berbew | 3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959

Analysis

max time kernel
93s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
Size

90KB
MD5

bf0334416987502fec6746e9518ab217
SHA1

e1a2f0055c243876e303641701679758b3357f7d
SHA256

3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959
SHA512

9faa9900504a6daf3b09d550ba40fd46d88d42451374ba64d3ad4367a08c564f706a0069f1bab3c66a283ecdc7e113b0ab38bfbf8814701d74499c94199e2425
SSDEEP

1536:kaPBxh8Fh+wQwD5u6ge5KW6ZivLuOATSvjDVGju/Ub0VkVNK:kaP58Fh+wd5u6/5B7vLXVGju/Ub0+NK

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ippggbck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3028	Hbgmcnhf.exe
3712	Iefioj32.exe
4560	Ikpaldog.exe
4052	Ibjjhn32.exe
404	Imoneg32.exe
4624	Icifbang.exe
5092	Iifokh32.exe
3096	Ippggbck.exe
2880	Ifjodl32.exe
4952	Ilghlc32.exe
1984	Icnpmp32.exe
3752	Ieolehop.exe
3772	Ipdqba32.exe
2692	Ibcmom32.exe
2232	Jlkagbej.exe
1072	Jcbihpel.exe
2664	Jedeph32.exe
3928	Jlnnmb32.exe
3284	Jpijnqkp.exe
3776	Jbhfjljd.exe
4588	Jmmjgejj.exe
3348	Jcgbco32.exe
2164	Jfeopj32.exe
3828	Jpnchp32.exe
2972	Jeklag32.exe
3552	Jlednamo.exe
4856	Kboljk32.exe
3512	Kpbmco32.exe
2952	Kfmepi32.exe
4668	Klimip32.exe
3344	Kbceejpf.exe
1364	Klljnp32.exe
4948	Kedoge32.exe
4320	Kmkfhc32.exe
2320	Kpjcdn32.exe
4152	Kfckahdj.exe
4216	Klqcioba.exe
3500	Lffhfh32.exe
1560	Lmppcbjd.exe
2296	Lfhdlh32.exe
4964	Ligqhc32.exe
1576	Lboeaifi.exe
5080	Liimncmf.exe
3452	Ldoaklml.exe
4844	Likjcbkc.exe
116	Ldanqkki.exe
1816	Lgokmgjm.exe
2496	Lmiciaaj.exe
4248	Mbfkbhpa.exe
2616	Mipcob32.exe
3468	Mdehlk32.exe
2832	Mgddhf32.exe
2148	Mplhql32.exe
4384	Meiaib32.exe
2964	Mdjagjco.exe
4060	Melnob32.exe
1104	Mlefklpj.exe
3032	Mdmnlj32.exe
4468	Mnebeogl.exe
4356	Ncbknfed.exe
664	Npfkgjdn.exe
4896	Nnjlpo32.exe
1872	Neeqea32.exe
4220	Nloiakho.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kedoge32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjcdn32.exe	Kmkfhc32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Phaedfje.dll	Jlkagbej.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Imoneg32.exe	Ibjjhn32.exe
File created	C:\Windows\SysWOW64\Jcgbco32.exe	Jmmjgejj.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Jedeph32.exe	Jcbihpel.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6220	5588	WerFault.exe	248

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieolehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcbihpel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iifokh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipdqba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjjhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihoofe32.dll"	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbnoffm.dll"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnpbjmi.dll"	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlednamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3028	2392	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe	83
PID 2392 wrote to memory of 3028	2392	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe	83
PID 2392 wrote to memory of 3028	2392	3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe	83
PID 3028 wrote to memory of 3712	3028	Hbgmcnhf.exe	84
PID 3028 wrote to memory of 3712	3028	Hbgmcnhf.exe	84
PID 3028 wrote to memory of 3712	3028	Hbgmcnhf.exe	84
PID 3712 wrote to memory of 4560	3712	Iefioj32.exe	85
PID 3712 wrote to memory of 4560	3712	Iefioj32.exe	85
PID 3712 wrote to memory of 4560	3712	Iefioj32.exe	85
PID 4560 wrote to memory of 4052	4560	Ikpaldog.exe	86
PID 4560 wrote to memory of 4052	4560	Ikpaldog.exe	86
PID 4560 wrote to memory of 4052	4560	Ikpaldog.exe	86
PID 4052 wrote to memory of 404	4052	Ibjjhn32.exe	87
PID 4052 wrote to memory of 404	4052	Ibjjhn32.exe	87
PID 4052 wrote to memory of 404	4052	Ibjjhn32.exe	87
PID 404 wrote to memory of 4624	404	Imoneg32.exe	88
PID 404 wrote to memory of 4624	404	Imoneg32.exe	88
PID 404 wrote to memory of 4624	404	Imoneg32.exe	88
PID 4624 wrote to memory of 5092	4624	Icifbang.exe	89
PID 4624 wrote to memory of 5092	4624	Icifbang.exe	89
PID 4624 wrote to memory of 5092	4624	Icifbang.exe	89
PID 5092 wrote to memory of 3096	5092	Iifokh32.exe	90
PID 5092 wrote to memory of 3096	5092	Iifokh32.exe	90
PID 5092 wrote to memory of 3096	5092	Iifokh32.exe	90
PID 3096 wrote to memory of 2880	3096	Ippggbck.exe	91
PID 3096 wrote to memory of 2880	3096	Ippggbck.exe	91
PID 3096 wrote to memory of 2880	3096	Ippggbck.exe	91
PID 2880 wrote to memory of 4952	2880	Ifjodl32.exe	92
PID 2880 wrote to memory of 4952	2880	Ifjodl32.exe	92
PID 2880 wrote to memory of 4952	2880	Ifjodl32.exe	92
PID 4952 wrote to memory of 1984	4952	Ilghlc32.exe	93
PID 4952 wrote to memory of 1984	4952	Ilghlc32.exe	93
PID 4952 wrote to memory of 1984	4952	Ilghlc32.exe	93
PID 1984 wrote to memory of 3752	1984	Icnpmp32.exe	94
PID 1984 wrote to memory of 3752	1984	Icnpmp32.exe	94
PID 1984 wrote to memory of 3752	1984	Icnpmp32.exe	94
PID 3752 wrote to memory of 3772	3752	Ieolehop.exe	95
PID 3752 wrote to memory of 3772	3752	Ieolehop.exe	95
PID 3752 wrote to memory of 3772	3752	Ieolehop.exe	95
PID 3772 wrote to memory of 2692	3772	Ipdqba32.exe	96
PID 3772 wrote to memory of 2692	3772	Ipdqba32.exe	96
PID 3772 wrote to memory of 2692	3772	Ipdqba32.exe	96
PID 2692 wrote to memory of 2232	2692	Ibcmom32.exe	97
PID 2692 wrote to memory of 2232	2692	Ibcmom32.exe	97
PID 2692 wrote to memory of 2232	2692	Ibcmom32.exe	97
PID 2232 wrote to memory of 1072	2232	Jlkagbej.exe	98
PID 2232 wrote to memory of 1072	2232	Jlkagbej.exe	98
PID 2232 wrote to memory of 1072	2232	Jlkagbej.exe	98
PID 1072 wrote to memory of 2664	1072	Jcbihpel.exe	99
PID 1072 wrote to memory of 2664	1072	Jcbihpel.exe	99
PID 1072 wrote to memory of 2664	1072	Jcbihpel.exe	99
PID 2664 wrote to memory of 3928	2664	Jedeph32.exe	100
PID 2664 wrote to memory of 3928	2664	Jedeph32.exe	100
PID 2664 wrote to memory of 3928	2664	Jedeph32.exe	100
PID 3928 wrote to memory of 3284	3928	Jlnnmb32.exe	101
PID 3928 wrote to memory of 3284	3928	Jlnnmb32.exe	101
PID 3928 wrote to memory of 3284	3928	Jlnnmb32.exe	101
PID 3284 wrote to memory of 3776	3284	Jpijnqkp.exe	102
PID 3284 wrote to memory of 3776	3284	Jpijnqkp.exe	102
PID 3284 wrote to memory of 3776	3284	Jpijnqkp.exe	102
PID 3776 wrote to memory of 4588	3776	Jbhfjljd.exe	103
PID 3776 wrote to memory of 4588	3776	Jbhfjljd.exe	103
PID 3776 wrote to memory of 4588	3776	Jbhfjljd.exe	103
PID 4588 wrote to memory of 3348	4588	Jmmjgejj.exe	104

C:\Users\Admin\AppData\Local\Temp\3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe
"C:\Users\Admin\AppData\Local\Temp\3a94a3d77e6c13abd7e0bdc99fda94ced5ab4243094c7df8851f987bd28cd959.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\Hbgmcnhf.exe
  C:\Windows\system32\Hbgmcnhf.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Iefioj32.exe
    C:\Windows\system32\Iefioj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\Ikpaldog.exe
      C:\Windows\system32\Ikpaldog.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        23⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        24⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        29⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        38⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        41⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        43⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        51⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        63⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        70⤵
        
        PID:724
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1704
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        73⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        74⤵
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        75⤵
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        77⤵
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        78⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        79⤵
        
        PID:244
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        80⤵
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        81⤵
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        83⤵
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        84⤵
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        86⤵
        
        PID:716
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        87⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        88⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        90⤵
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        92⤵
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        97⤵
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        98⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        99⤵
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:312
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1884
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        107⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        113⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        124⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        126⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        128⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        132⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        133⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        134⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        135⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        137⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        143⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        147⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        149⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        152⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        157⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        158⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        159⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        161⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        164⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        166⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 420
        168⤵
        Program crash
        
        PID:6220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5588 -ip 5588
1⤵
PID:6168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
90KB

MD5
440dd30d5489fd11789b3e22717050aa

SHA1
018c0bf73ba3663d3c632f2a8176e61ceb048dcc

SHA256
e673a4d4b044ff6e1baaa54bbbd22e0f45d2ab2fa5929cc281f72fbfaf7364b2

SHA512
882d991175e35010581ba868d8e763539df845de560b5a1e5503a0331df2f8d275d0c9ee33a78f69315335c1dfea39391997f69dbd9e8623149f79b83d7fe882

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
90KB

MD5
416fe3f3af5f12a3269e1e32e539747f

SHA1
33b79e5e793394f39f3ba4d5b0783cca15eff7f2

SHA256
4a0c5c523188433b071da93c17c8cb5920733bd6d2da70b6e8ce4977c5944b33

SHA512
451823e1aa3710af5cd33be3df1fba707cad29aa2623f0fcf9c0fb5b072293ada2a232e3fef41ae8a93d28a9bbdda3ab63fa7db21c7d3a5d79ca66c237bd33f4

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
90KB

MD5
4fbc42321d9e8b8eb6e4e07df191fec0

SHA1
776db77f33addbae820bec2cd26dc3d4f3ca0257

SHA256
e81d2d8f62949ab1a9c18277b5efb6844499b5409f1491adbb30af55b9725cd3

SHA512
93bdbeb3a1e0d08b592b9d69cb89be12e0775baa3925ef789f5c84190abbf921fd95d7db7c9c7b4deafbd4b0a0bf5446ce301521ed77e0df1ef5567961163b4a

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
90KB

MD5
6d3c84662a11a63cd36d33f0538589a7

SHA1
b5f7218c9d7d5a5a3c02e02feb5885f819739dd3

SHA256
6532e0a0ef107a892076d7c002c2d9a55103b9aa76d85f2b6a690397c35c30c3

SHA512
d125ff7353eba5799b467546d7a1928a2fdcf725b989c171b5a914589fb9ff41e68df8fd571e6dd5ed3c0c7441390f51cf355f3ba223d4260ed03f05721bc43b

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
90KB

MD5
dedd69973e0014b784ad479c7beaf925

SHA1
4093585f00de72daead6b2871bbea304c6ad4caa

SHA256
247e07cd293148148ba0e917901c5d86d540af038c2590ce326394795fd7fd10

SHA512
ceec0877dffef4c35b6f264bc22d71ac0afd05571b5f43b39e05b8bb3440155e1249d39d6999b6e703b11e237e56019dd30ab9df028d19c14d5e252a4ea2e860

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
90KB

MD5
031eb281eb151f777fa667e2dee2c394

SHA1
3dce085d541a28ee25b6137e5e328aa22fe877a2

SHA256
183167fec529276b82c6cd49a24ee18bd3875da14875c6965f8ba1a8847ab5be

SHA512
018d59d71bff8c13ca507b76e19603fc1785523448021f83b63a305824288aa5929ea6c1e9c0572453b0482a78db5c7a8ad716c40be1e1b9511cebf0781b4a39

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
90KB

MD5
587d06d38b40bc2e332cd70d0b8a1c9d

SHA1
2ffbf51de7ba24b48bb4420d73d3a99940971b2f

SHA256
9f2550f0e09ea11051d4d323ead7925b4cd79e09d88b877e14bdd3a3d1ddada5

SHA512
28320fa3ad01a0e669954f83d57f87f99ba001f859d8e4592ab76ad22cf6fc5bdde2ec51500c4667977805fae43ac740e408a38fd7fa3530739918c40c0bbfb8

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
90KB

MD5
57e7cfd1d12353c344e2a4bf38fe79f6

SHA1
43807079b68b126bf6e8d70df2ab01058fa7e3b8

SHA256
534ffa2f5fade643b99421a126171caefcc5bb97f6c55e7e6b7e160a012152b2

SHA512
e306d42b1b7b5d2067ccc8d18c9a38ccb9b05ebf257c23d53bb7f75de023229e3bf0961aa2c3f6f9e3634290ffffb103f8a716e66499e0feec0d8fb75354d36d

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
90KB

MD5
79e5044b6f97e677aedbd00ccf850cef

SHA1
d019b1b67b217c43658b958a7b06f62725282ee2

SHA256
2dd9ac0fbb3ff18ffbe448d98fcf87f729606cecd0bb90ac4660506dcb6952d8

SHA512
c6c6e4b624c0fe186f95edccba342d5d960ebfe860c30708b8ee74df7e8ccf365624f298ab1242ebbcf728724b3fd6f5cf6cb90c183868f91db68d461d672f65

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
90KB

MD5
a622f1b0ca1a667e40f35d246ebba57f

SHA1
4d59a883ff66ff159a5a6f50fe94c76ff7284c78

SHA256
8f06d6d5b3cf22258da71f1e7bce879ed9404c6fcba18e64042fa69ce0f08977

SHA512
459241300170047fdc77228931d5a00450b01e385e803c4d9172f0975217f452d1b82dc8cf928a816777672d3e574daec1128d72df0d7a4455240267584d1ea7

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
90KB

MD5
ee86b2bf10f5aec5fc55a4b3ec057f2c

SHA1
c234c98da9ef65f56cc9391d55fdcc09e5e14a3a

SHA256
b18a654b933121a4515f09102bc29c7ce128f888743084d0f66777f84c6e0c31

SHA512
0295c3338dd5d09dc90362f097015d9cb51d83750e3ff67596c3692ab0f9097aa01006d24c1c490178fe18250f8309d35a45c1bbe70a58ff3c6b661b3d7094d6

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
90KB

MD5
a5282e8da6b94dded028e3f1668a7c96

SHA1
b932e47485491be50c450ec1bca243ddb9adc662

SHA256
95af699fe1063c5c90fe906d91f60472c06371464c61c9519fa9f3ccf67f1dbc

SHA512
aaf589e28e294f00a179c85d05357ce940019bda7c7edb3d18c497bb4027eee2971935babd18329cbad791b4d2fbed3babf6589ebcc7289aa0a8a9c929b1fdf7

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
90KB

MD5
f8e13a251631536e2f5d386bb4746955

SHA1
b2ea51b4f855000c2b90639ad7660086b154b0f7

SHA256
95b5f059ca05f4029ed5f7ac587f1ba5f855a5fbc62c366dd6a0839a56658de7

SHA512
6c42991ef2986e8f1b2808057dbf6be9aaba93d27ef20d4ca9e4108524d93acfca1d4a6ee4d15941017df2b07a34c3fd3c110b638d0bca77d58095cf545cbfb2

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
90KB

MD5
e2c2259f3bfb469300a5d39ec1b9aabc

SHA1
696cfdcecd9fa42b699d9cf703a8710ea180012a

SHA256
991ed844953a6fd62e880e0d02b59d2d57875ba5f683ed90d998587d18153dbf

SHA512
52aae5a0e34d5e7f3a399821fa4afc489628a84f099208db9cb0323fe4a1902fe1a09d907ac00c62682091440db300a98d1ddcccada2878c19ff661ba269524b

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
90KB

MD5
1b30396e24ab592fa5e2d0c918523aec

SHA1
9f8cac08825d98d8529c65666eb8a38c2796cb12

SHA256
e0acf31d43887155c1f327d4fdc661f2e822d9b6e16de38e66e5838d4f982706

SHA512
f1b36f33f7240e8302ea58b6d428a28159eeda947813b1062c228073d89707638ead32fa65908bcae81c0727734cd315d15b01ae3ff05b93d2d1abee0832a618

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
90KB

MD5
2ce640b08cdaeb2b074cdcfa66eeaa36

SHA1
5a9e91b90dc382cb6199b819614a91e1df0f510f

SHA256
d0c8e47c19319e6fd8b3c3a9607d35516559314513d757fe4233b1d43ade63a7

SHA512
a0a550a3bd4088eb982bd9bd95582b06c16913a31eca22cb7657bdecd0f1279ad286c5d614d7dd9adcd0ab892791869cfc2401c623dc64552f96cbb65ecadfe1

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
90KB

MD5
d380bf6810372d351686738b416052a0

SHA1
b4c5a593f184f988878658496b12c3a9315b30ad

SHA256
edf08af56f048c1cfd324807072a2967e490c2eedb8b400d6d97799407ca9d1e

SHA512
3d8e5e296f7e06d7d23522bad6b601aae7ec8ad9393e5d8dc37aff292a9f675894235b8af08d38f9297284a277f865c3c558de8f9d23854980cbbf315f62e319

Download Submit
C:\Windows\SysWOW64\Glccbn32.dll

Filesize
7KB

MD5
717810e61e348be54e058554331e8e50

SHA1
f8a8d8f54288b483e1405632bf2cc73b9ac4eb4d

SHA256
8bd7776262e08aab6da993da63f1451a95eda4368c22626685f62082c83d2e5e

SHA512
43573ce14e55db5a378d1815256401d36d5185f1e37c386837b9cb83969702660540c7596d0716e4427e6ee2b731a457a5b83ebdbf91b6db1022d74a75ba565e

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
90KB

MD5
80da6f15352133c2794f139b3113a5c3

SHA1
cd0664810475ab3393bdb2bcd5c3f649c4cb35e0

SHA256
6a3e3d9538747e954c345c1689a2e044d7f2591e6779254ff7f3b7e8649bcd48

SHA512
c4d804fa84f6b0ad8cef7e5298494206fc6eef75fdb335246d93bf81bfad7f83b965facf13cab90c26cc17937698ef0610c4eee44e902007c531f5bb8bb9fdd2

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
90KB

MD5
3c1ab36a1565b0fcda54e0fea0ce612c

SHA1
e0a40896fb21fd8f6c939f3ffc5c3ec584565535

SHA256
cd9e3df317a6e3792e66debb98e962c8f5f48b96d6622f07e994c30954b20110

SHA512
81c83da51ab01ed801aff6a3482612617b843263a6935df182bbe54b94319590b287e61513c393caf50b833b50c843b3a8db2b87cb3194a9b01a8029e8c5fbb0

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
90KB

MD5
ea10098c86e580830993782355093d72

SHA1
dc71104c97ee92932a855ccc0931229679efbb13

SHA256
27a3d8b4b095a5e77cb5f77755968ed6aaf65382130f7530f2b4ad5f547dfc6f

SHA512
3a4b34473d76936e87cbb66a8fa8e916962d07a290ae4410f27a0460cd137410e5d68a7e79e4fc447e7bb6783bcb3f99fbb5a6b459cc08aec354ab568022e061

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
90KB

MD5
7c25b31c101e80817bf447f1dc9e0356

SHA1
1f7b2e29f262dc27bb60927cdf14efaf4113d9cc

SHA256
0a13c047126cdd8dc14fcd098471bc65c12b854ed0803dbcb3edca8fa58ecf13

SHA512
e67637dccc01921d1585d07bdcbafd80584a07143e2a978e88436d486067d45ba49d1ba6f3d16088794594fa96dc439117ffa104cfa09b6996052ab26c8f9b15

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
90KB

MD5
5436c4a6c87aa0febc11ad98e185cce9

SHA1
cb3bba0e70afead59206d2341f55e9583442d6e5

SHA256
8caaa27d1be1bd2087bed9344e5d540e6f04c9a4b9702fc0e873a9153f25424c

SHA512
f1ce2053f0336c94fd1a0db91e742e37655572de9af6730adc5789187473a152a053d57cf11c1b3bb1ef4b4fd737950920c5cc9430d8f527d30feb863fe09f3c

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
90KB

MD5
8c069539f75e058658203228778b7ef6

SHA1
d0ad59acc88fa9f2848a1b77c9ee6146d65d397c

SHA256
c8ebbeac2733751871b042bc22260fdfb01f9a2b3bec5b961a40cf8199417437

SHA512
115778da0c7d61598aaf75d357628d6eaca7d5d4371fe49107caca132a2f5c3e8e35571ec95b70c60c05c9b2c277f2ddf746eb30a230d3df5d0f5a1a4c1c7313

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
90KB

MD5
2f04d514ccc46052ccc578df2cee8e93

SHA1
a253f301cf968104a6c0fb9e1d7dc776b15955bc

SHA256
b401a8454bbb8ce48ab64451a7483445d1d3e923c98dadc9ef0add52a3558dd6

SHA512
7036a647ad084e6327628ee4582ca65a71e82616de88fc41e85ee2907044b4e45536204ff3ea56e3aebfdd2d018e95d67074a63ef7764bc43713a12ef30199f7

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
90KB

MD5
3582a960c110fdaff3a4fcde7bd7d3fd

SHA1
4d7c9953e2581df9bbce746104666dee1b5d4344

SHA256
c9579458a4e9dbb69bb81896a0be2fc2aa433d875054bb78f9e38679961c3e6a

SHA512
8979f201d68df8f4b366bc73e0b58b29352dc81bd23a3abe96094da55d909f2afcd7b7050dd6663349a3db685b6cf85c82e977b275c5f90c9bfea2baaa7cca0b

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
90KB

MD5
a5581980f4b12dda7756e8dd59837dc1

SHA1
e59c5c93b332a683648c5e0dc0bcda6eeb67e119

SHA256
e66ff18f605e8cad0f9969bbf38284b1ff6582cb939df5cf4fc43527a8bdab3e

SHA512
d1ff2bf1cf73237402d5aaf82b11216f403b7718b9b517781c6d864ed23c5d304769ac12decb18df189b0b74e2ab277a1ec24368106c9407f650a3c076ad67fb

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
90KB

MD5
9d700db70756dec670b0ccd99dcf71db

SHA1
e6c2658889174d4eefa527a90eb14ae41b1d60a7

SHA256
1303d84af3c41b36aebeac4b269f95ff2f4cf2b0f39ea5879a66a9774211ed65

SHA512
cc8b2759ab3487961e752e2b967380499fa9154a734e36a3d6587a5c9dae288785ecc28a9ab178fd4442a95e40bc8baf178a67c7b1b023189e857364c096fdf0

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
90KB

MD5
4e475ef2615b62ee40d6d3d13fbc3bdc

SHA1
f3c5d10a028966a62adf88a93ef363453f3e08df

SHA256
1999720677d559034580bb5f85bfead6d233378cf95c481ae44a91bbcd45ebfb

SHA512
d0902709f17e2606358b711f140604295777634c0593257832aa51fde91e1b2a73b734e7a66256f3e30a613adc595212ad3a26f2fe6435e98bad6b4b8367ec4e

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
90KB

MD5
68e57bfc742db716379b8ec6779b515d

SHA1
43c416813fd971bc0fdbd8f4beed686271f9fb09

SHA256
6cefa49b39b677f7ceaf186852d5d563ec35d3e7b13713d80987e1c1fd5233e7

SHA512
893a06cc6c4c14ac4ea77885caca828ca0f1d136ae761a3f6f3af2535c65689d4fffd75d047fd7c4463d775e7cf6ed6d232c2b00c414c8aaea90cd41acbfdde9

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
90KB

MD5
2d7c5a8d4ccfe6d04228019d4abc33eb

SHA1
b568d9e9ba6467a6669f09d5465255f0feb9340f

SHA256
3c0b07a87d3ce31415eed5029f6b2bfa168eeaf333610d03b05145911abcb2dd

SHA512
a3eb53b01e96887f1d9a7b6b72ed05c87d7fb82e1acb3c26ac2f4311636a06f88d41c70fd2f9cbe9f0234d1458571fb6740eb01b19ef48d1a0d2813d5e335c0f

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
90KB

MD5
9495096e9c5e9ade3f1bfa2314b6965d

SHA1
15de1f10cb2c9adca2bdf7d882721893745fea22

SHA256
bcf9a3afa748c8ddf80b0771cbd455add578b1c38faea60908ebf64c68d56a05

SHA512
8ed5ce82ee43cc007aed994329321b23270589d0e971059824297496fcad4358d652d5ce785c16fe95a8dc4be70e5ebbc5805364ed945e450a355ce6df72cbae

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
90KB

MD5
c7387f3e51d95818da4d8b7477f55f33

SHA1
e3736e253a4d09f759e1e9c00d6fc200fbd3091a

SHA256
93af9be69e7db6bfcac7eef25ab17c595ca15f3c27cc138a5b2bc27440f5dff6

SHA512
19f3d5944240ca6f16050e0f8965ecc12cc8920e1095b50c57875b75c6c0c041eb0f879e8f863d2689b471d3d98f4333758ddfb580e162caf235682b3327ecca

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
90KB

MD5
71604f8f704bc6f24765ad0d88e9d3c1

SHA1
c47af12bd858d3d8f66e46d5fe306f8b0a3a0754

SHA256
4ee99b682f9220a8cf161fed374a3d2ecf5ba7641da86ddfe7615ba113e6561c

SHA512
9911de88bf758d3e3fd86877dce7dbcf10bf25f1dab637c2d7fad848914883c0c602742f3b02036374ca0b70e9ff40969d05e3a9ee4990d4c406cb6d6a219653

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
90KB

MD5
46f2f23a55b70702fe0f2ce0826fde65

SHA1
6be539c2ce751f2ab0958de6e1ac6f751ad85246

SHA256
08f7b541403a7eb9362834aa38843151c6a2eff703710aeccbdc30ab94fca52e

SHA512
8d070bdd4cbb78e21f8d26f2aaae5c6c171466e9521c5c024f0ecedb95839f7900822154254362d51c34e373fbe347ede6f10ae01651f84151937f59ab0d0692

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
90KB

MD5
c23a6151a1a7a4cbccd8a81e2c893924

SHA1
3a81a65f8615cbc7f05aee6d07a008c063b2e983

SHA256
f4a757f69fd1d2b1e516ab4530d87ff038e54fc2c37e83925c7a395c56e26b52

SHA512
883f0d78b37f6b3b94fdad8ebf5f4d0458c531f9220f0a9f511eb76a1853741da73852209cb9ef8d297db1668c42cea7d9b70de45126aedb3a04bbdf75ba71e1

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
90KB

MD5
78c4bf7b1f3f0a362883e2a080e8e80b

SHA1
c967705c927d3c0910716cff375f7dcd529367eb

SHA256
e84202514ea7d1d0a1495774d8277624d311dc60648a7d85fb2f8250e7961b64

SHA512
cd7dc803ad950bb8fafc7a3cce11bc04bc58f841371697529e89060c5b97a3253e29ea07b06596febe91ab25aa3a7a170c79bbc73e09ef57ffed1dffc2d988f0

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
90KB

MD5
3b13e09779aa9aaf14b8c575dbd3dcc8

SHA1
4600bb6a228eb3d32a336fe29945b40ab8a1d640

SHA256
2ae27bc3ad7a1fedaf10232b2f348b4845a329e5f2204435cb50e5c035d6dda1

SHA512
f4aef5c69e5bd2408002c76870a0169c710c55caab28c819a70b33051b53edea53ac5b1df306593c182f8d18a9152b47fb981e87fee177376631072623ac70e2

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
90KB

MD5
510e1bfdc8325657d407201e3b72abfd

SHA1
36d9feca399df158390a2b76aa328d0350a8890d

SHA256
021e6b3ca53a593bcd5804e0ebe7a4fbdbf2b5dd3d2530c319ace4a4fe46da44

SHA512
fc68f4b5acf112cd38c602b0e49966f1654f7f143545e47ddedc12a5b1338212cba856d0b5eadd5ffdf7c9dcfae9a44dacfa68cf99dbc68bbb0f13ec5812948e

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
90KB

MD5
17b25e683dc8adca15c2cdd6fc517053

SHA1
bd93881114acf0dbf3d98accc96778829e8b5637

SHA256
5492e9af3947637697f91e7663c701e70a97ee2b051c84a02cbc29ef83bb1727

SHA512
1897ba5a63acc59ff9d255eebc5bccfbca8e3fa6fbc5f6311bf428b4f972a011324d6188cc4e90f9ed5ad9ede5e1856eff8edd80e35ae866c702e2965df4d952

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
90KB

MD5
87cdddbfdb30b1a4e86b0d01f0128054

SHA1
312c6d9de95a6191f803a9119294d7c082eea416

SHA256
30f818f9c6f3d276e4ebc26b7794f64cf953750cff157456a25aa83ae7d36754

SHA512
3b31170605f758513bb7f95a82fce7724532c5c7e2beff72af8c536b8a04ce42e714114f07f3bcecde60525304f9f57d70d8c6f213304edcdec7d22ba31168ef

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
90KB

MD5
8cddb7a687c374f3856ecb3170094dc1

SHA1
12f17732e24a2b3d292482179207606f954a9aa7

SHA256
6baba16efd3c51a60775628518e86047dd48a4da6092bb868e47f7491fc98518

SHA512
f9a26e49400f5cbb9333312d3232b1f0531c185e764051cd8ae4310546a4d4798f8ddc29cea0d316b185250344cb96253336e68d6e765b8abc1a0bc9b1adeee8

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
90KB

MD5
a690bc73aadd77e87dfcd579ae69b23b

SHA1
4c246e43ef41042cc9886175c84a63db07daa128

SHA256
2d23519e7ff5e03c92b3c881115b81b82b062dad0d410ec11adbe33fa834ed17

SHA512
d1b6a010696becbfc579411318e54274d681b9fb2cb30b26d7335447d63d7955de7bc8f7734df9df10ea03f646fd3e0dd15fefad70a69fc10f963d54f3fd02a2

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
90KB

MD5
839c10b9117c7ec896bfd9954fa41841

SHA1
beeafd585e16f21e52e056c9a8755dca5818cb34

SHA256
53a8bb029e9e0fc1d95203a8adc55d6fc30a2c94d31c489b295df4f236c85eaa

SHA512
adadedbfca95bd4e5965112c1b4e83424423e7f7728209925d268a0e719bdce0edfb05f8e6fb516ecfe1e49379d0db87c624a07fdaff51d4087c3ea4b3b1d811

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
90KB

MD5
e440c55ac71a68b168da71a84aa65d2b

SHA1
6a5d8d74d7ab77291e5747b35d768205f38ca543

SHA256
255297d2bd602ae447c6dbb76165d0c3f730f30df905f232092755c5b60a8c25

SHA512
d849015b66a85860082894da10dcca18f057f1487d6ef7e9e1bd1f68053dbe073783f175150c1151dc2ca72d0a84e59a2fbb555ef1c35da7d431fc37b1f87d07

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
90KB

MD5
766ce205d130a4a0e33437c177da9a81

SHA1
008228344219eda2f7febd72161f016ed77a7ffd

SHA256
f7c16f9b80acff7ba9b24d0437f6da2e841c82b925095761ff9ae88c84bfd10a

SHA512
53c69d407ce0138611ebeb5095effbfbea286e83cd2e19add72770157c99a193de998dd61f9dec167fd4a8647255b6bf3d85ab8c2966159ec5ab7964feb9d676

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
90KB

MD5
e505287061a595b5a130345c3ff9398e

SHA1
7656892eb182714a34e66c96dd899c56bed58de7

SHA256
6abdc9578993aeb132370840637f5115a4cba1370030afb6a23563a04c36f54a

SHA512
0b5df60af8274d1d3dc978bbe6502f2ac4691f74139b76cabc489e2dd630712cce307883c4902e86206afdda4c0fbc68cfa9ba7a29caa829de03a340964394ca

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
90KB

MD5
167e792bc6c1651fa630615c2a918400

SHA1
6c1551fccacba140c9d490115db859cac1564516

SHA256
61c7bd3834e076de89581dd84ae81b8b2064e5052a149c7cd02414a25e58e71b

SHA512
e94bbdccff1557f6eaa63106111b36421276471d60f8e44913d0796a070ffddb7e3bc861463c469ded50420370c703b70b597a94cfac26d1d6024f5bcdeb9376

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
90KB

MD5
2783eee41ecafaf22d34d1bbc57a9c11

SHA1
28daa1343c37c423f9314b7e3129a22d373db3d9

SHA256
72c2853dd79c0b4931cc2399b96b6c3c82731177c31f6605a84ea2dea85836db

SHA512
01ee335b1368184b8aa0657bab11537b42f3bbc2858edc3767ea76acd71e830d54abdeff16786b16fd618e02e094c56d1e7d8a052db9de2e305a707b1e4ef594

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
90KB

MD5
0678f2c738f8a1f471d6554b126d0d0e

SHA1
0e23df57b583b061c62b3d42b24d366b82cc0ba9

SHA256
3f404afbdcffdca3009e61517b9a1910f8e458006ab47b7384b546b35e1602ea

SHA512
ad3a07607242bf7cc4336847f5dc1e7a184923026a5b7849a15b55a4d2665224889b3e02478e9b4f6b6a5250697dd9ed850d85e7b52b035a06cc3dded778e609

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
90KB

MD5
efbc874013af626d15f23d4b74a5b79e

SHA1
7b7b3c21cf958c40f1c199a16278eede02d1181a

SHA256
34dd7536d61282b69b2d85b559e943c44f32555064512ec1135b5a711a6701ae

SHA512
220fed1358db3b1b76fa00c6bda4badfc36122f72a9c589e2d5e0d0b430e35d93f6df882a6e6a9fd1695432ac86e7d31a401604af5df70803cf16b84e7331dd2

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
90KB

MD5
4ee057ab1bdc2fc5109b2662b40d59cb

SHA1
2709f2dc03ce665701b4ed6426cf162965e16c74

SHA256
80acb796007028615a5ae6c7b2e9013899e6069576f62f325153cfc279954403

SHA512
c751f976f6ea517898477e6ebf60c2ca3410b440e4b9f38bddaca7e6577c6e0cd093f185250ca80244fdd72c907a524ca59b5da857508e88e746e9200b6dc503

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
90KB

MD5
f001c0655c1458aee560ed4d4915981e

SHA1
f1eb058edfec5c97666740c2426626aff5c173ef

SHA256
ed2386f87308b5731227af6aabbcee8a9b8ecc062bda6da263ca3e5b4fb4929b

SHA512
292129fcfbd7ebd0f5ebe287f7bf092ec61dbc01cd3fbaddab30dee10eeac25b098496b0dd78205e441888c2e98a4f54109b32aa5107f9599c31367ac6c9cd28

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
90KB

MD5
8c3677ff16fa60ade7c6a0add45bcd35

SHA1
c66b1b295a5b86634ee960a0a3b45634523e812e

SHA256
3597ac90f96bc4c62a81594b3a5d37c802019fc8137450bfb0f6f24d3ad720fc

SHA512
86338809103a8a9b1ca94683b262d686ceba87b1bfbec35f7356ff40d65f27440f778df4afefe97530d415e872146fb35024afedc50e1eeb0dbc4b4780715bad

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
90KB

MD5
8f8d6dc8335b6beee900ae44c2836a0b

SHA1
0a2b62abd432abd0b83664159c88505c38ff5ae1

SHA256
08a3f992a3a4e6c62fb3039fe9bdbb26c6a5d75acb1048b172e0c2d0e59c72e6

SHA512
b55bc0e5f829710ce398597cfe34b516759f93970f2e78be988b6fe0858fe8daf0c6bea5469c67f67551f89969bb645977b7ffe752d65857e246049a9a5b0301

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
90KB

MD5
2404dc00f192d3cc5faeadf0cbb4d48d

SHA1
2c3b3a5b96cce698b2c1785b8a5515588f4df6c4

SHA256
c6c446a5b8356e5d4384ced39c8024d754ce41ef1c071175424f8d0825dbacb7

SHA512
e87596983ceb2eaa0ad6eda42f64d7079c3d284b1428bfee9e88c399f9548126142d71824f8a63eacf55dc73fa8f56e8dc1872fb18a66f67309804d2601739c4

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
90KB

MD5
c5dea57328d0322de74a356e4e5705c9

SHA1
be3b085a1858b6e6ef2bdb62eae143fd2ba49a7c

SHA256
2c60e4e0b834fcdf320d0c1ef17512389662b541c1d588e04b9c7dd90d8cc5a3

SHA512
e3cdf61bb0714cbd4d671bc03de0cbc6e43446eea34b43c0d05077ba301c192510702ac6b570414bf3029c337f9c832a599363b72f1fb070a5c92d902f2a761b

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
90KB

MD5
222a3bc5df7ab500a66f7b0977f3e8b3

SHA1
eff1c4151ec7746f7b9916bb2a3d442ae2dcd3af

SHA256
fada295e27142a9990c5720e7dd7c3416ec9c1d1b02dbd3961cd06a996ec5848

SHA512
0e97f53217613881956f4c00cfcf91f4d4a5898a42e7b033f31f7429a34e7492648769ddd1a5f0868f5e0c39cc85adb43c57d12e38a7d47479903f32d51694e6

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
90KB

MD5
de45745af2bb0836efe103b43b0600bc

SHA1
2f0aa7a4ee428e083b9060fa892c37cee7e69cfe

SHA256
503825fe028790e2cb7fedb428b7656fa1a0805e3d8cb349b224e65ea0cccb92

SHA512
aed73f64e1de0f5f096a0104106c46dda7af11a9006a62cb882183cce717a750b9e0d3751036186978cf39a3fb07b3e2aca14fcf11941171bff86b9e3ea98ccb

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
90KB

MD5
b44c87fc81421c3c2e1f2ef3a802918a

SHA1
e32469880ae6d652433c74e34cc88587a94b2106

SHA256
537ab4fe06c5e51ec35ca7722bf1e373e491abff917de30fd1d791c1746b2051

SHA512
26f7dc927f3c3a8aeb512635ca349cd1d0732a7db7e073c5ee84e05ad3a2534daba05817c5228a0b4358d59e3f7707a0cb43bad9c2bd29cc08fe4f734ee05e80

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
90KB

MD5
c584836671d20e17c5a342cff6b52351

SHA1
3c0a314ba5f9d76da2bc5b676493651e27cfaef7

SHA256
5ae589dfe158fd65edc28f8a6423defa11e656cab88300806fc69e0a629a8496

SHA512
115afdc1296ee386d66ee92ab39de40c7f911730ef8f0edaf332d2da80ba0134c500edff62da4e2319008fac558ebdbdf593ae7f7b02ce2ecede8d87f804c514

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
90KB

MD5
0d36b684da7e58320c168675da58ba36

SHA1
008491f6e5a708866ccbbecbf88a7af31d7ec2c2

SHA256
d7f8886c178efe2a028b989c342bc2200a899c82e0f07047f0451fc0acb839c4

SHA512
be02ad963aa6f8a4872b3621871a2485de4a3867ddb531286468753f01080b2e60b6b7b4132b583930390956af30b0317200728de647fe522ec524ac0f16efbc

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
90KB

MD5
349462cdfb7129180db6d3a116105b3e

SHA1
f7834ec5fc8f5bb97a232e160132ad6e3479b5b5

SHA256
953bdde02aa371b980fe70359a11cfd9b2835ce65773d03461417d2b48fd7155

SHA512
df93f6e4661022ed3bd9951761cad8a94eba150cc4eb36e311e07a83b616d23d6fc7ce05f03fa9f4d502bdf5e8c52a75021adf03ce344f0282bd3b34635e9b82

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
90KB

MD5
3578f0cef5a46a86c5729ee8a5bf3f38

SHA1
9f2cff254973fdd50ec8dfbcec76272370f30f31

SHA256
fb4782e283d0bb814e8edd2339681f2278e1b864cefb23b68e1c4274281d9038

SHA512
4f87bb5180d7b48ab137ecb0dacfe2d7e67089d0c448a56048bb78566dbdbb0514f6c8c8b5f569147c693b074280656c546a66745b03f5ce778ccd5fd8fd388a

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
90KB

MD5
bfac6858bad1eebdbf645a723d2bbd6e

SHA1
74efae1a4474390d4d6abece91209c4b6dcf5c04

SHA256
7ce61d8c4a90bf58b106bc9af977b3911eeb79ebbbc7c0471e7c9c30bb320501

SHA512
e9753ab501f82332b8a5454678ed4dd1982d114c34b66899d202e13ea20de5390b5ad231e1b6c2e002c8a7e13c9fcb5c1766d98b215c16eebd9db60e7d1e2863

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
90KB

MD5
30d1decf4084f907fdd92ec87757f176

SHA1
4ae999bea13f54ba392908b6848f1def813b3d1c

SHA256
9aaacc289c74aa4835b38380385589536a257d550ee90d7cd08f28eb58fd74b5

SHA512
fd27eea9abc96dc043170811bcc1b1cf92439ecbad36f5a1248a0ce66ab941c2947bf650e3145db8eec06f935b0a4513dd87cf9dee8923106cd5bd8d5e7116ed

Download Submit
memory/116-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/244-532-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/404-579-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/404-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/664-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/716-580-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/724-478-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/948-514-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1072-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1104-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1364-255-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1492-466-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1560-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1576-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1616-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1704-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1716-552-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1816-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1872-442-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1916-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1984-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2140-545-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2148-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2164-183-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2232-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2292-508-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2296-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2320-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2332-460-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2392-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2392-544-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2408-598-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2476-566-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2616-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2692-112-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2832-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2880-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2952-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2964-394-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2972-199-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3028-551-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3028-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3032-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3052-573-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3088-454-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3096-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3116-526-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3284-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3344-247-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3348-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3372-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3452-328-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3468-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3500-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3512-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3552-207-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3712-558-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3712-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3752-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3772-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3776-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3828-191-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3860-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3928-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-572-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4060-400-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4152-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4216-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4220-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4248-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4320-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4352-587-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4356-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4384-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4388-472-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4424-559-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4468-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4560-565-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4560-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4588-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4624-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4624-586-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4668-239-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4844-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4856-215-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4896-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4948-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4952-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4964-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5080-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5084-520-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5092-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5092-593-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads