berbew | 8ad11d5c096bcf2b4a69e5b7456325ad4322edc0d7790baa1f9f85a7f1f475ba

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ad11d5c096bcf2b4a69e5b7456325ad4322edc0d7790baa1f9f85a7f1f475baN.exe
Size

192KB
MD5

d4661b4d8a416b0eb19a39528e386640
SHA1

837cacefe5a89a74262bb104d2ac2a1e0925acf9
SHA256

8ad11d5c096bcf2b4a69e5b7456325ad4322edc0d7790baa1f9f85a7f1f475ba
SHA512

bc6b0ea5e7f585e9b0134e1fc29e57c4606132bec40632e76991e16daeb44d2e9bdb8fa9e8b9a35cde6372f4fa0c4a25120954e3a6bb16be69a42d8b8ac05584
SSDEEP

3072:qzwDxmQ4gS9fzHMByR/8bjYKahlmpC7W/QRoOKoMZ4xng3FQo7fnEBctcp/+wreQ:qzwDkQ4bzHbR/QJaLcCy4RotbZ4xng3e

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffkjlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcmom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hijooifk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmnpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbdgfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmabdibj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcicmqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkjlp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcimkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Helfik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2532	Ekhjmiad.exe
1516	Edpnfo32.exe
4212	Fllpbldb.exe
3468	Ffddka32.exe
4828	Fkalchij.exe
4648	Ffgqqaip.exe
3668	Fkciihgg.exe
2268	Fdlnbm32.exe
4824	Fcmnpe32.exe
2148	Ffkjlp32.exe
4896	Fhjfhl32.exe
4076	Gcojed32.exe
628	Gdqgmmjb.exe
1520	Glhonj32.exe
3528	Gbdgfa32.exe
1752	Gmjlcj32.exe
3632	Gbgdlq32.exe
4976	Ghaliknf.exe
3724	Gcfqfc32.exe
2044	Gmoeoidl.exe
2920	Gcimkc32.exe
4284	Hmabdibj.exe
4988	Helfik32.exe
5096	Hcmgfbhd.exe
3736	Hijooifk.exe
5008	Hfnphn32.exe
4852	Hofdacke.exe
5020	Hecmijim.exe
4832	Hfcicmqp.exe
4768	Immapg32.exe
4576	Ibjjhn32.exe
4404	Ikbnacmd.exe
3692	Iejcji32.exe
2952	Ildkgc32.exe
3284	Iemppiab.exe
2420	Ifllil32.exe
2616	Imfdff32.exe
3104	Ibcmom32.exe
2324	Jmhale32.exe
1396	Jbeidl32.exe
4996	Jmknaell.exe
1804	Jfcbjk32.exe
2224	Jfeopj32.exe
3056	Jidklf32.exe
1400	Jlbgha32.exe
4928	Jeklag32.exe
4104	Jifhaenk.exe
1264	Kemhff32.exe
4920	Kdnidn32.exe
4844	Kbceejpf.exe
4240	Kebbafoj.exe
5100	Kmkfhc32.exe
1456	Kibgmdcn.exe
1820	Lbjlfi32.exe
4872	Ldjhpl32.exe
5000	Lekehdgp.exe
2116	Lpqiemge.exe
4640	Lfkaag32.exe
4908	Lmdina32.exe
4540	Ldoaklml.exe
4656	Lepncd32.exe
4420	Lmgfda32.exe
2536	Lgokmgjm.exe
236	Lmiciaaj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hijooifk.exe	Hcmgfbhd.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ckhindhb.dll	Fcmnpe32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Gdqgmmjb.exe	Gcojed32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Imhkcaln.dll	Hmabdibj.exe
File created	C:\Windows\SysWOW64\Iejcji32.exe	Ikbnacmd.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Eeanii32.dll	Jmhale32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cibifp32.dll	Hecmijim.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ipeomnnj.dll	Fkciihgg.exe
File opened for modification	C:\Windows\SysWOW64\Hofdacke.exe	Hfnphn32.exe
File created	C:\Windows\SysWOW64\Nabqkgan.dll	Ifllil32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Heomgj32.dll	Fllpbldb.exe
File opened for modification	C:\Windows\SysWOW64\Jifhaenk.exe	Jeklag32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Gbdgfa32.exe	Glhonj32.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jidklf32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Kebbafoj.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Gdqgmmjb.exe	Gcojed32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Hecmijim.exe	Hofdacke.exe
File created	C:\Windows\SysWOW64\Bncfnnbj.dll	Ildkgc32.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Fiknll32.dll	Edpnfo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6268	932	WerFault.exe	251

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffgqqaip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijooifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iejcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhjfhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbgdlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edpnfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbdgfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hecmijim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjjhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdlnbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkciihgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmabdibj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcojed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hofdacke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkalchij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glhonj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imfdff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghaliknf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeklag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmjlcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdfonda.dll"	Gcimkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgdbi32.dll"	Glhonj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hecmijim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibjjhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apignbdf.dll"	Ffkjlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Helfik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjigbdo.dll"	Hofdacke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciglpe32.dll"	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keblci32.dll"	Immapg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqgbjkm.dll"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2532	2040	8ad11d5c096bcf2b4a69e5b7456325ad4322edc0d7790baa1f9f85a7f1f475baN.exe	85
PID 2040 wrote to memory of 2532	2040	8ad11d5c096bcf2b4a69e5b7456325ad4322edc0d7790baa1f9f85a7f1f475baN.exe	85
PID 2040 wrote to memory of 2532	2040	8ad11d5c096bcf2b4a69e5b7456325ad4322edc0d7790baa1f9f85a7f1f475baN.exe	85
PID 2532 wrote to memory of 1516	2532	Ekhjmiad.exe	86
PID 2532 wrote to memory of 1516	2532	Ekhjmiad.exe	86
PID 2532 wrote to memory of 1516	2532	Ekhjmiad.exe	86
PID 1516 wrote to memory of 4212	1516	Edpnfo32.exe	87
PID 1516 wrote to memory of 4212	1516	Edpnfo32.exe	87
PID 1516 wrote to memory of 4212	1516	Edpnfo32.exe	87
PID 4212 wrote to memory of 3468	4212	Fllpbldb.exe	88
PID 4212 wrote to memory of 3468	4212	Fllpbldb.exe	88
PID 4212 wrote to memory of 3468	4212	Fllpbldb.exe	88
PID 3468 wrote to memory of 4828	3468	Ffddka32.exe	89
PID 3468 wrote to memory of 4828	3468	Ffddka32.exe	89
PID 3468 wrote to memory of 4828	3468	Ffddka32.exe	89
PID 4828 wrote to memory of 4648	4828	Fkalchij.exe	90
PID 4828 wrote to memory of 4648	4828	Fkalchij.exe	90
PID 4828 wrote to memory of 4648	4828	Fkalchij.exe	90
PID 4648 wrote to memory of 3668	4648	Ffgqqaip.exe	91
PID 4648 wrote to memory of 3668	4648	Ffgqqaip.exe	91
PID 4648 wrote to memory of 3668	4648	Ffgqqaip.exe	91
PID 3668 wrote to memory of 2268	3668	Fkciihgg.exe	92
PID 3668 wrote to memory of 2268	3668	Fkciihgg.exe	92
PID 3668 wrote to memory of 2268	3668	Fkciihgg.exe	92
PID 2268 wrote to memory of 4824	2268	Fdlnbm32.exe	93
PID 2268 wrote to memory of 4824	2268	Fdlnbm32.exe	93
PID 2268 wrote to memory of 4824	2268	Fdlnbm32.exe	93
PID 4824 wrote to memory of 2148	4824	Fcmnpe32.exe	94
PID 4824 wrote to memory of 2148	4824	Fcmnpe32.exe	94
PID 4824 wrote to memory of 2148	4824	Fcmnpe32.exe	94
PID 2148 wrote to memory of 4896	2148	Ffkjlp32.exe	95
PID 2148 wrote to memory of 4896	2148	Ffkjlp32.exe	95
PID 2148 wrote to memory of 4896	2148	Ffkjlp32.exe	95
PID 4896 wrote to memory of 4076	4896	Fhjfhl32.exe	96
PID 4896 wrote to memory of 4076	4896	Fhjfhl32.exe	96
PID 4896 wrote to memory of 4076	4896	Fhjfhl32.exe	96
PID 4076 wrote to memory of 628	4076	Gcojed32.exe	97
PID 4076 wrote to memory of 628	4076	Gcojed32.exe	97
PID 4076 wrote to memory of 628	4076	Gcojed32.exe	97
PID 628 wrote to memory of 1520	628	Gdqgmmjb.exe	98
PID 628 wrote to memory of 1520	628	Gdqgmmjb.exe	98
PID 628 wrote to memory of 1520	628	Gdqgmmjb.exe	98
PID 1520 wrote to memory of 3528	1520	Glhonj32.exe	99
PID 1520 wrote to memory of 3528	1520	Glhonj32.exe	99
PID 1520 wrote to memory of 3528	1520	Glhonj32.exe	99
PID 3528 wrote to memory of 1752	3528	Gbdgfa32.exe	100
PID 3528 wrote to memory of 1752	3528	Gbdgfa32.exe	100
PID 3528 wrote to memory of 1752	3528	Gbdgfa32.exe	100
PID 1752 wrote to memory of 3632	1752	Gmjlcj32.exe	101
PID 1752 wrote to memory of 3632	1752	Gmjlcj32.exe	101
PID 1752 wrote to memory of 3632	1752	Gmjlcj32.exe	101
PID 3632 wrote to memory of 4976	3632	Gbgdlq32.exe	102
PID 3632 wrote to memory of 4976	3632	Gbgdlq32.exe	102
PID 3632 wrote to memory of 4976	3632	Gbgdlq32.exe	102
PID 4976 wrote to memory of 3724	4976	Ghaliknf.exe	103
PID 4976 wrote to memory of 3724	4976	Ghaliknf.exe	103
PID 4976 wrote to memory of 3724	4976	Ghaliknf.exe	103
PID 3724 wrote to memory of 2044	3724	Gcfqfc32.exe	104
PID 3724 wrote to memory of 2044	3724	Gcfqfc32.exe	104
PID 3724 wrote to memory of 2044	3724	Gcfqfc32.exe	104
PID 2044 wrote to memory of 2920	2044	Gmoeoidl.exe	105
PID 2044 wrote to memory of 2920	2044	Gmoeoidl.exe	105
PID 2044 wrote to memory of 2920	2044	Gmoeoidl.exe	105
PID 2920 wrote to memory of 4284	2920	Gcimkc32.exe	106

C:\Users\Admin\AppData\Local\Temp\8ad11d5c096bcf2b4a69e5b7456325ad4322edc0d7790baa1f9f85a7f1f475baN.exe
"C:\Users\Admin\AppData\Local\Temp\8ad11d5c096bcf2b4a69e5b7456325ad4322edc0d7790baa1f9f85a7f1f475baN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\Ekhjmiad.exe
  C:\Windows\system32\Ekhjmiad.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\Edpnfo32.exe
    C:\Windows\system32\Edpnfo32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\Fllpbldb.exe
      C:\Windows\system32\Fllpbldb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        42⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        43⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        50⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        52⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:236
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        66⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        67⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        69⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        71⤵
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        72⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        76⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        77⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        81⤵
        
        PID:460
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3932
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        87⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        89⤵
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        91⤵
        
        PID:560
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        92⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1608
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        94⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        95⤵
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        97⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        105⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        107⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        116⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        122⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        123⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        128⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        129⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        131⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        133⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        134⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        136⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        142⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        147⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        152⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        156⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        158⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        160⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        162⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        166⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 420
        169⤵
        Program crash
        
        PID:6268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 932 -ip 932
1⤵
PID:6200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
192KB

MD5
9acd4878ce4fc4960c9dd6c995ae987c

SHA1
6c000143478582cacd564aa6bbadb1323975ec72

SHA256
0776fb266b31ea4f60b70dcfb9ea092f84b434b71327d39d770f5720eb8c8b5a

SHA512
1d9408d9e53ad1a3b530cbf54c559fb40929bd969fd8756f0ef39333cfea69d7104d7319890d26d83392580b15eed9df7791a8ad1b82cb288ca35e22a2213048

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
192KB

MD5
de9c3fe8db9f7588e1577e1b0e4f0808

SHA1
618f8c7ff9ecafb511b9dabdbad1a7c5e508dafe

SHA256
1e063c29e3e4cd6866a42ea3f350377882c70e16f15b3c0d4fb20469d1f88bef

SHA512
00744c92045794a16975df524528c7ede09b38f7501e5a9eec4b7ca02f7551c7dbfe6a27912fe1bb299f458206b9821b0cd95cb77b6c93c82956a4deba89e121

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
192KB

MD5
d6605138859501d55ec1c80f8fe0cf9c

SHA1
ab12867236545ea5d99f91af1d6a388fc71f0330

SHA256
fbdc59e9e6d9de00bba7dcb939b125d1b09a840204d303533d2182c428460445

SHA512
ae264ae65e9be205b9f3e150ba72904eec2d388897a2ca12c3a757b517ccce79bf99fea539dbeca1861d66ab541172ab5422230f346005e7beb4a737aec7015b

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
192KB

MD5
57578b01a0f81aed2a73bb3fad0f6ff6

SHA1
93cc8e4236573474d949aa0b3a6f3c1f0c46c23e

SHA256
c7c8cd4a1925ac5501552665fffc895057a20cc7df7eef19d2754bb917345e86

SHA512
329799f505ba48a2eb86112d88cc3f3370b03ab332868e1b8e689bff1e8e793c76d68b7676e2ff3a098908f202feea74110fbc9fe5d286b50f9427f696775334

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
192KB

MD5
f117b9ec9dc65d8536cb71fddc42c353

SHA1
4a9a730594c57eee801a99ebf5d9bcb10d040e32

SHA256
099500817d81efc207edecc131fd1733e480e4807098a828cee6ef9775ef0ef7

SHA512
3c5d6ef981f45840f99c9288cccc67361f2da5d72938417ac25a43d7074311fdfe7521af415f55d7236886ff6129ea44e67583c8163e8a08b51b04538d31a99d

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
192KB

MD5
c3cfa62ca6e2fd6ebf3b76b331ef7afd

SHA1
95ef6a08c558c6ee3ee55f2a4170bcce96586d3e

SHA256
ff2167bf821d82d4ba1a13aca027e3016cd1d5fe0c750cdea9f6242e1687a693

SHA512
c68d19dbab3e3cabd35ff4945f83782e8e90f3680376c4fab3df94ee60c2c8bff6de91ebbf4cd2d5a28a3c02c8e7623efe0ccdf396d440fa60e715c5727ccfec

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
192KB

MD5
66b9782f82fe3ab2ba6c480c7cf7cb1e

SHA1
c9617b28fc169a5b507ed05fa423c26086cbd282

SHA256
7730be8ba2dbf7693885384584894b8afa755aba97b36d5d3a54ee06e0f5a051

SHA512
91c9aa9b5402ac1c4013316740f583ad5fa20822bd3e186098b27ada3be4c9b26917c773f4c5b731e0e1b69f1c91d666854bfe85fcfa4c7890c7687b78dcf5e1

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
192KB

MD5
369256013668c6d0e23597893c1a4f11

SHA1
39e8cf367cb0ecfdcec94eae00596609cb8feb61

SHA256
7546c2b57ca5710cf248daf3df7b70b5d788a642e6b85dd50beaa586eed38105

SHA512
34b4be7c68c73bd8e61221e20d07867e64b17f3a19cf53229c2da472da5ba820cda762a9f5153cdc0be81e7d7180a3674a5e0093e6be7cfa6ebca85522ba5693

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
586747a5518dbc8b552bcd885a0ac5bd

SHA1
56b4697f1110ebb787c8a5bc228eb87dbb3289ad

SHA256
8d45ac6582fd932a5956952a694839b17b6bbc97a44f67817927f4fdc42f1200

SHA512
bbc5eb323f281bca39e715998313d6d52a395e567dd02f45aca64c3aa588197a3a0a14c5a678597a12eedf204cce89ae0d6fbf28f5bf4a289e52a167f4cd01ae

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
192KB

MD5
8165a76ea4f074b8c41ee1f5905399de

SHA1
51cb4eab034d2f2400052bb3b8963d9d41d9a3ea

SHA256
cdcad622227b4db9e09b01950d0d2c69b2de1198e88979e3cf473e983fbe2d2f

SHA512
37fbe9c407083010a24d54c47d8e5dbef2b10121a1f399343dc6f2ceae17e8ddf273f0cebb1aa09961ed5df7ebc6614d4b6e1779d0ea291528ca8e6fffc5d334

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
192KB

MD5
288397c8ecc40a7dcab80947fdd67ed9

SHA1
deb4442ca0de8ccbf11eecd5e62b0b8d9d1442c4

SHA256
91260b7f7fc3f6157ee7c000cc7c863d489d417179af615f8d65cf10541595a3

SHA512
04666d7a8ca1e77a2b77ab9371067f8f85fdc6107c1d28951d1cae18bdbb0a8c813e7331285eb0aa99808e311963520c52749eb064b3df46376f7bb3e573ee59

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
192KB

MD5
7baf14742e43367293de9dd3fa9b2cf6

SHA1
62cf7142f0eb6232a8334a5a981209b2b6878147

SHA256
5874698afd9ca41f7231889ad151681e334aaf9ba55a1814b7623e6eaa174ad8

SHA512
25e83b20cf6230e58a654e882cd31fe0dd880569b4d6a0abba387d1665540259bae7ee5cdbd2e3aa893b742557d5fd0ec8df7afd2a82e7e2cab09561f945560c

Download Submit
C:\Windows\SysWOW64\Edpnfo32.exe

Filesize
192KB

MD5
741f75a9f1f4d263a3132081bcc19b0c

SHA1
3654580d50a2b29c91736457a82d2e49538b0355

SHA256
289c37a3b3cf22efdd362aeab793d4aad63471be5a82b1bd94457589a624d874

SHA512
800f14aca33f2f0feb82249567b767caea33ea897a125557683fb7b5f140a78f94bad54c00e1edf9df32d8219675dfeeb2c391b8e75a6b6e82e5bbc04a426cd5

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
192KB

MD5
949086c10614b827dbf4bf80c4c30ab1

SHA1
574f6656a6849c7725152e17cab4d2aea98dabfe

SHA256
0efb7d94ae92cdafa057d2d1e42efce6cd9d905b5bba79e70d79979d85e96da3

SHA512
604c32a6e264485c10aa6255a284f7b4840a3ea08cd2b0b0045fc54ac966a60d6463219f2af893ad5604d02f909df572dd7c6b71acbd803782710971e91eac50

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
192KB

MD5
eaa73e83692d6273fd38c415b40f0de5

SHA1
74ee68f151a282d105219c8c7fa561f5cb0373d6

SHA256
2bef1519c17334dbd3f31c44752c64bb66b13554dc9687f3febe5aded67d5e82

SHA512
129cae76b5cf66ded6085216da21da395cb392efe5dae0c6960e7c5ef3104d648023b925ac45961dde6086c491af9f8dcc09b0333dc2d61ac4403b3839d59d3b

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
192KB

MD5
8537a0452854b5d68ff1851a07d2557a

SHA1
1ac17f07926c13c055941f48a67d06016a71ffdf

SHA256
5a41d93a9a49f6b9d4630c004ba25d97163f804427d9d92b91ab5a462e8d5f0f

SHA512
da9353b79dac60ae22a765af12493d64d06c9a1866b16568a5c9f8c9f629a13b78ac48d09ade97ac39892933fa9ddb7b75cc4986cc6bee1e5cb7929bbded6d22

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
192KB

MD5
cfd563ce04e663762aa02642397cd254

SHA1
1d17ea95b430f3b3c5870a679d79f5b93a442b8e

SHA256
2ec81e78f504281d67f821f9d4187b2eefa99d55b053f6dfb89ed5a47aad3c3a

SHA512
6f95d0441f3e56cf8c7a5feea45a91ff09b76f0d4911de41657b13ab23ad1551689e147d82ab76041b55acecf322acd77697e8183e22a675ae8055e67daf5c2b

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
192KB

MD5
0397a2612ce38c555e28599ec003494c

SHA1
f0c2b28c357874c7a1e51e888bf57f0f763d5e65

SHA256
e9dd197f420bf708c55106cc522acd0b40767e6082b6d40c35c2d5d4fbacdc4d

SHA512
65725f06574ba4365e9567cc9206edad605feaa028c2f08758ab0d13e30d7ffbb076f724c056a4940b6855d09087d8ee66a757719ac8808a4712d89ebfded6b7

Download Submit
C:\Windows\SysWOW64\Ffkjlp32.exe

Filesize
192KB

MD5
a7f75b53b0d314ac2ebf4c90c12314c7

SHA1
93f8bf567a3465371af3470bb62c06f17b51f424

SHA256
3766aa17b3b7948884d69ef1154f877345702458002c2b75d369f46b898b7c30

SHA512
1791078059522ad1c3a74f1db5f029d35084a876f80a10a0298734f34752ead9b94bafa025a84cce2e255b20ca6e4fabae6d6b12017cd479a47f5e6b192f991c

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
192KB

MD5
f19e3285d02264f812637096501a4504

SHA1
c8a655e5f864c3c2ff33229addbb161a60f3ef24

SHA256
784e6b45a70aebcb46afa7d266d0a0bc6a6f633eeef10a5c1e2703473fea0212

SHA512
901135eb6982e852b85a5c1be04092409effff3a759a1c616632a32ead51561657dd654c3895bcec95e072c9365b9025c827e9170d3422ee199fab4a0f5b565c

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
192KB

MD5
acd198b597fb7561745e87043aa4ec21

SHA1
d91b22dad1fdafe9d318dc54dfe9bf22412705e5

SHA256
8443c640d0f9b16f20c9657d37bb9b7aa1345eeadafd5f915137ed0e23c7cfd5

SHA512
dc97401cce88ec9539bc3e631e42bf5ab6c970a8cbc3ab6f2e028867d2974e1567f513b0c02863c5a1ee06aa4f9dfc67f619ef6b5152e76bc59f4d69cee8e937

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
192KB

MD5
c5bb0695de4a262fc02b7e9a914acedd

SHA1
f5a937d30d136d831b801cedc51fc8c13d77f7b0

SHA256
d6312a1bcdf66982a70bf6988f934a0e333e29a9d4d629e7934dc8dd7460d874

SHA512
1fb19f2e1541cadb5b0758a75ecf29db69c11e6cb0283ab9b304434b4e5ee551cc47625ac92a3badf33f22cda7d5560f603b4f4e4fdef81eee13039ff91b2747

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
192KB

MD5
d647965aec15396a6ef3c2e6a0342638

SHA1
a418c3e8a9aa70a22444897e276724a28a80a264

SHA256
8645c7acf220677a0c11c7b77ddcd7d248b003d85a391d054f18bef3c1b94dbe

SHA512
c32da4019585d3648257ce1834f5ecef9a604fef6882d74418e116f65ef0a1afd29ff95b4f6c63fdf271c7d1aea4ca4f1a70041d8767c99c551ac97515fc3e7d

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
192KB

MD5
195806f4ef707e0f5ba2ca6f7af1068a

SHA1
e3a417f2ffb86e3f997a049286167bbd26adcd17

SHA256
ee026d3fc1d2f0d83b8a9cff202c680e4e821f2272b4f1c7de43c9331c6d67c0

SHA512
8cbaa99cc6764ea7a5ec37a6744e186c4247b7aa7bc002fdd0793a2b0d3bb9cc00101eac3cae1c0fa6334dfc8a9da848078b18552fe3816c04fe1cc579b317b9

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
192KB

MD5
e0dbefe5abf149a5e8c32a79dea5c4a4

SHA1
5ad528cfa877d5ec650a29c5ce94c14a41a74dc9

SHA256
2b330ddddd63ce61424f47edeeeb64adc697db52610a642bdefe7d2f37f833fb

SHA512
3277dc972bdc5a00f948d779a718793cb611913b350dd149c7ad10ae7d33e74953785523dfd3a294d0ee16dc0fa37571cb2f9b8a9e248d7bdf1f8733899e4448

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
192KB

MD5
0b617ebc16c9a780453f76c0b629ac7d

SHA1
03dbab694f7e9b91c025b24af4a842487aa98123

SHA256
e839f312059b409bdfb2b32646e5f263b970666358807135b4790712024ade74

SHA512
446809fd65023aae470c46d29e95e386f660e6a4ad5bcedaf5b6881c1173096e2afda93a04faafe479a7ff9c7462aa1ba2b2791339c8d5f4c43c9fe49a00e100

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
192KB

MD5
63495a1858b60bf58b6d8ca5fd1a0f4b

SHA1
e6826e5716dbf08a01499dfc23dec8e36f12d97a

SHA256
a2097297e1ffa61efa5d30b5e7f1dae25550d6b8ab99648d3a0c240ab7df2438

SHA512
74676a6846b2dde78b583c358bf531ca35d80eb9b74213e439281bbb8450f232e2088625a8d60555eabb3359d450be297f750a0c5c33ba64ba067f0c630ecc45

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
192KB

MD5
f19715b1b16073187876271f82db28e4

SHA1
f66967dc54125233b979ed9c06559e6d273ae675

SHA256
ef64f6866e2555d288d0a2de53bab1335bad4d8925245193a1ddc78b25466f7a

SHA512
bed08be3a4ae2ae62569580897903ee02e592504ee1040af8506523d1edb3ec262bfd11a488afeba8042fde23230385567708d18e3a2fe9e98f40928fae4d23f

Download Submit
C:\Windows\SysWOW64\Gdqgmmjb.exe

Filesize
192KB

MD5
dd733de732a64140b107c203d9f3ae04

SHA1
593a0f6bb88836666e4aee9e3152207a677e26a5

SHA256
2d019e20a3e1308f730fd3a3ac112604f02272e957a5b793e0cd475229171665

SHA512
5b269977d212581750760716607aee73d1b714692a8f75248604dc8e77cb1156518a2936420706e5025e58034613cbd7184bf8a91bcbeb2b495b66fac9c3f51d

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
192KB

MD5
1553871b52e02e84307aabdc5fd8c22c

SHA1
cde29970dcb46a7a6fabd7b5b961af9bc137c951

SHA256
46e58b552a1c47cc21d37ae87ac03761a3c7a5f5fe2beb9988af760b09f5c58e

SHA512
1c9b1976d98cb3f3d16963e64033efa0750f4bb3b4316d79b90e3a66bf533bf6a6b02c9be3a49809bac4b9803684e41e93a792af7bfc37d5379b349d0df3b858

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
192KB

MD5
d7b55627bd2fb79d95484bbd18722c96

SHA1
c2d1862bdf6a94b3f8575bdb6f2bf3f94eb35c6e

SHA256
49b29d2536abf6edcf209c49f8e65abf5b64a9a8a56591e523a96cfd25ae7e10

SHA512
fdcad3096a19efa56c2b43ed9fe0adfdcd8b5bacee376e613105383282c0af36016648aaea1923bbbc698147f6ed2a8b232f33a2564ae7261a5b64037e70e7f2

Download Submit
C:\Windows\SysWOW64\Gmjlcj32.exe

Filesize
192KB

MD5
5da0c39e8100134260fb1bfece819cf6

SHA1
c0ec9b4a374f19812c5a079cf5153acbccb88f97

SHA256
282877b96615374bdec9bbf4de3fc2c2b9ed9a44ebc5dd5107ad7e3485b03858

SHA512
508e162e1b62a2d9d89a8d30306d09032319665883f21904124bdb3b3c9dea580327983698ca6282a273f4d62455ae5a5efc2428206b90cdc98de54f854e9c61

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
192KB

MD5
5827a085d3db27b69d652d8217344852

SHA1
61423df22bc69f510db3c17027944f39486670f3

SHA256
c6d85710cc7f5a1066aa50e23d76150ec3e1c7e606f0cec727bb17ebccd0f02f

SHA512
dcae0c642693f960428ffba623ff36c9d1e1fa8e48ba99f95c54a4c55126eb278065966390e9e8e5175c2d529a1eb58e1772afd32b865a6b0e65cf17ad11f65b

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
192KB

MD5
69c3b564d5f5f7885ef2e654f61485d0

SHA1
8852db0f05852e0fd702a12236d3930b2ab784ac

SHA256
91b207fe07117703d58bb3426d27c39a24cf01712cd23db61a7896be8d165f35

SHA512
eb3b0cb27f0b3ffde22de43e185ef6ed3209cbff1718127541b3777cbd0dd481e45aba15d113bf46710bde5e54e4698cdef46920cdee4e842a9f638c5bb24ae8

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
192KB

MD5
7ab05bd7befe05f33156868f54583005

SHA1
4195040fedbd64e625a29a89dd59c21c0827bc46

SHA256
2b71e64b16c291d0b9ec763aa6cfcb85c03522d5e05335acce5d1a56f9396161

SHA512
c9f39c7c4cba25d58b8ce554d7a1ac4aec93cbebc538b3be4d6b141043878255c204f790b1741fb2cfde56a3382abab217f6ef8499bf02d2463eb1e0d3e06796

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
192KB

MD5
74fc9724ebf4a36108111edeed203cde

SHA1
143cdac2f84f007d192e9cc41ad64ef4e03355fc

SHA256
537265ade95b64663bb1414190a330ba27cb29dfa617836d8f8537f2c463e62d

SHA512
c5a3a7486357d7699fde0e31dda0894815e50c27660a5ca1b5bc61fe26a820077f7a1a8ae2042c6cd7c0eed119a0f06fdc70dbe4bbe52dcad780235248ba7733

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
192KB

MD5
dd04dd9da200c4c9d18c12660848c744

SHA1
6af64c38371106e3412807f5b2135387378cd21f

SHA256
91b23a279e9c0e2c6d46984b59879b6d51cdde6f123e62b5d9c39fb6055e6553

SHA512
6c6035797e2849b287842504ce0e1a3623c51a9bdf6f880ebbcf65e873d9c5682c4b2579dff7fb6418c0e2d4987a46120e84d93948962580e39e70e1ebe369d4

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
192KB

MD5
67a2e1f8b977cc49a373e283e334fbd0

SHA1
422a072eee5a22374b5798c2531fce446452bd23

SHA256
dbe417bb851fb7605747503e3d6508f90797e745feb50b4cb0e362741f001ff4

SHA512
c988399a8e975d071007a1616eaa2e1f3afb3b30c67fb6efd5f6d61eebd49b70c641a6b36f0ae27a06b1ccacdef2860e1d083c90f82454e42bdef2fcd90028e6

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
192KB

MD5
b6f70db26c134dacbce73654b7235afd

SHA1
accdbd11f26531963ce5ea6abf5292ecbae6c3b6

SHA256
5ddc3b11c5eee597478f59bba4e03526d9384aee7af1066bb08409f8892c8eee

SHA512
b10671b3be282e77e6cc32997242bca1fed9c5ebbd57ba510f7cc07bda40fea4d46c09e5b2e94d8e9c8bd0a89289bf3e15398ecfc611815c16c11a4dca3595ba

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
192KB

MD5
fd14c8ec300eab0d550df085a4fe5e23

SHA1
3f8f3740ada43443ee53b166cc7b1fbefc52ffd9

SHA256
86b9183a1c8e30c27fae1e819c746d329c345e3c410cd4923559a1b7ee064298

SHA512
976e197b7c8edcdb006c2c60cce1ad829f7afe25f9e7183935a462026e943c0967731e27bd5cdfd2c7271a899cd281f491e24b13e73951744972462970da7afc

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
192KB

MD5
8d4d7ff3d306b20c10a578ce13a40b9c

SHA1
69b90c5f27fb65f9a850299395c59e528cac58b6

SHA256
552f2cbd05f9d3f02e6069c2b17f1e1ec2c75befca5bb85b1404aa1dbb1a1e7e

SHA512
3f4820e3b961f4aa65b0af06dabd198fa67f7e40c0dd516391cd0db41edb0ed25a5f3fac83a4b2e9747c4726c621ce102f8628683b5ffe3af00b6a576be8e61b

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
192KB

MD5
01a0f24aad0c3973ed3e26f0a3a1b75f

SHA1
052d925966c5334030bac183954ea78482198ea4

SHA256
694a1eda8b75c285d377822cc20efb37ed25a1de222d48a2cc8dc7e9f1006842

SHA512
0c129c812fe896acd104184a853b32eb5a70f1d89ef8bab73a1f45c122348d80666949ac3e4b0fcc83af280c6f29de8e8036924e74aca03bc59b0e619b91057d

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
192KB

MD5
a8791219898912edb1d02eb08b2781e8

SHA1
01dd22611c0e38fe959dc940f63109d8ff4d24c9

SHA256
ad386b533bb2c8236a7405221682f84f6ba2e066b5518860b9270c4f9c913fa9

SHA512
c87590f6fae9fa199293032a0d03d32cc156b59bef1eb08dccad6f0aa1c7d20bc2af171c2c4378688eee5d94738b4eb50147cdb909285bd40af98e13cba738ea

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
192KB

MD5
78d971688d1be050b7d732c4fe516893

SHA1
06521afe7bfa3b2766d0c1b43092a19e6565906f

SHA256
55047534e0956e62dbf328280e3a6a4a0e5d0557f0cfb0d1ec3c4066e3ff55db

SHA512
cca3c8ec3461a80e8ba60c28e36b87de66e7a29bc8ee2339c540488d1193f9ac2c49573ccec6c870dac6aafef00a45d3cdda0021f59ff93a8d044e7973e873cb

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
192KB

MD5
11356436cef917826dd96bf2d15eec36

SHA1
a64bb42df34e02746b9c35672e6a0cbed6655a94

SHA256
e6ee4fa37edb4a8ab13a083577d138f2a8538f7ddfa470ffcdd97babea6da425

SHA512
b489c2bdb0f58eb192ca6536e66287bbfc65a0ccf121c424025aa0b0ee303c03e86208a447608770ce0ee924c5b488248efe0cfef964601aca20cb383a9571d0

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
192KB

MD5
0ddee7d1d3a4c75e922b8c694d493256

SHA1
cbb3ccc9f9ad20aba905c5ee0e8d2d8b6b2d8437

SHA256
e25c923c59302f91e92b6af7955e5cab7fe03152f9bd071c733cc3e679a50bc7

SHA512
b0e31ee76cc8ecc09e11190d3c0e744920fd6b9ad0093e453ffdd253db618a6960da546283b06344433e85daa0ccaece6f990a7f3fecf5a922cb4a6025c53e1d

Download Submit
C:\Windows\SysWOW64\Jbglkbhg.dll

Filesize
7KB

MD5
b26bba21a69d9acfed5999b2a5d08f1a

SHA1
e632215be4eedf62d2aac36e219931a75f4a4053

SHA256
36aa12639e7e86fe51c016979f35a52a15ae3b999225644b1231f2d3aa7ce132

SHA512
cad9c1f6feb1199902b75af7de6ebae7f42514e8f0f51569851d4960067776ba36ccc5e215a94afe614fcb0d9706831a94acfe13d531cfbcee3a658a62e41ce3

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
192KB

MD5
d6c7b5fbbec836ab9eed60990aa2b5b7

SHA1
a3a38373e1464c83ca5072db871271ca70b38a27

SHA256
8472c5cb948b6f79bc1ffd2361292b8128333c83b04db83ff2c8955a3a84bbd3

SHA512
137673a35afd7456f73374ccdfdc88fdf4dacfbed327546795ea86e021de807315bcb737f109ab628379e1a9e32456e1cf1f76c65717df79d8cad189618421e9

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
192KB

MD5
48283d1589b9c0d1a02c050bbf3b9fe0

SHA1
033b3ed4529628a6ff40f39293aa1ea8d2d2470c

SHA256
9792a6a66bbf1345de7b2642b6a7a5115f418fbcaefacad6fa523687683353b5

SHA512
ee27c8128c540acba756ee0ddc3916ab8051f119b3270677b0145618a6a8c318aa42cd7f3d5471bf0da9523a14cf4e4162c9a5a1d84f6beafe0727f531a7a3f1

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
192KB

MD5
fe40852dbee304aa178e58b48c24247c

SHA1
15ce957b63585a38e1083390a4cb89a586f0e3b7

SHA256
7525fb0f60d77e65e4afe09d6d768e9d5fd1ad922c8273f0ea95c56ff882c2fd

SHA512
be2087540ecc3bc951e98ead480c80567c67cf393fe3b1568b0436d275a822c66848a67dd5dbd258bcfe8729f4877b03106acc72b6bcea2fe02e0d1ba6b16280

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
64KB

MD5
bd039867fb700c4a95bd79f35bbd85a6

SHA1
81d9af1b21f9ce6635ebdd63bcc6646cd2f4235e

SHA256
bc91235b351b0f1f93f4ad9f622efe4d2b279ff859632fdfc59c985b40cf88d2

SHA512
f99bb2a1792f1004c2378ab36c0e15141ee02346663a1662d4ff11efc549679af0ef3a145b06545d7b1df314fe547e51ed44c25490e2e42426f534d6e2ff2f3e

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
192KB

MD5
371a11635d63eb20c679b2cabf3f923a

SHA1
dcafec37383d754ba0e8dbbeece4b62c6aa6bc6f

SHA256
7ae510d7522db3769a89f85270a476ac2fa98b08eb1150fbac80146b66a8018f

SHA512
1eadfaa077e59163e19ef19b712ee9a575dc23b0e596a1190501d89142f6363e4a46c92ffe77d0f8f75ec7c92daca67c6d13a1ecd2133eede3df01c6702f9109

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
192KB

MD5
2484e594b8d13774a67ce4787de88a05

SHA1
3e16e0fad7abe7a59f2e3f44dd4bd0c20c430f56

SHA256
673aa235fb6ec69e9ccef0dea7caf91818dbefae7674e868cf372e4ae4f7b53b

SHA512
c4083dace60daaa883443d420c73bc8123002e9988cf6a365327eefc8b89899c844016aebb0c6c8dbba53914517fed8eb39299283aaa2d452fe70bfa54853dcf

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
192KB

MD5
2dedfe7ba9d3e4f8430b1979d3ffc5a8

SHA1
11ff87cdd0d0a7c270c4b20b0b935f7033f6a33e

SHA256
1c6d9253617ffe86f287d7f3837a8dcc065df3e704ec425770fab9d47276efce

SHA512
eb83b9924c3a7bec3c4781094b86532514cf7a770d54fa6056c15b0067b2d9bef759a9e065e81da64e7b1471b9d7070d006da092b4af6bac7785fee85e4fe5e4

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
192KB

MD5
ae5f4508f3b1766c4745b39e3e20a087

SHA1
dd31c71853e0227f6f5e5343a161bf1bfe74978e

SHA256
013ab1bd60405a5482e141880ebfe329a486efef09992a97509ee04b5b99d0c2

SHA512
0b4934ada925f4ec5f67c93f902e750adece98de897bf7e8609645629ad8ab96816bae4c40c55ba7d9fd1c28f00784839c26388e25d27f68addd1964c0d4d428

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
192KB

MD5
a8c065a3134566bcaf0f7e7bae58e6d8

SHA1
0f0eb4076779e309a5511878d2af80786c549f4b

SHA256
f1ebba27c79167c3158914f1501fe52c725781412fb90b6542135533f6583ca7

SHA512
6df9dea021bd99eeef8b98a1b7e9d35eca8b346c7b662243f70265e098fecf4ccf5572081a9e39bf4e78da9bd608e93112ec3ba2b75ae838f713ad02b6158cdc

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
192KB

MD5
27c5e8f356224414c9132cd73490b5b1

SHA1
649f9f55a8fb6f70ad64bd84573f7a2db046c2ed

SHA256
4cfc0e1bfc8c82fc1bc3e82184d8653b720708b3131b4667419bef73eb5b5d0a

SHA512
a36f0bc1a0db72d5c778baa6a0238be5741d6e1ad36eba1dcd23023fcfbfccc17e90ea39f019f13ba3938e7c0bc55345edcf4c1e42c1c0cc2ee59b800124a97d

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
192KB

MD5
8b8ebdb98a97032c030d6a7a597148eb

SHA1
38a5f4599f78a761a5a5168e108a5a9b9d078838

SHA256
a44280841b9f914d14d3dd921bdc219bfe5f5d68c6774f6552ebd9f77adb328a

SHA512
c75e9c40e107132e166817ae98f42d0a65f957ac3e34ab1b1af855b382af99361418e776337f45793296bbbf545e1e03e7c4b577bc2306dd3973590fee3d61da

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
192KB

MD5
49a8cb6ceebbf2bdbc96decf30a72946

SHA1
ed848d81c2f35bc2cba1fc0febd5fb2384e704bb

SHA256
5ae3d722291a958293fb8a43ae6c8c145dd408b8c4ce3b3a64aabef8d0f48c5f

SHA512
20c8ac4833ff08c76e420fc34ada81d341c11b6475d47d797a9226fcb5a762d3df3cf397ddd741950a60f970f95f1fd981e1b710c2e61317e5bc506bf186d76e

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
192KB

MD5
8cbe99314b02da60d9f20eb8f674abc0

SHA1
e2c470a9b1d20735756ab540339d3360db28f272

SHA256
1fe9a7d87d91ba9c3a7e951c363ac5d64f52cc5704e8501d3617a67538aa3cca

SHA512
978700f188b717bae8c068fd18d1f1c628a2217df8beec88d922528593e73eac330acbb7f6f0279d592ab5c1ed8e9bafdae6a38f6d72e745579f389df2a3cdf6

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
192KB

MD5
c64c6da4998b0313ac39eacbafc6bf7d

SHA1
eb920cc6acfced6469f3a5e560705d8e5845b41c

SHA256
231f3277dbf7cb067175b94992a2d92bd06839c05c63d20c88843e57df2236f2

SHA512
6733fa5491da200512b17696d913ad89104c67966d090e3171810aa04c6a6441390af7bd56d8ce867b16983c819c9ee04f7a71f2169afa2de75a72478b73003d

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
192KB

MD5
fd9402dc2e8ec7119d216f683f37a903

SHA1
6ee95bfe52b1217f4b714018d4b78c04356b89df

SHA256
5bd44f962aefde9dffcbdc8a92997064e0bf2ec7aa35f84d041deea0ae731439

SHA512
281cc45c2499d4794f9b46bddf892fd5ed469fb823ef92a7be212a29bd509d24e52846b105957cc3b972a0baf2b72938f2807088435d846cc82ef3190f37e6c6

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
192KB

MD5
6319fbbddf3870d7644a5825a0e535f2

SHA1
07c2de15b83a06a1250c440f83e34dc037171624

SHA256
371e1dc38c4783ee99ef2fcffd322de18bbcfbdda7db9788694628288b523e1e

SHA512
56dc0fad4f330aa87d7db2c8a9806252233151811fc937b7f1b69879b0f5e7025bfcfad17b141d1cbb54f334fa96006083dc39fea5781e5ffe1e8d55730864f3

Download Submit
memory/236-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1264-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3488-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3816-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads