1cb0a9b337e4f2e3d8169e972ea7b674add9451eff9173121b4b5b256ac0748d915085574c892e76a14143aa

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
94KB

MD5
47bdb6c546a2dbbb4a5ad171b5769788

SHA1
6ff71b8aca2a5a3a8429634ff71e742fb6b3b5fd

SHA256
372159126a9c7bc9f4eef9fffe5e77e9198046f6f7712fffd697177b67ddbdaf

SHA512
886b037a8e0461554cfc6b2f39bf3ba3030728701ec2d84e4266f7362a85730935bd165362977df35464fc4f966b251acbba3642116fe976990b9cc6e6aed598

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
94KB

MD5
0b36738bf5406b6ed385461b6993dda7

SHA1
f02e1ffa60d69801636c3fc67035af75c7931c59

SHA256
18c25500fc8ba2414b1e439d17b1d90c8fafbef553f78685c99c604dbfa16022

SHA512
566a834960d647041659e6f511e10e0171c3ca40680262488bf5ed02d3309fc00e16e376cbb4120a8d61808e28f9fe8875820546c927191c773763bce29865ab

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
94KB

MD5
cc16e213ff0cecacef08ca4653f986b7

SHA1
c7e85be2befe9574be736c39f169d7b929e96ade

SHA256
3bd7bd9c9e0ad98aba3e630fa7e26f71255769b21a4728796478848197339295

SHA512
8c3c2d0c014b0952200656be266ee0593ee8cf1eb4db35105fcbbd40e76266bcf73cc888b8aa53a7ad2f6f563e552c5c4d11b5b2185951e30dbe585e7a452ef4

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
94KB

MD5
01262153ebb15f6f47c7bf3cf9fb9089

SHA1
9484d3af1082e5d0c9df2d1b3edb67c8ffc31a38

SHA256
8aba6c0e8ce5802b3868dea1dd242ad9b1f0c47b40486de3ea501635f6f93053

SHA512
c16293ce6ced1a12b03e3f958add2690406d7fd3e3470ea55b1c0d1871d221af6ba689082d8ce815348f5f6b1b9cf2c9489f4a0e520d238f5e0152c8283e9f06

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
94KB

MD5
0b007620f21c5728856792ba2c609739

SHA1
3a01ed295c1a5a516dcc12c26f1d96e745f4480b

SHA256
0b9ed868ac327939887021f19e5fa285e48bd4ea39ee7eb609e3f5bb28ee22ce

SHA512
850120e6d5b220b48ea81535d75428ec8305f45c7ccbee39b0caca715a7689063c390c37497922aba09b95bd98a5b66b093c10f6a083710d232318e353254b99

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
94KB

MD5
14bb8a201ee37da79f76ce773c8ee3b7

SHA1
26e5e73d8221918748154e4435a1594569b237f2

SHA256
36d0fa0d8ad27272315e3cd675c070163b43165830969cff143f6a8b51743492

SHA512
5d37e8863e0dd950552b1548841f26664c5b60734239e584db69d2f2cff31af37804ffccaaaa192b68c048004e72430dea85f9ce90b1267b98ef4ae870f6a87b

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
94KB

MD5
3d48c585f2a478953dfeb1716a265fbb

SHA1
d331e64c4d20249e770d72dfb95feff3f2f0ded3

SHA256
f5312694a657697d1c476cd4c1f1ea0070a63bc6a2004bbc559618664673aaa0

SHA512
fe53d0e533d1984fbd4366e4b4139762a960fb287cbcf540c59c29e5a0408036800f7ae38dd5b96756b409775e333a3f6dee6b093bab45e34e924cc87f3da6c3

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
94KB

MD5
93a583b34eaca1062c5d85a93daec05e

SHA1
420b8f2ec7773103be78d7fad34453e32b62a631

SHA256
566894bae318f0fb26ac3ba82c318fe4063eea932e2a54dc738cda5507debcb1

SHA512
ca3768eda0c655409097bd9510417612146e2472f0764e62ed088b59021904b6670cca1d838d88c20c19d966c3992823c5343104162f4d9ec22e9e9de3182cca

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
94KB

MD5
9535889ed9b846cf5c65f6c7f4488774

SHA1
586b19590fc739f53f39ff57b53e2fcb3a21c58b

SHA256
3f0b1157f2739e286fea2d812023a5cef0adba17fe26d717f32b58eff727b8b6

SHA512
6d77afe372c8a1a13a0223163c2dfa7a4517052de2382eb3213ba67139757536bcb745810b8e7e3df08e169d905078b1f8dfceb5b2d8f53614552543eec0798a

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
94KB

MD5
9dc21de60682427da3c1922d5e4fb32e

SHA1
0ce2f9730d0afa66d5bd0706940d0e60435aa2a8

SHA256
b605c9d87c29cd1c3197a36433d8dd4c4763c98a673662e23fceb27d192d7dd7

SHA512
3ff5cacf0931557a00152c815ba64461ac1750307d403bb55926b9775820ee17465dc812d8a34b83c032ee3ac51aceff0a826e1618dec34b62e12fe4273a1e51

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
94KB

MD5
edfee323f023c53a475e9b0cbf5e0780

SHA1
d48bb7e46e0ea64bf69f9a46ee41ceb7f5f3578a

SHA256
9600703ac2f9a0d67affe91bf18e290c6e0c679555bf966c99282b95335ffac7

SHA512
93c84b61e146aa19dc58c687b202b070efc44530fc2ca42543f0aa878deec54bc8d6f9d473fbff0fd2ca7b538bb5637400a3ff4a04cced33ae337585395deddd

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
94KB

MD5
90139b7a9fbc99a4e68f4ee72105d1ce

SHA1
c216b57da50ef0d95727b454d78127594c9bdacb

SHA256
038442f3ac34332022b861ea050d61509ff6b15db1e358c09c94da3bf8c77929

SHA512
59a793e298dfcbd2047332bfb92d1ba4d532435275402d4745a6ec34d1f6446024f4942a57b380707afb945ddf89d5d852c5c1e028bf4779acec04a3400ec363

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
94KB

MD5
5d71dcd0b9258f7a9b6550ba2f3e60ea

SHA1
8153f69b58d5a67d37a14cb10f2b2fde92489334

SHA256
86855748bb946773d2118fea012fa3b964aefd67f4b80534d2b31bf3a6075ad4

SHA512
4a91ab118740c95b895017785519ece979823d26987ef09c341ced899d40a685a819cf77aa15ff0452a2ebb9498e6ec09c7b22efad459a4a2f34384081898ea4

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
94KB

MD5
d916b174ce421fa2f659987eeef4b981

SHA1
fcc23466267dba386bc113e7c153bcc6bf97c4ab

SHA256
31f0a75aadd9f19d330c4119488bca03cf15e9a974d1c5824efd1ebad8568d67

SHA512
c9b22239107be3316d01985d6da3ec191aa7c80a90be9667c660c2801d92ba8d6cce9fd7d70a7b1a2edf640bde3d817035fa971642a594d46bff68facc4e360c

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
94KB

MD5
5c8547b15484446c965765e7de34c856

SHA1
afc9273d6c0b15a1062be26ada3770275e29cd7d

SHA256
2a25513e3ce8eec851eda2417ca38c4319090f59bf0de38a4fb13b607b616cfa

SHA512
ca4d069c945dfd4f4fc82b13c81017d28c89acd7d50b13015cf68b1fd02214bcd41682bc67bef3ff3f0bf43eaa0221d368a0b926ad905328a61131cbbb433557

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
94KB

MD5
ab1fff5372a203e27c192c5a08ccb1e9

SHA1
804c5e9e7c871774f1fb51a77d7e97fd0969d396

SHA256
6916853b1a80ca0ddc1f02411356c45dbba128a448a3f85de053e3cad759ac1e

SHA512
a6daf1dabe6b806f72a2d78f56bd34f1c1ba2c00e5ebb5fb114bce9130f239170c03d0acbd574ae2b6ecb114277332ca966535c953f93c6985450568def116fb

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
94KB

MD5
76387a238317a53b9114d4a258040323

SHA1
49141a555948f48af256074ff5959261a89e74c6

SHA256
73d04e9ae158cc2ace7c4b50d3a8bfd5d7b9fd83f76994ddd4f2030298ea6ac5

SHA512
8d0c07ae2d630bf9f568d57e5a857288ba437bb81ebadd1e47f2c42126aaad6ab7c52851a9c56c4a675f168a7de7b6992f50630fb93e0527ffbcbd7ae105a21e

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
94KB

MD5
7b09273c18c9077fdff6095a2a14d893

SHA1
cde6c388597fc9787c9312ecadd5c793c7bd7521

SHA256
f6d81cce35112abc653f031069c8946183e4490474b03b626f85b5134a849a53

SHA512
73e02138efe53fa3ef37ad3bd965cf7ecad8a27c1635f15e77283a8dcab75fe1f6654d3fe935619cfb612ee4debd5bd1fe1d23178b4768b526708a44e2123be9

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
94KB

MD5
5d6860f923af1e9858aa99aefb1074af

SHA1
6784d012cf5a633a28bf8433180bf6f54f0db9a2

SHA256
8c28c53d2e4f5ebedd0ba4666973a3fec4cecaa63d9c39c2d0618ecb36ec5d20

SHA512
e9ef3d21728d26115aa040d4f27c8c88af39f0517ba12524e341d569e04a74b996d36dc74094a9d3135b0e230b0aac33e714f8b66c1992ffc860c8bd57f1f6c4

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
94KB

MD5
9a196bdc49e4c1a96e89b6c58db3b32f

SHA1
08d18a065ed336638cd141e314d44952fd8b5d5e

SHA256
de7c5faac8505bb8c4250d834a68493602fec3655d3e0416dc6ae19d41c3bcf7

SHA512
05a11f3e15128c90c88906533243016c8899baca270af54c76b447866f562ce26173c314001955ff71012763c75d3bc71dd1944b437ed41af15698a6e9d55c83

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
94KB

MD5
abdbefb2600bfe2105e8e13d1fb7e735

SHA1
bbfc6494c1022efa9c96d7ec9961e9f8cdfbda3b

SHA256
ef73b8fe0adc7f0473cbc3766aacb49d2f4c78e228347f3801a078b6137481e7

SHA512
1de969a54885fb0428ff33dffc7fd6fba02cfb23fdc0999a280c21e617292a456a868440b27994ebd4a5a670575669d2c924c121acda6612d3004c912d519831

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
94KB

MD5
7e7eca454f8be3f24ce5ea17955978f0

SHA1
38fb426bd0340df2666c44eee2f9b9112248ea00

SHA256
098d1a0c746e6b15874bb8ed01c2809c51a865ee113b70af61e425a20f5c0d6e

SHA512
66b50b454609c2612847bbb8c18a7d0321700d6d0c642024bbc067e82d2b8e80676a669a889a624278571b40d3cf0faec9feb430ae16ab64fa0d6f8d164e5a24

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
94KB

MD5
01afeba6963e9e9fefcff5d672659a4f

SHA1
41d5d9779ca850616231ea9bfd448f31d9fda322

SHA256
6df14ce440ce2af57ebc8e4dda47ca618fbdc048356f9d31e12ea90b732c95fb

SHA512
3785091460bf17dd2da091a035bf6a9d58012e2ecdf2555c9c9f5147cc15d906036cd599d1198d0515bc14e10ea32b10f18b0a4af33ee7d8ae70e7e5f36ceabc

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
94KB

MD5
2ffab602273ca662e44c34b2a2492dbd

SHA1
045ccb0fbfd98191cca1e60c7ccd11e2e7800975

SHA256
a96b8f8d18f15fe20b3e68da1195c6372414328e0786b32712c19df6abdadfce

SHA512
99f292626fe2236cc7e0613aa63ae36e8b0b909f6485756bf46bb33cb50714f5ae1c5958369884a89a5efe69e81b8a7fbffc1e81db5e3283655b49cc48cf37c8

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
94KB

MD5
5529d72859bf7c84e9011ced7e91bd47

SHA1
86d4059267e1511f1c1098ee889a590db5a738f3

SHA256
282d0f6514d38288cb32c026312408017eb1f073441821fa68b30d65dd1306a2

SHA512
508ecf9eb4d916ab5fd11b763f6fe41bb537ca0c69e86a4c9695fe92f1e6f9a7bdd7969468934fa03d215bbb7c2225fed45ba71e87688f33b630f56d10f9305b

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
94KB

MD5
349f8650fb0a8432da6046379d6b3cef

SHA1
dd4a13a6f505a22f90acec0240c644f366a43670

SHA256
94b734980ee22a6308acd5eab288c29a5213a9b0c152d1aadbb42314cc98dd51

SHA512
0c58d3e2f53c60e096ca4d5fa668f58d2b45877d0b75a17854aa94ab2100fb82b5049cb5bf839c7a9e483598135ef9f17738afe09225ea64c0b28b1fcd5fb1e3

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
94KB

MD5
9623b72196c915392381f73103a780d6

SHA1
ae83c53f77cf271223feb70091d7d58e955f9f99

SHA256
ee8be4434882fccb78767f6932aef22dd2ffd8f5f75634893d2bc6f0edc81edf

SHA512
ee37a4b4483fa3f165b57a721c56341ad5730102ded0f3c335c332e642fe6e6b3ee4f4d8504a5c1ff63f949a52f7eb41da73b82d85ef414ee51ea70ad3901695

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
94KB

MD5
bc699bd846efe6c6ef3470339161fa7c

SHA1
8ebaa2073b24ea4a4cc15ee5545e003789a995be

SHA256
af3828e3e01678f4346f3069eb62cfd9b5dced3872559aba9d8dd19619d80aba

SHA512
143c517487560e2ae067e666fa8d942ad9d3e7b5de26c6c207fd46a10d6b6870d7c7c2e42907ce6e0e7aa479e4c20d27bf2cfb1c712b3b6202bb8e26601dcc9d

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
94KB

MD5
fd75cca5c27a70dff26c721223a3809b

SHA1
d6993e1a061aab220d169da0eaeb6c79f95571d6

SHA256
fd54c6c12bc49adf7a88d804c1857c02cd49b98a47c9fba1108781c17e46e0ce

SHA512
f4d98a866d7b56ea60398ead8cf0bd6971e14a0f19a66da0ef4ffce5aaaf9ceed64024bf5d1cf97ba36755d7ee173bc6b204d75549ef6e4c7f653b7aea4dcee0

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
94KB

MD5
b770768a5061aa2678301d012db0da0b

SHA1
c9cefa9fd4e6233705c083faf6f09c2332f2e54f

SHA256
db47ecce8324f661ad5c38edc65c8611530d9beb2307e9fa6045fdb5b97e0ad5

SHA512
b060f9a48b4a8da13bbe4458e635d11cf8b8d42d96cd212c5b820107fbb02d7c6ac703d0fbb1036c5870e491ca046a11258c6a6fc9d62e8bdc969cc1c14dba76

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
94KB

MD5
497b77ea6ab754a243643ac857d330e6

SHA1
5e5cde4622b5851c3ef61cd2267e79025b1cf9b5

SHA256
266176214fc3c17d712ce153766ea57e5289db9d7cc21eab5bd414a5632fe3ff

SHA512
1e4d71bb9574d7577b05c5103e538fb2183506284bcc1e815131c6018c612979047232ea93ccc9e15c339e9bea679ca5b3872285e45f150b59d84396a8ac6f0d

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
94KB

MD5
ec428fba9c2a17db582ddbe117db1bb7

SHA1
2f7d7f0ab83b7c63584365f8c1465fef7d9c1b3a

SHA256
e57f69314cf792dcecc391172e76ab4d9510a71b856e17cbf5408f57a7a80b3b

SHA512
040380f2b951675c80627538388ed5d842acb77e3994680980dc09a7397fd6f7aa190f5e4c4ebeb62257c990599c7fb960cf65a232930db1be15f6c3a99c14c7

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
94KB

MD5
4705132adff0b6b1d8ce844de70bacce

SHA1
1f8defd6ede30629db1b51f5058608144fb8e4fd

SHA256
8f99f5c6664592c2f58402fb66c5da4a6148d1bee6c5cea7cdccc85fce9006fc

SHA512
99383000f82e57917c0ea3ceeeb83eb0572852a50a3603199d24734fa1dfc74083755fe6ba8e75883a920cddc1e3cb937fb2020f780968ceaf3e075c5713a301

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
94KB

MD5
8f663e23dd06c5e5dbd48467aae32f15

SHA1
45b5d34c9fcdd1d9017d8b2ef99079b253d7afb6

SHA256
62cffd9f4f30821ede71ee8b5abdc14acd551136d096624de025f95d6eea0f3f

SHA512
46db09ea9407f74edbef36417128ac40cc6ea89be2132a291327fff833409ae2946ff76fab907e4044fbd916db5d47f43bed591964b3c295a7483f33274c0464

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
94KB

MD5
a7148909ee5dd290d39c29fadb241d5f

SHA1
b92b1dbef81114f2500779761ed25722005ededf

SHA256
65093502f0427f0feeebda07faeead9d97edaf937599d3d3896df32b2dc41098

SHA512
3729aa5fe6872f9f03a19762410db2f42f68073007ab308b1a1f9c39a123f8a50bbf0ad33c405c72186d01b5f6dab89f8d7d95d1ca61163b164baaae7f588d81

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
94KB

MD5
3139ec846f2acdea8ed644a9f3a8a9b5

SHA1
442823598d3c0843dc6caa3d573b7f832ae51fe0

SHA256
2583fed455fe0b33c2b395fc29f99820e9255366c941cb8b0e55f69855ce2934

SHA512
74283941e020645893ddc6af00fa0faa4f8b2e2eb33d8f3dbab9cf898f13a41b364e3fb879f0632409917b4ba21f3aab51d64cd0be0eb8ac5988dab50d48c26b

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
94KB

MD5
08edfa5d9c966967e4e8acdf1cc0df5f

SHA1
0b1d9a71a2e69decf9ec9f14e7105e4411905cac

SHA256
bdc6a741be06336d33401c12afce048968c23b0ce70e2ea761e63aa0b018ff5e

SHA512
cd1ec2959c953f62da51f1b16de581b71f992c5f02224bf62256d7f38ceae28ddb74dd951cf5f6c1d891cf89d645293256bb6e2f1751b6e2200f087bc5367bb1

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
94KB

MD5
5a1fad2ecaf0ebfc75bb5121ad9ea385

SHA1
b9f40a0fd3a7f7b70724ef2cc4a140d12f3e6557

SHA256
ef9959a351993e5e1edff927d233c0e9e8b27295eaeb9ce327b55f20c688f8a1

SHA512
f3a34e7b3b51e55ec85d9e5e489ed7029fd9624e1ce2a6ba72e551945e6c2697c3764519f968f56448ef2cf35e49d79a3fd0206ecec073c657c81ec1abed07ff

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
94KB

MD5
3a1f02854452fe1fa73368c2850f6215

SHA1
7b36129eb4f989ab93d0d9ca40219efd8582eb6d

SHA256
05ce9dab715c59f1ded121360b5e471a1682e4df9287b696a8f7798be6bafc17

SHA512
26845ac461037d543ff3c7c478128b5959f534a0e0c9108436d18c1ed76c446e341dd5fc614d445f26917cb28b01649f658965f5b061a8ddb68ba70f904e82f4

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
94KB

MD5
d1179332d82b85d77603df825f192095

SHA1
6ad9804a63bb01298ce7c65514c2854a4400c41d

SHA256
b5c02e3f15e2a3ff580509c9c483b75cbf4a4c99e41ccc4fdac5314fcf904b73

SHA512
02027ec163eb081fec1b6ab658f0fa3dff92a12651efbef50518f908b9f123edf4a5ec1d90ef4310e710cc15fea07fc3942531a586139928eff9a5071731b3a4

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
94KB

MD5
d2a4a4f3b190e8c4e35ff6b39ffe921c

SHA1
562558bde99e01bc61220b938b44dab7f235bc4e

SHA256
8396d52ec735c37248d1dfbeb07b8ae7c89552e7f68f473b57c4e75b5ec31184

SHA512
e895889c6c0d92554db0fcfaab56bf2e126459dd269d9b76ed9931d5040ec4a608c7a225e55b5a915e2f99c394b6c80823e318aa3e4a214c64411fe2855892fd

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
94KB

MD5
4707afc7528b01a1056db34a02333ffd

SHA1
8a5f4e163e711265dbd8f053789f8f4de3afca1f

SHA256
061d1391266468afbb98c7d9562581863dd19d554a7b14a680f9a5e8382faba3

SHA512
dd27ae28c40078a31e3869a61939f7436dd7cda9acf85a77121ec54f089f508694b6cde937baa7c750f45e11b3ce73f0a8126ffa02df7fd21240518da77cdc3e

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
94KB

MD5
9c6ebf3acbc601c343528cf6732aa4b5

SHA1
bd1270ac77389bfcbe55aa65ca866373e5edb1ee

SHA256
a9d181b5e93af90d9f11597e59b6ade342ebdca014065db8e07602cfc140081b

SHA512
6d154a3a6d24aeb7a5ed781b21bb47262bdb708dfa4e63e0ce3c2ad24a69406e8207eb84e4904a9710b89eb2141cdd907517db2c9c70533cc626be95b718f442

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
94KB

MD5
ffa3d4778bd89919758512759fedc571

SHA1
095d7829203f762bb90cde8204f695aefac9c0a7

SHA256
f20c4e28aea83361461e007825fe6376f21837a9a00c50aee6db9ba9971dca7e

SHA512
73e69fed73eebc4b8f289599bd6c338f59b825425ce1e9d681b2b864e1c62a70241aac592650b9a7082701be182571ed4d90fda0413c3a5448c1d0d6a25cc644

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
94KB

MD5
603a859d5d8f340fe3198d881fb9c7b8

SHA1
0080930840bd13b8d810bdc1849efd01ec9c6006

SHA256
a8de2cc4a2d4a2bf9a856a4083e57894ab463c4f32ffd973098d861ec7fde388

SHA512
4b6297957afbeb3aea11ee1005534aee4a9e50a011b3a4abebeccc42406fe8e84f2af35aec74cf93b9ed37d1df8fb44933caefeeefb2d9e4d84b03b50d488dd8

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
94KB

MD5
2607e29747979134c0fed1ab2bf9caac

SHA1
c041090e9e27d9aae04ea8148b360cd8a35f2c3b

SHA256
449735ff5ee67e51c0cdb09002cf5574d05514fa1cd70da8a40e851aacb92ef1

SHA512
873713ba8a8d4d6056ea90e2733e52c3c0296cb8b532f396f2ec9a2221171d7992643290d29da75bc352ad9d30a1441af7fb9f4d34b8fd2f89dc2ddffde7bbcb

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
94KB

MD5
f0aec61f6a0330a677e837f2a901c109

SHA1
faa9f3a746ee213eadffdb700c1b66f6c8c5d541

SHA256
5b6e9597bc87ca9d8a2fb1c80d61bbcce6bbd61ea1d32352e371929eaf31e9ea

SHA512
3b15f698c68b713cbb22ce49a5451d44d5a3154bd150a3071dbe8ef2b5ba9c7ef7bd0a96bf1b18eea3332b82098f4b7115f3625a49eff5711bd9949bd55a7b3b

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
94KB

MD5
1c19a9b4eb8b8583f306c167a1d9afac

SHA1
ab3773f3eebb6d2702fefa532cb92d52a0c1b62c

SHA256
379839e2d8832bbab856eece6db169403c3f19b96eb887a2ec168935776b1ab1

SHA512
8518f438d5dda2665e3c026c658b18ab0a442baa5a647cfd036e8eaa46e86038f3f3bd68aec022ecf56d21fea1e4a0cb9c351fe4a72a8bb3589dc8569bebcb74

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
94KB

MD5
98424a9960738ae0c2d8c9461f1f5da8

SHA1
94fc955f5f30fb9bd443a0fc2800bd2f72b00c93

SHA256
4d382ee4ea8dab92a685d25ab7f902535cbbdedce41446f727b6dd8524040163

SHA512
ab421136ecfd0b8749f8bd737601327d7a4e0bd6937e334331f9c48faa23655731e1a5bc22b61a65b6142168cd9af635572bcfcc0be9ad8d747093811b52b508

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
94KB

MD5
b2a594f2b33e621d802dee4929766a1b

SHA1
eb0ce71db59fc037b7f528d6f4996e0fc8fc973d

SHA256
ac929ff37af3bb2dabacad834cd54bd6a9eb41aab92d2ad37647e6f6bf73378b

SHA512
99b74a615d5b11434418e5e466b38fe7579a4c62ca662779645806f2dff42da09d90fa3fead8ae772a428daaef14ac577a09a8ac5da050e9fb279c9b0d993e62

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
94KB

MD5
1c14aafb6ea51402d62f3b0b3acacf9d

SHA1
d313089f4894d26f33327f46c09a9234377de965

SHA256
fdc9c372b3dd75554965f5c8d0b7c1cb669e8bd8fca58cbe892e58eff83ca02b

SHA512
d445b424e25a50e131869a968c7b7932f00345b60a51f9cc09bc445783b2e9db8e178ec24951f083a4a47533bf11297d70cba5ef234b2b9889d5deaa10ab7075

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
94KB

MD5
3317382e8e1512349e5c308ed3aa330d

SHA1
d245b976fbaf76cbcec4d576eeb64e7ba5c98c5c

SHA256
d30006896024fcd9c4daab356c1f1568d5f02f34f91802a8faf7ccf1e63dbb77

SHA512
12f95d2177af3dd4afc185daa4befebc0c557114d0ebd5bab9e50ef110c9ea7037e56a5ac8ea31ce1fdf1bd2290aa2f55a44313081309fb02a6e1566b933e088

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
94KB

MD5
a0244388f478c3b2ff08113840023cb7

SHA1
705fdb7dfcdaf8031bb4d7f0c6e9cda0980304ec

SHA256
0032040451c27f7321c45a328312fe1d608573e894d6021941e88300c328b5a1

SHA512
8f9004c20d11151c8e2059404a383b06e64ba0f5d7792143e0a9ef77ef1a3e642e47dbc92af8d0f2bef4d5d736b57c0f1ee024d96978ebfb661a7975f01037ec

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
94KB

MD5
33406ece256c0ae3bb74b7eb51aae9ff

SHA1
6efa384fc5f9bf92f35b7abc88cc70df7e7f4163

SHA256
7592288a7c79c62cb057dab80cc34b89b8b0cb1637c2573f7f5778a362354a53

SHA512
5067eedb1b24cc4d81f6d3acc21981299b7c9119c45d98612224a61542406a42e72361ba1b071bf752a2074f2e9e58a2a07b2ae28752adda668d1385cb9efc67

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
94KB

MD5
ccd4ff8138f69c0d4e11df1d6ed9112e

SHA1
f5763d089df0199b40c70e9f1c63851fa91aa0aa

SHA256
d714c73bee4ea909b16846502aa161202418572b033d98b7e80f1a0f833e229a

SHA512
ff34cecf759534bf0dac5ff6fe245108b91dfbd2c7ff9af236ecaa947adcaee67ccb07b461cf6491cfa518bd966aa743a8f718518a7093ab5c99edac56ed97e5

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
94KB

MD5
1df5ca3d2de4b8b8012f3b6d21759181

SHA1
7bda4d8a4de1ddcaa6eaee3d8a9016c95b00c24c

SHA256
e58cd4f52f94dcad6c5227e633dad7c92c8d13ad8ba64c8ba230ac4cee844951

SHA512
91452bb042c5e4310c2e1e6869207f0ac3cc5fb8b563ae1e55970e946274fc88b74e62b90a7e83e03fa79b1e28abcc0bb8c85fbbc0b114335a9feb3dbe893d5f

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
94KB

MD5
3c14ce3e3ca83e651eb312e7e63080ce

SHA1
abbcd0efcc2d08fe6283b5104114426c4397c3f9

SHA256
274ce7466c3a430914598f57d8ce4206432e287d1f216acb7b99969deec29a3d

SHA512
6a08714ccf1d56a47f64accff1d0aacb4321e038ea9908a27740f662fcb51d8b3293483acd711303b6da12991c7aa90e9a42b717f0bc9522fe71ab275605b583

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
94KB

MD5
6cbd0f6aafa718921e7e861f35073533

SHA1
1272e922bf38e7197db3776429b105201c5b61e0

SHA256
5df4714f43cc9248fe13015ee0885c8fde45bf78390723a7cbac7d7848751d7a

SHA512
86dc21dfbbc881e1d5813af9010206ce7554df7703f2adfdb098768c54de5fa4647c546b460051aa47532e4faa7d3f57f17190d3908b91b5b54e3ec39263efc5

Download Submit
memory/8-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/832-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1012-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1168-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1196-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1716-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1772-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2232-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2928-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3116-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3220-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3288-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3356-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3572-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3752-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3796-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3824-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3828-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3836-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3912-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3916-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3968-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4164-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4172-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4228-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4228-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4496-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4576-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4580-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4684-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4748-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4804-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5084-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads