berbew | 00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4

Analysis

max time kernel
107s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe
Size

64KB
MD5

a322f8599fea9c56b5cfae9e30d75a40
SHA1

7961d5bd238eea54d1a80db1a5a747a3e77fbe84
SHA256

00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4
SHA512

3b4c502db47a1af72c499f7816c564fe686ec582e37efaf1287f905ff81dd2d4807eca7b41efa4a5f679f7b4739cd071e423cb710c9cee2f530b67c7f1552e4f
SSDEEP

1536:+Zyy7ZDWCmfMr3Rt56LXlnggt3EXyeO6XKhbMbt2:GyytWC5Ft56LX5nFENO6Xjt2

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obhpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppipdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkelpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ablbjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpena32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djoeki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiecgo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pglojj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amhcad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aldfcpjn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbbinig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oodjjign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Objmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaablcej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amhcad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndafcmci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkdhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeeff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddppmclb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klhioioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndafcmci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofobgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhpejbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efoifiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qldjdlgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clilmbhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqojhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padccpal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkdhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnlbgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koibpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldpnoj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnodgbed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiokholk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeeff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ablbjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cceapl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiecgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmhbgpia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdjpfgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boobki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cceapl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lglmefcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obhpad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ammmlcgi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgjgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgjgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klhioioc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldhgnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldpnoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbmkfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epcddopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lglmefcg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
908	Jnlbgq32.exe
2756	Kiecgo32.exe
2476	Kmclmm32.exe
2820	Klhioioc.exe
2484	Kfnnlboi.exe
2512	Koibpd32.exe
436	Kecjmodq.exe
2120	Ldhgnk32.exe
2256	Lonlkcho.exe
564	Lkelpd32.exe
3020	Lglmefcg.exe
1784	Ldpnoj32.exe
1456	Lmhbgpia.exe
1420	Lcdjpfgh.exe
1976	Mcggef32.exe
2168	Mpkhoj32.exe
796	Mkgeehnl.exe
1780	Mdojnm32.exe
2648	Ndafcmci.exe
1776	Njnokdaq.exe
2216	Njalacon.exe
2044	Ngeljh32.exe
1016	Nnodgbed.exe
860	Nobndj32.exe
2304	Oodjjign.exe
2612	Ofobgc32.exe
2720	Oiokholk.exe
836	Obhpad32.exe
2828	Objmgd32.exe
2636	Okbapi32.exe
2996	Oqojhp32.exe
880	Pglojj32.exe
2428	Padccpal.exe
2824	Pbepkh32.exe
1348	Pmkdhq32.exe
2684	Ppipdl32.exe
2564	Pfeeff32.exe
464	Qekbgbpf.exe
2096	Qldjdlgb.exe
2252	Qaablcej.exe
2192	Amhcad32.exe
840	Anhpkg32.exe
1544	Afcdpi32.exe
920	Ammmlcgi.exe
584	Afeaei32.exe
1196	Ablbjj32.exe
2816	Aldfcpjn.exe
1400	Abnopj32.exe
2296	Bhkghqpb.exe
2616	Bimphc32.exe
2848	Bahelebm.exe
3000	Boobki32.exe
1192	Cgjgol32.exe
1708	Cpbkhabp.exe
2036	Ckhpejbf.exe
1920	Clilmbhd.exe
2528	Cjmmffgn.exe
1056	Cceapl32.exe
1280	Coladm32.exe
2244	Ccgnelll.exe
2960	Dhdfmbjc.exe
2552	Dkbbinig.exe
1352	Dbmkfh32.exe
752	Dfkclf32.exe

Loads dropped DLL 64 IoCs

pid	Process
2992	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe
2992	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe
908	Jnlbgq32.exe
908	Jnlbgq32.exe
2756	Kiecgo32.exe
2756	Kiecgo32.exe
2476	Kmclmm32.exe
2476	Kmclmm32.exe
2820	Klhioioc.exe
2820	Klhioioc.exe
2484	Kfnnlboi.exe
2484	Kfnnlboi.exe
2512	Koibpd32.exe
2512	Koibpd32.exe
436	Kecjmodq.exe
436	Kecjmodq.exe
2120	Ldhgnk32.exe
2120	Ldhgnk32.exe
2256	Lonlkcho.exe
2256	Lonlkcho.exe
564	Lkelpd32.exe
564	Lkelpd32.exe
3020	Lglmefcg.exe
3020	Lglmefcg.exe
1784	Ldpnoj32.exe
1784	Ldpnoj32.exe
1456	Lmhbgpia.exe
1456	Lmhbgpia.exe
1420	Lcdjpfgh.exe
1420	Lcdjpfgh.exe
1976	Mcggef32.exe
1976	Mcggef32.exe
2168	Mpkhoj32.exe
2168	Mpkhoj32.exe
796	Mkgeehnl.exe
796	Mkgeehnl.exe
1780	Mdojnm32.exe
1780	Mdojnm32.exe
2648	Ndafcmci.exe
2648	Ndafcmci.exe
1776	Njnokdaq.exe
1776	Njnokdaq.exe
2216	Njalacon.exe
2216	Njalacon.exe
2044	Ngeljh32.exe
2044	Ngeljh32.exe
1016	Nnodgbed.exe
1016	Nnodgbed.exe
860	Nobndj32.exe
860	Nobndj32.exe
2304	Oodjjign.exe
2304	Oodjjign.exe
2612	Ofobgc32.exe
2612	Ofobgc32.exe
2720	Oiokholk.exe
2720	Oiokholk.exe
836	Obhpad32.exe
836	Obhpad32.exe
2828	Objmgd32.exe
2828	Objmgd32.exe
2636	Okbapi32.exe
2636	Okbapi32.exe
2996	Oqojhp32.exe
2996	Oqojhp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jcgalk32.dll	Lglmefcg.exe
File created	C:\Windows\SysWOW64\Mdkiio32.dll	Njnokdaq.exe
File created	C:\Windows\SysWOW64\Bfdbgnmd.dll	Ngeljh32.exe
File created	C:\Windows\SysWOW64\Ippdloip.dll	Ddbmcb32.exe
File opened for modification	C:\Windows\SysWOW64\Fnjnkkbk.exe	Egpena32.exe
File created	C:\Windows\SysWOW64\Dbmkfh32.exe	Dkbbinig.exe
File created	C:\Windows\SysWOW64\Jnbppmob.dll	Dkbbinig.exe
File opened for modification	C:\Windows\SysWOW64\Kmclmm32.exe	Kiecgo32.exe
File created	C:\Windows\SysWOW64\Kecjmodq.exe	Koibpd32.exe
File created	C:\Windows\SysWOW64\Ndafcmci.exe	Mdojnm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnodgbed.exe	Ngeljh32.exe
File opened for modification	C:\Windows\SysWOW64\Bhkghqpb.exe	Abnopj32.exe
File opened for modification	C:\Windows\SysWOW64\Epcddopf.exe	Ejfllhao.exe
File created	C:\Windows\SysWOW64\Odlkfk32.dll	Egpena32.exe
File created	C:\Windows\SysWOW64\Comhgndh.dll	Obhpad32.exe
File created	C:\Windows\SysWOW64\Bknida32.dll	Qekbgbpf.exe
File created	C:\Windows\SysWOW64\Coladm32.exe	Cceapl32.exe
File created	C:\Windows\SysWOW64\Fdffdghm.dll	Mkgeehnl.exe
File created	C:\Windows\SysWOW64\Eenfifcn.dll	Ammmlcgi.exe
File created	C:\Windows\SysWOW64\Njalacon.exe	Njnokdaq.exe
File created	C:\Windows\SysWOW64\Aldfcpjn.exe	Ablbjj32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmmffgn.exe	Clilmbhd.exe
File created	C:\Windows\SysWOW64\Cceapl32.exe	Cjmmffgn.exe
File created	C:\Windows\SysWOW64\Ogadek32.dll	Epqgopbi.exe
File created	C:\Windows\SysWOW64\Abnopj32.exe	Aldfcpjn.exe
File created	C:\Windows\SysWOW64\Kppegfpa.dll	Bahelebm.exe
File opened for modification	C:\Windows\SysWOW64\Dkbbinig.exe	Dhdfmbjc.exe
File created	C:\Windows\SysWOW64\Kgagag32.dll	Afcdpi32.exe
File created	C:\Windows\SysWOW64\Idcoaaei.dll	Bhkghqpb.exe
File created	C:\Windows\SysWOW64\Oomjld32.dll	Ejfllhao.exe
File created	C:\Windows\SysWOW64\Bocjgfch.dll	Epcddopf.exe
File opened for modification	C:\Windows\SysWOW64\Ppipdl32.exe	Pmkdhq32.exe
File opened for modification	C:\Windows\SysWOW64\Qaablcej.exe	Qldjdlgb.exe
File created	C:\Windows\SysWOW64\Cfgnmg32.dll	Klhioioc.exe
File created	C:\Windows\SysWOW64\Lmhbgpia.exe	Ldpnoj32.exe
File opened for modification	C:\Windows\SysWOW64\Pbepkh32.exe	Padccpal.exe
File opened for modification	C:\Windows\SysWOW64\Jnlbgq32.exe	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe
File opened for modification	C:\Windows\SysWOW64\Ndafcmci.exe	Mdojnm32.exe
File created	C:\Windows\SysWOW64\Pfeeff32.exe	Ppipdl32.exe
File created	C:\Windows\SysWOW64\Oiokholk.exe	Ofobgc32.exe
File created	C:\Windows\SysWOW64\Qobbcpoc.dll	Padccpal.exe
File opened for modification	C:\Windows\SysWOW64\Afcdpi32.exe	Anhpkg32.exe
File created	C:\Windows\SysWOW64\Qekbgbpf.exe	Pfeeff32.exe
File created	C:\Windows\SysWOW64\Fnpgnoqb.dll	Abnopj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgeehnl.exe	Mpkhoj32.exe
File created	C:\Windows\SysWOW64\Hajdhd32.dll	Pmkdhq32.exe
File opened for modification	C:\Windows\SysWOW64\Pfeeff32.exe	Ppipdl32.exe
File created	C:\Windows\SysWOW64\Cgjgol32.exe	Boobki32.exe
File opened for modification	C:\Windows\SysWOW64\Bimphc32.exe	Bhkghqpb.exe
File opened for modification	C:\Windows\SysWOW64\Mcggef32.exe	Lcdjpfgh.exe
File opened for modification	C:\Windows\SysWOW64\Amhcad32.exe	Qaablcej.exe
File created	C:\Windows\SysWOW64\Hmekdl32.dll	Anhpkg32.exe
File created	C:\Windows\SysWOW64\Ibmkap32.dll	Lkelpd32.exe
File created	C:\Windows\SysWOW64\Ppaloola.dll	Cgjgol32.exe
File created	C:\Windows\SysWOW64\Mkjhmf32.dll	Mpkhoj32.exe
File opened for modification	C:\Windows\SysWOW64\Coladm32.exe	Cceapl32.exe
File created	C:\Windows\SysWOW64\Hcgqbmgm.dll	Kmclmm32.exe
File opened for modification	C:\Windows\SysWOW64\Kfnnlboi.exe	Klhioioc.exe
File opened for modification	C:\Windows\SysWOW64\Lonlkcho.exe	Ldhgnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cceapl32.exe	Cjmmffgn.exe
File created	C:\Windows\SysWOW64\Obffbh32.dll	Kiecgo32.exe
File created	C:\Windows\SysWOW64\Lonlkcho.exe	Ldhgnk32.exe
File opened for modification	C:\Windows\SysWOW64\Nobndj32.exe	Nnodgbed.exe
File created	C:\Windows\SysWOW64\Phbleodi.dll	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
784	2376	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klhioioc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndafcmci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcdpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiecgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldhgnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njalacon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqojhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppipdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecjgio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oodjjign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aldfcpjn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnodgbed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiokholk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbepkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qekbgbpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepmlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmclmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammmlcgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdfmbjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkdhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kecjmodq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkelpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldpnoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcggef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obhpad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anhpkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgjgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfnnlboi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddbmcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efffpjmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbbinig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofobgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padccpal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abnopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbmkfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nobndj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkghqpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okbapi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpkhoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnokdaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeeff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablbjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efoifiep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lglmefcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pglojj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeaei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahelebm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djoeki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcofica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcdjpfgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objmgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qldjdlgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaablcej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilmbhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cceapl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddppmclb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdojnm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obffbh32.dll"	Kiecgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klhioioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogiamne.dll"	Lonlkcho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobffp32.dll"	Okbapi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbleodi.dll"	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njalacon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aldfcpjn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecjgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejcofica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgeehnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahme32.dll"	Objmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afcdpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaloola.dll"	Cgjgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doejph32.dll"	Ckhpejbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lonlkcho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgldklaj.dll"	Njalacon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qekbgbpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkoop32.dll"	Boobki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgnmg32.dll"	Klhioioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanhfpff.dll"	Ldhgnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbppmob.dll"	Dkbbinig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecjgio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efoifiep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmclmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kecjmodq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofobgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppipdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjond32.dll"	Ddppmclb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhhkobjh.dll"	Mdojnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nliqma32.dll"	Cjmmffgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pglojj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hajdhd32.dll"	Pmkdhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afcdpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpbkhabp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkgldm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmhbgpia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaeddino.dll"	Koibpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfnnlboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qldjdlgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ammmlcgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahelebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnlbgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lonlkcho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnpf32.dll"	Nobndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcggef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcggef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgeehnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amhcad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppegfpa.dll"	Bahelebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmhbgpia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmclmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdffdghm.dll"	Mkgeehnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkiio32.dll"	Njnokdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefqbobh.dll"	Qldjdlgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abnopj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 908	2992	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe	30
PID 2992 wrote to memory of 908	2992	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe	30
PID 2992 wrote to memory of 908	2992	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe	30
PID 2992 wrote to memory of 908	2992	00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe	30
PID 908 wrote to memory of 2756	908	Jnlbgq32.exe	31
PID 908 wrote to memory of 2756	908	Jnlbgq32.exe	31
PID 908 wrote to memory of 2756	908	Jnlbgq32.exe	31
PID 908 wrote to memory of 2756	908	Jnlbgq32.exe	31
PID 2756 wrote to memory of 2476	2756	Kiecgo32.exe	32
PID 2756 wrote to memory of 2476	2756	Kiecgo32.exe	32
PID 2756 wrote to memory of 2476	2756	Kiecgo32.exe	32
PID 2756 wrote to memory of 2476	2756	Kiecgo32.exe	32
PID 2476 wrote to memory of 2820	2476	Kmclmm32.exe	33
PID 2476 wrote to memory of 2820	2476	Kmclmm32.exe	33
PID 2476 wrote to memory of 2820	2476	Kmclmm32.exe	33
PID 2476 wrote to memory of 2820	2476	Kmclmm32.exe	33
PID 2820 wrote to memory of 2484	2820	Klhioioc.exe	34
PID 2820 wrote to memory of 2484	2820	Klhioioc.exe	34
PID 2820 wrote to memory of 2484	2820	Klhioioc.exe	34
PID 2820 wrote to memory of 2484	2820	Klhioioc.exe	34
PID 2484 wrote to memory of 2512	2484	Kfnnlboi.exe	35
PID 2484 wrote to memory of 2512	2484	Kfnnlboi.exe	35
PID 2484 wrote to memory of 2512	2484	Kfnnlboi.exe	35
PID 2484 wrote to memory of 2512	2484	Kfnnlboi.exe	35
PID 2512 wrote to memory of 436	2512	Koibpd32.exe	36
PID 2512 wrote to memory of 436	2512	Koibpd32.exe	36
PID 2512 wrote to memory of 436	2512	Koibpd32.exe	36
PID 2512 wrote to memory of 436	2512	Koibpd32.exe	36
PID 436 wrote to memory of 2120	436	Kecjmodq.exe	37
PID 436 wrote to memory of 2120	436	Kecjmodq.exe	37
PID 436 wrote to memory of 2120	436	Kecjmodq.exe	37
PID 436 wrote to memory of 2120	436	Kecjmodq.exe	37
PID 2120 wrote to memory of 2256	2120	Ldhgnk32.exe	38
PID 2120 wrote to memory of 2256	2120	Ldhgnk32.exe	38
PID 2120 wrote to memory of 2256	2120	Ldhgnk32.exe	38
PID 2120 wrote to memory of 2256	2120	Ldhgnk32.exe	38
PID 2256 wrote to memory of 564	2256	Lonlkcho.exe	39
PID 2256 wrote to memory of 564	2256	Lonlkcho.exe	39
PID 2256 wrote to memory of 564	2256	Lonlkcho.exe	39
PID 2256 wrote to memory of 564	2256	Lonlkcho.exe	39
PID 564 wrote to memory of 3020	564	Lkelpd32.exe	40
PID 564 wrote to memory of 3020	564	Lkelpd32.exe	40
PID 564 wrote to memory of 3020	564	Lkelpd32.exe	40
PID 564 wrote to memory of 3020	564	Lkelpd32.exe	40
PID 3020 wrote to memory of 1784	3020	Lglmefcg.exe	41
PID 3020 wrote to memory of 1784	3020	Lglmefcg.exe	41
PID 3020 wrote to memory of 1784	3020	Lglmefcg.exe	41
PID 3020 wrote to memory of 1784	3020	Lglmefcg.exe	41
PID 1784 wrote to memory of 1456	1784	Ldpnoj32.exe	42
PID 1784 wrote to memory of 1456	1784	Ldpnoj32.exe	42
PID 1784 wrote to memory of 1456	1784	Ldpnoj32.exe	42
PID 1784 wrote to memory of 1456	1784	Ldpnoj32.exe	42
PID 1456 wrote to memory of 1420	1456	Lmhbgpia.exe	43
PID 1456 wrote to memory of 1420	1456	Lmhbgpia.exe	43
PID 1456 wrote to memory of 1420	1456	Lmhbgpia.exe	43
PID 1456 wrote to memory of 1420	1456	Lmhbgpia.exe	43
PID 1420 wrote to memory of 1976	1420	Lcdjpfgh.exe	44
PID 1420 wrote to memory of 1976	1420	Lcdjpfgh.exe	44
PID 1420 wrote to memory of 1976	1420	Lcdjpfgh.exe	44
PID 1420 wrote to memory of 1976	1420	Lcdjpfgh.exe	44
PID 1976 wrote to memory of 2168	1976	Mcggef32.exe	45
PID 1976 wrote to memory of 2168	1976	Mcggef32.exe	45
PID 1976 wrote to memory of 2168	1976	Mcggef32.exe	45
PID 1976 wrote to memory of 2168	1976	Mcggef32.exe	45

C:\Users\Admin\AppData\Local\Temp\00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe
"C:\Users\Admin\AppData\Local\Temp\00b8d3b1d39de6858f0b10bb64528287d011c90fd97c634c0d8531f3b39224b4N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\Jnlbgq32.exe
  C:\Windows\system32\Jnlbgq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\Kiecgo32.exe
    C:\Windows\system32\Kiecgo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\Kmclmm32.exe
      C:\Windows\system32\Kmclmm32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\SysWOW64\Klhioioc.exe
        
        C:\Windows\system32\Klhioioc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Kfnnlboi.exe
        
        C:\Windows\system32\Kfnnlboi.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Koibpd32.exe
        
        C:\Windows\system32\Koibpd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Kecjmodq.exe
        
        C:\Windows\system32\Kecjmodq.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Ldhgnk32.exe
        
        C:\Windows\system32\Ldhgnk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Lonlkcho.exe
        
        C:\Windows\system32\Lonlkcho.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Lkelpd32.exe
        
        C:\Windows\system32\Lkelpd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Lglmefcg.exe
        
        C:\Windows\system32\Lglmefcg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ldpnoj32.exe
        
        C:\Windows\system32\Ldpnoj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Lmhbgpia.exe
        
        C:\Windows\system32\Lmhbgpia.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Lcdjpfgh.exe
        
        C:\Windows\system32\Lcdjpfgh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Mcggef32.exe
        
        C:\Windows\system32\Mcggef32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Mpkhoj32.exe
        
        C:\Windows\system32\Mpkhoj32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Mkgeehnl.exe
        
        C:\Windows\system32\Mkgeehnl.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Mdojnm32.exe
        
        C:\Windows\system32\Mdojnm32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Ndafcmci.exe
        
        C:\Windows\system32\Ndafcmci.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Njnokdaq.exe
        
        C:\Windows\system32\Njnokdaq.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Njalacon.exe
        
        C:\Windows\system32\Njalacon.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Ngeljh32.exe
        
        C:\Windows\system32\Ngeljh32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Nnodgbed.exe
        
        C:\Windows\system32\Nnodgbed.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Nobndj32.exe
        
        C:\Windows\system32\Nobndj32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Oodjjign.exe
        
        C:\Windows\system32\Oodjjign.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Ofobgc32.exe
        
        C:\Windows\system32\Ofobgc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Oiokholk.exe
        
        C:\Windows\system32\Oiokholk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Obhpad32.exe
        
        C:\Windows\system32\Obhpad32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Objmgd32.exe
        
        C:\Windows\system32\Objmgd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Okbapi32.exe
        
        C:\Windows\system32\Okbapi32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Oqojhp32.exe
        
        C:\Windows\system32\Oqojhp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Pglojj32.exe
        
        C:\Windows\system32\Pglojj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Padccpal.exe
        
        C:\Windows\system32\Padccpal.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Pbepkh32.exe
        
        C:\Windows\system32\Pbepkh32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Pmkdhq32.exe
        
        C:\Windows\system32\Pmkdhq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Ppipdl32.exe
        
        C:\Windows\system32\Ppipdl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Pfeeff32.exe
        
        C:\Windows\system32\Pfeeff32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Qekbgbpf.exe
        
        C:\Windows\system32\Qekbgbpf.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Qldjdlgb.exe
        
        C:\Windows\system32\Qldjdlgb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Qaablcej.exe
        
        C:\Windows\system32\Qaablcej.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Amhcad32.exe
        
        C:\Windows\system32\Amhcad32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Anhpkg32.exe
        
        C:\Windows\system32\Anhpkg32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Afcdpi32.exe
        
        C:\Windows\system32\Afcdpi32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Ammmlcgi.exe
        
        C:\Windows\system32\Ammmlcgi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Afeaei32.exe
        
        C:\Windows\system32\Afeaei32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\Ablbjj32.exe
        
        C:\Windows\system32\Ablbjj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\Aldfcpjn.exe
        
        C:\Windows\system32\Aldfcpjn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Abnopj32.exe
        
        C:\Windows\system32\Abnopj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Bhkghqpb.exe
        
        C:\Windows\system32\Bhkghqpb.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Bimphc32.exe
        
        C:\Windows\system32\Bimphc32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Bahelebm.exe
        
        C:\Windows\system32\Bahelebm.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Boobki32.exe
        
        C:\Windows\system32\Boobki32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Cgjgol32.exe
        
        C:\Windows\system32\Cgjgol32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Cpbkhabp.exe
        
        C:\Windows\system32\Cpbkhabp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Ckhpejbf.exe
        
        C:\Windows\system32\Ckhpejbf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Clilmbhd.exe
        
        C:\Windows\system32\Clilmbhd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Cjmmffgn.exe
        
        C:\Windows\system32\Cjmmffgn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cceapl32.exe
        
        C:\Windows\system32\Cceapl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Coladm32.exe
        
        C:\Windows\system32\Coladm32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        61⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Dhdfmbjc.exe
        
        C:\Windows\system32\Dhdfmbjc.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Dkbbinig.exe
        
        C:\Windows\system32\Dkbbinig.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Dbmkfh32.exe
        
        C:\Windows\system32\Dbmkfh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        66⤵
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ddppmclb.exe
        
        C:\Windows\system32\Ddppmclb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Djoeki32.exe
        
        C:\Windows\system32\Djoeki32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        70⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\Efffpjmk.exe
        
        C:\Windows\system32\Efffpjmk.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Ecjgio32.exe
        
        C:\Windows\system32\Ecjgio32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Ejcofica.exe
        
        C:\Windows\system32\Ejcofica.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        74⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Eepmlf32.exe
        
        C:\Windows\system32\Eepmlf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1440
        
        C:\Windows\SysWOW64\Efoifiep.exe
        
        C:\Windows\system32\Efoifiep.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 140
        83⤵
        Program crash
        
        PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ablbjj32.exe

Filesize
64KB

MD5
a922815c842e48bea208a5de6c91e16f

SHA1
321cf0dd3f8e7647f5921b560695e3f6e94a9c82

SHA256
c0962db0140739ecd4f7f2cbcb61b4b6c4b95a2f26f52ee858db8830b3db588c

SHA512
198ce67dad13d472ec36165519fc652ab857c8ada7e831b5a92ee279df89466651a203c3209c3d1eb7b5f3b2a76f8c97db373e293e5fb3d7916c376ed6ed2c7b

Download Submit
C:\Windows\SysWOW64\Abnopj32.exe

Filesize
64KB

MD5
d84115fe0ebd7485bad298f1b7b8faa3

SHA1
c5418e5d3478e34b583503471e7ee73b228451ac

SHA256
61023924fb5900fdde02041598511fe6c33fce988ea8a9a9ec22e76a86da3ad2

SHA512
c50d73194be0c5b1bf52aec0d604258ce63b4b0cf5a26602b3e23cc0183da68aa708df47348f7d3fdcd6a22862d5cf2c83df8c39ff0a7c8da7dbe157b61aff5f

Download Submit
C:\Windows\SysWOW64\Afcdpi32.exe

Filesize
64KB

MD5
5bccf0e9a1cfc3570114d3f089a370ba

SHA1
59342a675d0a4456bb5b07aa6dfd840145e0a54c

SHA256
4e1c6533032f48f1b3c9729b0eec8298c5db9ba58f7309b03221dad808f5adef

SHA512
7b2b9e675512c857114687401a0335e9cde4c7d8f3f293fb3f4108225c7c00771a00de5ce8d4bb924ec6422f1259e038ffe5c73d61b4e2d0e815f24bb067c24f

Download Submit
C:\Windows\SysWOW64\Afeaei32.exe

Filesize
64KB

MD5
27aca5577b4f64fdc3e5a3968922c256

SHA1
5635fae85d2da484432f1b09346c5a86cec7aa94

SHA256
87e9aa1a4a20e64f58d90d8d977a60041719d954e2a7de4a126d8be9061c2449

SHA512
f073ccfd2261f8b490a802ba91a266b61dfbb663992b0a34c9d4645102fec7f569701dae235b15427618ed3e77c24939a1501f578e1618b11b2d0c376daef470

Download Submit
C:\Windows\SysWOW64\Aldfcpjn.exe

Filesize
64KB

MD5
a720bcdc8f6efa31099ec849c7cde710

SHA1
4b7f3a08ef13b0f9929eed775055ed75f011a9d0

SHA256
60b92cb5119553282f71b2e95dd6b9ba70c38e62fe3074ec58e568929d1f6cec

SHA512
c2e0db3c45fc5622b3bbbde1096fd11263852a65751382b1bec650382131a007a733b93a32fda59a195908a53f281b5e1bec31b3e020e029ee7b2020e077ff77

Download Submit
C:\Windows\SysWOW64\Amhcad32.exe

Filesize
64KB

MD5
1f6bf392fb7be56499c9314561e6034b

SHA1
3426bad30252ce32a96b11d8e6938358603ed99d

SHA256
16436734c05c372865c32d2917cf1fb474bfd4ed9cb48f16a36c1689403346fe

SHA512
e4654d8820a15a022fc66763d89205b6ab87275d32bf67b0b5ce1ae5356f292eaf2e2bfa51fa0b957c8d98505ca5c7d790fb0adf2974d69bfb18c51667acedd7

Download Submit
C:\Windows\SysWOW64\Ammmlcgi.exe

Filesize
64KB

MD5
7d92068af23a8aa1e193aa167d0b4f52

SHA1
ec5e890534bba26c699f1e317d6bd98646ed16f5

SHA256
edd2c2fe227d6055feceeb7418ab0000784ddff2f95a3385b3b63d565296ef1d

SHA512
5531db1b010c4f3e6d765e7cd5653ec638a1c3da6914cfe50db1f389fd67e49f578985779794466dcf27d1e599b9a860b6fa5965fa36917ac235098741df7c39

Download Submit
C:\Windows\SysWOW64\Anhpkg32.exe

Filesize
64KB

MD5
79a882d50b486d5c876c8fa190c4625c

SHA1
7b7edc72cb5e7b81bd009ce73acbb1054b3916c7

SHA256
184e91807a906d310f593bad61412e94149725d6667c62a2fe94ff6dd603e939

SHA512
48ba82a31359b1b68944f24db7e6984267127ea1e8a49cdd8b73a69ed4891324dadb1e665ad69c1509a199d07099d3bce6128e81d65fccc07ade503aad10f8fb

Download Submit
C:\Windows\SysWOW64\Bahelebm.exe

Filesize
64KB

MD5
aff6fabccc4bc87ecaf4ccea5c2b84d7

SHA1
6a4d8554a7e3b9f07bfd00d86cccc3920ab7b96f

SHA256
098dbbe8bb62e2cc2d2198586dc7a8a837c0eb1363b10319594e66560de7de37

SHA512
99864cd13d00fe85eac5a22a2879b3afff9ec9e5675bd4d5eaf509b5028194145b932c3453bf77fa3becef9d3274006d8c1b8f9ef18eecf092f1aa357d52b290

Download Submit
C:\Windows\SysWOW64\Bhkghqpb.exe

Filesize
64KB

MD5
e6f488d8c22429e57154a7cc5eea8efc

SHA1
c97f10b8842410e1c7006f8d0c6a188e95a6a5ea

SHA256
835d3d702f2a2f3426cd4e8c3a47330ae42b81e58ae33a640d67622279701251

SHA512
e8c9f0281a40698491d6cc67acb9bb7ad7d243b9fdf231feba969f00c1fecd9f7ee86f3558f8f5bd9fb09b5f2769b1ab8a3367e4ed71c054defd0a9d1836d98d

Download Submit
C:\Windows\SysWOW64\Bimphc32.exe

Filesize
64KB

MD5
54de4f403f661fd4fbdd19926466ac98

SHA1
3815f51bcea95708ba3b557717032c777bf1d954

SHA256
74bf52419e781fc10444fe5ab7f678b590dbe65e085427ff3063c08f124d72bc

SHA512
82f3b9b5e8db6384273b450b907ff784ac40f1204c2fb2f3e377f0d08fa51fb8a108891a81edd27fab671b214d70ecaf2fa71d7c29f2a8e5cd97a1ad769e750b

Download Submit
C:\Windows\SysWOW64\Boobki32.exe

Filesize
64KB

MD5
481ff1f31eae3a38feb41eb1c91eb845

SHA1
bc70903a193e8b835aeae215f75d7a96dad23e42

SHA256
1b75334047e34a5da777b88857d4883f7919707692d4555d8bd4ccdeed75a784

SHA512
41b6a9603817b0b329fa6ca542516f83a9cd39462273f9c80d9b66e6ac441cb7731bd432493a8b4ba6885771e62674ea950ce3b78708a13328668f93001d4468

Download Submit
C:\Windows\SysWOW64\Cceapl32.exe

Filesize
64KB

MD5
2d59603d545fe33f8b74044c2a238863

SHA1
195bc393cf70a1241ec6b5fba08ec34a42f1e4ec

SHA256
d63bb65b64aeaecaa8a94b4b2552dc10c728b6e1ee8dcf774348d1cc3d3cefd5

SHA512
8889da7f84b34aea94bb1d78451391ad36d5a3088d135e1eccbe60a2e0df2b7e4f56a2ac2f63e895a2715bb197738f7bd5f0f9865340715955d87bb72ceacb1c

Download Submit
C:\Windows\SysWOW64\Ccgnelll.exe

Filesize
64KB

MD5
311c4a434ba121698f0b3945e57e1069

SHA1
0e42626b56ff0dcd96d8d3a87fffb3717bee4683

SHA256
c418bf5e5c6a225723cf172cf78afaa32f8de7c30bb7d2998f16cec673acdda1

SHA512
45f0249c0e0c50c0334ba967660a219dd2d37a5f8f911b42f2a942e5256c1ff2fe4ee19603210d17c32f3af8f03a080f072d32e45fa3a3598c124035a1cf6832

Download Submit
C:\Windows\SysWOW64\Cgjgol32.exe

Filesize
64KB

MD5
e81968a5d4d8239febe7ad29be9eddb3

SHA1
97f673140cb363a8a19e09b82a6a22858ff37c62

SHA256
55753719591b881468deb2fa42f43a6fa0a75da8419dabdd8afc4e2e9b479f53

SHA512
5a96e51a104228b393a7e6ecc1bfd059e024c78c11631a7dd7590a4572cb9828d422a372b063ca39a5b1764461b4b7c0889a66bc9b214b1041b2a09ecfc66044

Download Submit
C:\Windows\SysWOW64\Cjmmffgn.exe

Filesize
64KB

MD5
eb18c819e3fcc2c0a6bdbe1f820fde59

SHA1
e4b3e8aec294211c97a1b0bdcf1c693880f94752

SHA256
eee28644b24b4d210318805bba37d827ad7a76621f4e53baaa9b272ff14112ae

SHA512
650ee03be7cfc5e7e91669b8c1d3c414da1bc106b84c969fb73b36fa8f46ed214861c1e58f10d0ef6865dd433e6b568818b8de7e466d1c703e184ed0a584c7af

Download Submit
C:\Windows\SysWOW64\Ckhpejbf.exe

Filesize
64KB

MD5
8d0c38a429d9d78115be9358363e51f8

SHA1
36f7be8e948498d7903a53899f2dd8443c30a336

SHA256
8c95575a546970e24583beca3da00a9caad09bc07ca39a613224f394e594ff10

SHA512
3428823bc614b84843f020be51b4a15e102331b8c0a70dc065c27ef1dcebb411c382ea206f3ccdb62c053d0a2ee75426de28a3217689addf883e94a9923fcf2e

Download Submit
C:\Windows\SysWOW64\Clilmbhd.exe

Filesize
64KB

MD5
2017450ce2fa5a6bb28d59771bc45837

SHA1
dbf4eb8f79e2a87a061dbafc0f61781e4375fb6a

SHA256
d6f0cb55e519aab7440c685a503b4ea2e82c0f95deb7809af10fc7dedbf45f7e

SHA512
0d0f05e9cefa2f93918251186f733aa4b6a131800134e11550fd07c796577c4a158b50ff0f63bf4cd10bb1b7256ffbd9887f39f06ecfdf653491917de494239f

Download Submit
C:\Windows\SysWOW64\Coladm32.exe

Filesize
64KB

MD5
5f72f9d60a76edb69f3b7a338a79b6f9

SHA1
6874b0bff2bf9568ea350f0475ae6b00e7517016

SHA256
a43bbf77299df427df85844003eda50147c41eebefaf85a60a82e0f6aa119d78

SHA512
e89076d2700e1fd8e43108d91b27635ad1ba8f578c0db54f764a4c34f997a0f4ab4eb02df817af0bd2ce4679e2ff1e851a91f6ab9fc20136bef5a87041bd488f

Download Submit
C:\Windows\SysWOW64\Cpbkhabp.exe

Filesize
64KB

MD5
802dcfdbcd33635cd191b4a8d7c95d0e

SHA1
f43eb96b01c0b33caf04fb728528ce3100c267b3

SHA256
6700b13d6e999ef69c89dd58f6b0fea3abc09c3965bbee4766970f2e6ee3dc26

SHA512
7de7278e28bb2e68f5ea165cde69113369661f56821d42f2985bed4a303061ceb2bf05573e76829c9237b7173d9e00d9ba85a635faf6ec9976805a0eb17e385e

Download Submit
C:\Windows\SysWOW64\Dbmkfh32.exe

Filesize
64KB

MD5
18fe0ae10c4671bed329d5cba0559c59

SHA1
00fe465c923bcb4da6e8f6821e896dd5653ac73b

SHA256
a4cc217269452f0be8808396531cfe3585518d5f62f792a8d26419428100597b

SHA512
2007ebab93168d2c97c61f1edfbc60bb21f5bcdb83ce2c02b1b2ac73be2c16a129e14724ac92feecd9d9014d5e66923c4bd9a91e86d1ee611eb98b5317b35b12

Download Submit
C:\Windows\SysWOW64\Ddppmclb.exe

Filesize
64KB

MD5
d283da811b31d8a4d0c7423ac492c731

SHA1
2e51d158cc8ce18d7dc7498cea3fdfb828042748

SHA256
2a70eb14a0d3382c94d152acb3085b96b51eb0170224ae9047b49c7cb223323e

SHA512
00038f42ee5dee06ceac9d868341d92cebba2c80c23be3964b4e3fc1382fb57140c3da0f91fb3c9828b4fac92e462425015221d78f0dc22d7ef204f079b8435f

Download Submit
C:\Windows\SysWOW64\Dfkclf32.exe

Filesize
64KB

MD5
8aaea8447c5840b06fbe0c769e14a5f8

SHA1
63dc1bd87238545c2164adbf432013bcfafb0f49

SHA256
0c28b99e556b7476072c6d1ad4fbc73e606e1def882c998250e4543f006d675e

SHA512
2f377155e164f7586fb50e69fcd27cbf99c6c340231e0bca80bc92377731576124600d7540763dbfcc8707cf6fdca5141c488f8387350661cdb9f4828133ba2c

Download Submit
C:\Windows\SysWOW64\Dhdfmbjc.exe

Filesize
64KB

MD5
0036d9f6df73c06165c8342bba53508a

SHA1
0f36137986f5571478fd6e8a571f504040c93c5a

SHA256
a1e8387d1c62d334ae8a13638bac2d24b6b0c7ae1091fa7d96ca2eabf839c273

SHA512
7b2483c17d4ba62263728652705f42f832e9963c325f3a07a09ff3b7f451eaa867040d1f80d4cffc99cdebdb6cc70df89398df97acaaf99f922ea29aac942330

Download Submit
C:\Windows\SysWOW64\Djoeki32.exe

Filesize
64KB

MD5
6207a4d643e3020b6246a43850889741

SHA1
a30e325494338974a63e5763d2d65aeea6f392f2

SHA256
0615206685626155e573c99c27448a7054c0dd9634a7055508433fc540751da9

SHA512
bcd939984f0c8e107733bec2f0c79e4ff1fcb2202f75465774d60fe0d53ce7613a5b0cdbbd7295f1a4d5e4efbc9d2bb1290d02488fee71d36ecf8ae3b4888107

Download Submit
C:\Windows\SysWOW64\Dkbbinig.exe

Filesize
64KB

MD5
9319a9eecb56d974732306aa4e00f38a

SHA1
d2bbaadd69c2f4943948d0c036a812f7f6b92106

SHA256
111d27c22a7073a6b97369307e5f1e8f540a278228b831bd728cc0287c392853

SHA512
1c4457acd4b8c973e11dfe265c0e6655d6032c0781de9313d747b1f591f63fd4bb9b5dc2b3b37fb0e465ba3c6415b49fb80e0ae21424cba5e309d4cc7c337d0f

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
64KB

MD5
2a0e50db242bad224e49f7388d374e04

SHA1
3ebd9cdb4cb561ba6ad9189f8ff2ec79e415f102

SHA256
4e889f1616036974ceb03a8c15e2bbe68b594bc4a1e32dbbcd4c919ef404727b

SHA512
a4dc0c54edc96a2ebd4af7637e2cf57818a9b6bd9a68ff89d5ec0c3e5aeab7b9cd1adb838570e20f89be0cdf70c6fb252fe4c59ff6af21edcaad10a3a863cd74

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
64KB

MD5
1590ba4443a9859a63aebcedcad98f49

SHA1
c998aec83308f566fc5c75e295306ca312a61313

SHA256
973781064fcc41d82926869d40843abc2f10c0cbfc46798ea97fb58424f51240

SHA512
9a60f317928aaa22f029442d67b093202b03ef1220009a1c6e411cf0a307575fdfe9f8aba764abc6c634252d306cb696c18a7f31d3648ff8892910cdc87d47e0

Download Submit
C:\Windows\SysWOW64\Ecjgio32.exe

Filesize
64KB

MD5
5877c60fb668fb9b6529c30c0e200b0e

SHA1
9d7f3e2673f5300457f78a2029fcd82ef68f9b43

SHA256
b53972d22d198ffb4f22da34402b7066fd00ce27f0a03eeae7c8ae41858505df

SHA512
3d40be9a97783d07362c9fd9c1001db0e38ca2064bacd365d78d1c28527fe5f4905d3b7f3f892129a1ce430f232d8d9009b21b94993bb39a78c070239095fc2f

Download Submit
C:\Windows\SysWOW64\Eepmlf32.exe

Filesize
64KB

MD5
0d4b6617ceb9056f2d4a6b5396d6ab04

SHA1
b31442248b233e2fe837b4781d695b980062c268

SHA256
983efd79c433eb517f9b12e3da324316a2a73ac5b5b841053ddfd0deef3ddd66

SHA512
59324d180f968449d0055872fd410ba72b9b942b6861cb1441a42c2e8788609af5c6827a7780d76f37f05a46d8f25b958784d759fe389abc922a859e164f3b7e

Download Submit
C:\Windows\SysWOW64\Efffpjmk.exe

Filesize
64KB

MD5
2900fda3a82b562583de8d1f6aae59a7

SHA1
b969dbdf0273157c74ca7537c14c190c2b9a3f14

SHA256
019ae38fa519c8c01b01a3f2c011ba7a1325a8487d3230f2d149fbdb156e3d42

SHA512
144a0796f2dc4def6906af28cea2ada6e476f195dbd365500a9a47c67359d36f2ee322a874964577ac8b298101edd9d9cde3db9f0569b0ecd0dab52f893ce09f

Download Submit
C:\Windows\SysWOW64\Efoifiep.exe

Filesize
64KB

MD5
d8ebc9034027d37b633042e75f152f21

SHA1
cc2421ede135130ad518ce37a8df21d342af0850

SHA256
6c81b00854022f5b464f5ff461f992c496152d623c74401dabf65c10db024502

SHA512
4a09de2c4b3350adc4d3c5e3efdc1fd57a5e9e06c978bc79e4890668f99657e98c88a8a7f5b69e92a8678d59c3978ecd627f78c2b047105e9fbfd09cddd550b1

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
64KB

MD5
8b2886c1760d89802a0479cd0416e7cb

SHA1
07ddca67931f5d1a66752e203fa2966c56d3e24b

SHA256
d1c877d2b5b9cad7d03efb444ef7dca6a0d24fd7a777d4ab26408e49d0e4d2c2

SHA512
fa3e4683cbcfe66707b52c930b554587431dceb31135e73bd8bcb9e8f6d22f56a3ebb0565663c80cd376a1b27c85b588bf8c5f1acebe3a1203a1ff20c08bb375

Download Submit
C:\Windows\SysWOW64\Ejcofica.exe

Filesize
64KB

MD5
5260924dd15aa6325ab4817d9d77f8d5

SHA1
a99d453b9f2f4ae0af4496fe0088c676251d5752

SHA256
bef57ad614ed319251ff06b4ea47c8cf857568c29c2933f08a0aac0426c2e13e

SHA512
65b5e416b25d3af06894a2f7a7ffdf884cfef7f1b5f05d4f2e0ec8e4f78931d88c986081cb14ce9802e93d1f4b0bfd52fe7f1c2429a29e8e8aca5bc55782dd0a

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
64KB

MD5
31ceacce4c5fc0237837e08bb6f5e03f

SHA1
fecb2678210e198d7f3316b89825acc653f4bcf3

SHA256
195deef8b732353f1afa7bd2e752ca376e0f168a4d47bea64c39bd087eda4318

SHA512
9cddac952e0153251668888e690ac7683fa026cba6e185b1fca5e2fef03b38acf13250805955b88e3d08ca2cc415026e4d45c513dd82b0efaacb754b1c25b758

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
64KB

MD5
0b4a803b7117740c868e8711efcec5a9

SHA1
f541a8cac6cfc7175a4e156feeda2b125b59ff4b

SHA256
031861765df5351e04ecc4e0d6b4e60313ca46c553c15a61f6f49792dc0c20d9

SHA512
e0fb9f3fb5160bb404760af1cfb56e8baf94de53c2c7ff643b31331038fb620ce5cc3a6dcb89d5c2d8bdefd69ae63df31f08382d2a422b06bd631a761b542b43

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
64KB

MD5
f18954a672951137a86b448326877c45

SHA1
f6fc6d44e497c009f90994e6f34e25c5447cc99e

SHA256
e8e49e8bcbec68cfa1d55b378f751c38c2f77baff54e46a2fdf9717c49732900

SHA512
bd2aff34fc9acefb92f3673e0fc82d7db89d0d49700b2bb9443e5641ef4a1a6609ebe6e503b0dad07c74b1a662aa5381867016db27d5dcd65220ce90c701e05b

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
64KB

MD5
d2fd381603f89efcc65ce4f88ba3f8c4

SHA1
70e24e115c1ba8a78f0c8774e47ba37488a0925d

SHA256
43949261fc093b342fea5150c2c47f109fedaa5d53814cfa0b7f478a66295b29

SHA512
b10b61dafc285bbf05fc28eb4b7f7f05b322e7a1a1f354d1c8cf5ee7b6ddd361f43e2822f86fce08a12577e1692685b473c6da972bc0fdad4e2a1b9a46529672

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
64KB

MD5
1239f09bc8005ad522a0c4f0d8136605

SHA1
df2c76acb2194905b79ba55746de224faea15e4e

SHA256
0db35b59cc5910ce720e54e7a372bffed56748a9cbe4a886ccdfe7ac77114230

SHA512
c9f62edd5a10056098a93aa7414d671f137cc4ad100f5f50a723cbab246d8218268ee2b076984ce98f66f30eddedeeeeca9ec59f7d76bb157232c0bf25f1453c

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
64KB

MD5
209b3cc1c59f60c4a60397ab8e00627a

SHA1
420beab76797ae847a9611a3976ca0ab0fbff536

SHA256
71149d69eda3cd43c8910fb5e278c01018a0ab4293a9275ec7644857333cb23c

SHA512
a4f62408d3a92a15e6da732a4fa3c0a68b8a4717c2c1de8b01b79e82e3f85af213618ad7f6b9921a7dc7333cc71dd569b2b665a358a4456580c40a3c95f6b9a0

Download Submit
C:\Windows\SysWOW64\Mdojnm32.exe

Filesize
64KB

MD5
3e237dec503429a21a26dd27be2c464f

SHA1
1d7fe4675a4cbcc68e6fdf754bad432f7f19f040

SHA256
0f81aa91ca284d3ceb80e83b6303c665a09e4d793753140f1f5eef6f44290346

SHA512
9a490090e9b2435382ebbe625d3e9807c32965b99acda81851a30c14c829903b5a8b094fb1ee0400e06054b7ed4da2dcf490d607a0b59a680338d4cbff1f012c

Download Submit
C:\Windows\SysWOW64\Mkgeehnl.exe

Filesize
64KB

MD5
d03c8d7864bc311ddd789eab4a4797c8

SHA1
eb10067b6d9b9bd92560141ff6fc76fb43eb781c

SHA256
cb105690a23bb00cbac8f0aa63bd976a7555ab5c240b5143a848c3242b407599

SHA512
edf12d01c3e2aa178d4054ede1d79975995c5d5997365463cc52e2edda6c07d02d1ac11f4add49502bbbd2201d7c29938eb981aaaa820337bf05d3bd982ee82d

Download Submit
C:\Windows\SysWOW64\Ndafcmci.exe

Filesize
64KB

MD5
5b286f48ba3d8c61ea6e5a6770da8a18

SHA1
8fde20ea78370c5f776cac3e5dd64b04d08443d3

SHA256
9469689dfe74c439ef5c9fa5c2ea6f28a0be29ac0992b8ae3e9caf8134789c95

SHA512
42eafcf3797acd4eaf093d485e6afb88a7b0fa3b4345d66809c512279563afe0490af4c917f23efb4a6363df722fb78ee6713ca1974ad189f1dffd584d0271ab

Download Submit
C:\Windows\SysWOW64\Ngeljh32.exe

Filesize
64KB

MD5
a20509be843cab8ff2cd348f866af806

SHA1
7f353809aa862132e68007c04f62c8f1dc230db3

SHA256
26f5fea06a1e69ad0dc123be3cc35d71fed596f9cdbded53fe7eb40493ee0d0c

SHA512
591fbda8ccb3946666f9ea5d8afdfc12ec29ad073e77f9ef678f1056f6a8f584b926a771868bb2356faecaa7e9969d6421fd2de7297f6411ee23936c14377b10

Download Submit
C:\Windows\SysWOW64\Njalacon.exe

Filesize
64KB

MD5
9ba8d33364103435ca8c598e42ac87c6

SHA1
dc350829f2b6343aa1b96a69de8f41030688e3a3

SHA256
ad5d1f7a99bcd2da56862c952f7ebbcf0dc4a41f0a921b26bf38a8dc760e35b3

SHA512
a113e5241f56736d617c1cc76b4d2686bb943dc374e1d516ef8be772cb8ea7af9128dd8f076f0d831f5a52efb055f183e388792c33faf36b7894fdcb6528437b

Download Submit
C:\Windows\SysWOW64\Njnokdaq.exe

Filesize
64KB

MD5
f350c009e326bc1db9864ddffff72641

SHA1
1bbbddfafbbca2345d755bd75d5a68bed12109e6

SHA256
46f65a7c5183f2355433a8c1df0f940a89b83174d1631cea7708375cd23a6181

SHA512
de9ff24bcc7d790f65e7d08ddef92d716a8b0dc3d40f8f2449038f339e4e945fa07b80e24be47f9281934e37f87a7348d372eda4c6dd509669dd2830bfecaceb

Download Submit
C:\Windows\SysWOW64\Nnodgbed.exe

Filesize
64KB

MD5
9a1f9ecf55cda05bef56d11cc99ebc5e

SHA1
fb8d1615d3b549a50af9663ef88e0cd8ade84321

SHA256
f386677875edc266a4186fa4f87e06f306b18c3e8755bbe5f4696ecb42d68e76

SHA512
1005d3df6bb3c994ae17d0f93996b1380a623ad496a9870cc1fae762c6af1eeb193b78a9103ebffbeb71413b8b50901ed126ff02d58258a96e799c5bc5cbe10f

Download Submit
C:\Windows\SysWOW64\Nobndj32.exe

Filesize
64KB

MD5
73f841fce4dba52bb55544c041fe17a7

SHA1
4030c5a3a91772caf7507bf8d862657d3ef22589

SHA256
9d278d4b3488eaedcd0f5455b6b23371bf4ef948a9c39772e8c4b6692913212f

SHA512
207dc4374c1653e92a3b1617b7b6a21e7b350fc5485c629fa33d37b791a29218c05bf2c8c1e41ff3c6eba0d5d33d7cf17b805b5ac9921fa868a745ec8aeb7e87

Download Submit
C:\Windows\SysWOW64\Obhpad32.exe

Filesize
64KB

MD5
304a252a29d2ba929a3690dfdece845f

SHA1
d78824255cc11e33ea032838ad3dcbd594330ab2

SHA256
405e6c223abf8d0966718d9eb7abaed284c59145aa46eb4aee7903a53de69cdf

SHA512
897acbb6af5dc754c919a9a8b6f35ee1cad5da4879a8441aeec9a14f41481ed92dff1c696009e8f8b1c996506b2a1aecbb6be507111c6e0e6fbf4f249e782bb4

Download Submit
C:\Windows\SysWOW64\Objmgd32.exe

Filesize
64KB

MD5
516ed73c1afedaffdc1f42c573bc8fff

SHA1
6be14c79cd7ac94ad6dac1088d974aca948752d5

SHA256
cdd52c626991a6461111083f025e0172048bc685cc33e99ce5a4ca085a19d1fe

SHA512
25772598c55a90184b7d4036376169267688f8336bf5fb0cb7c48e78034d2c4255c474973e93cf7a815e6f355f271bbce8ff3ea7ad0fe4d85a00d85b71d48a09

Download Submit
C:\Windows\SysWOW64\Ofobgc32.exe

Filesize
64KB

MD5
e13da0facca8caf79ea966b918e47828

SHA1
2e3c50c8dd9ee3f5d9c7546c8e75016a900339ea

SHA256
1568758317d13d0d30caf2062ff324ab463919e6b6d900b01e8f8191b7ac08ba

SHA512
ec3a0d0e0a443c04058af57a0369be8d72c86b5e74bc73a7120f2b4c8573a1212f394dba2cc51e500cf44b43059683a6925b379833f982ee0cf35ce1fc43497c

Download Submit
C:\Windows\SysWOW64\Oiokholk.exe

Filesize
64KB

MD5
79b6a900c0fe65c68547e7c4434c03bb

SHA1
b3ae5dbe06c6d69a8eba8bf82e4347f483da3a86

SHA256
ea71d13bca3ef42cffc0e0c90eaee88e102430f1ac7ae29c5208dca03855ed2d

SHA512
aeced84e7911babcccf1751052e1052ae2a5a107ad83fd1ef811a8284cb9aa43e70ce4e9e86cd0911c1e3b170b16c972d31e1d48a5b522f1173b814064ec2b45

Download Submit
C:\Windows\SysWOW64\Okbapi32.exe

Filesize
64KB

MD5
43b2cba5c98dcb1efae3f7261d66e138

SHA1
0f0f53f71d7f4ad7dc738fddc7c5aa11cb9fca08

SHA256
d81521657c2dc97cd45c4db9492f5e67d9fd78f7410413be27b77be9d45b91ca

SHA512
79e89c9f476ed5fbae5d6e402f34d91390c620e7103b049ac34d2e7785dc48f31f9223ce8673d1a431f3138ba3bc3d3f0145ee9d4639eb0e5b1d691836e21e4f

Download Submit
C:\Windows\SysWOW64\Oodjjign.exe

Filesize
64KB

MD5
48c2d61cf276f43c314c82fd3614ea43

SHA1
b37cc71ac6ff50e27841af785f3c53c06760795d

SHA256
fbd605f57b16fa35d69beb09a43f2870e95b6611fcb72fb8b5c99a3a62036d9a

SHA512
f6d2ad885c2f301faff67fa4e309a19e83bd595b4c662c725c352bc3c63310d6db1f15f282b30d4d3e625397bbed728db3a523b041c9f2eb5056f998cb4963a9

Download Submit
C:\Windows\SysWOW64\Oqojhp32.exe

Filesize
64KB

MD5
36cf695cb9bb5044c056fea354803382

SHA1
09a11c829bb86b28c1c7cf75e362144ae9304dfc

SHA256
7d6de9f0266109fd9c49f0ff4b90f7a13f3c99a52e765895ecb0d1de3a81e5a7

SHA512
06874cb1e50acc2fa546f0698572bd64ac3eb8bc5542369422ce37453ed8d270b91cfa6a3a738f997fbb48f62893cd974e4e6092d121b0a5cf817ae8dc778fcd

Download Submit
C:\Windows\SysWOW64\Padccpal.exe

Filesize
64KB

MD5
43970b181c0c4c9ad11c6af55d457e26

SHA1
6ad23bdfb1857cf97ce5ed39634c2c4f9d5f32b5

SHA256
e076a0c8bf5d47d3ef4f1f52e7d907cf078770b3844f979fc96388a82bb8cc1b

SHA512
38b11008fd507eae0438d19e288d416d3bf4fc6f21b52f5d159adb4a063bc4c634b733978eec7121635a9f571679f4948b1c97cb94dff7e1ae227cd9c21c86f8

Download Submit
C:\Windows\SysWOW64\Pbepkh32.exe

Filesize
64KB

MD5
5185581e9d84b7122e647659da4e2098

SHA1
da966e183375c638a08d0aa2635d34d1558fd754

SHA256
27261e81b9686962ea14831847d8b19bb7c1f81c95e1abcb697582892911d345

SHA512
cce481389c33e0facea0ddd061f4a49c005c998d9eb59d397c38c3b3402dd53370b74e40ff7095e4d72e7472f7627cdb130c951c83f1c80ee067bebc37186937

Download Submit
C:\Windows\SysWOW64\Pfeeff32.exe

Filesize
64KB

MD5
3ae9d3b0b18dfd9a742cc7124a33e8e5

SHA1
9ac9ff9c6806e97056c927197b1c03e64b3e8c50

SHA256
99c5c8f32e9759cbfb8b7eea2ec279559cee186297b1a9d21752fd54a8479af4

SHA512
252b6b438f4e9976a73f31fdd416807009461c4742b744f759c39cf7aad86c4cec2fb236794c17dad56efacc3a3452cf71a9f417c60120a54e8600e85ff01a2b

Download Submit
C:\Windows\SysWOW64\Pglojj32.exe

Filesize
64KB

MD5
6d985d75d8357d9d7e5a7ca494198052

SHA1
fec8fdacac0b2d7832d038a72a23450dfb2331ae

SHA256
56b13aa6e350e5634d3b9a72ebbc78183752d1890808341678bac1b643459d33

SHA512
a84ac92a6633a5d53b3eceb317106300a7eedd499ac4067b2afa9987d1e1d4b6cb2a86bd2143ea1f44385f763590c7391b320f8d0dcb88a2fc9849e671849083

Download Submit
C:\Windows\SysWOW64\Pmkdhq32.exe

Filesize
64KB

MD5
1dfdbee16b154f02d683ef27705af5ff

SHA1
5dc2e4fdb4cd7410d916a4b8e1c82a8e33f579e3

SHA256
9289f47d020b1ccaab34891f374b9628dc0046fc5a8c6ada6ea59b21b7f7fe82

SHA512
ad91286d3fb146eb7cd4f5ad0e5038c8986d92acf2a27a425c74c73d85e45b367b2f7a8eeac02fa0b6b37b025db1c88645f31138cfaf984005af1789c09f8d2c

Download Submit
C:\Windows\SysWOW64\Ppipdl32.exe

Filesize
64KB

MD5
5216b884fdea9424f2b0eb892a3deffd

SHA1
2927ebfaabd8367aee9abf3b55f8f415270edf01

SHA256
a44c5fa9d2d0108890a9cbec85c8689af9b28c6d6c42c5eff0567d5c29aba450

SHA512
55520fa3d8ca0d799af6597a7854d26f426b0136cbdac198279c9d6d2e969c5e58481107ee46bd76dc5a35ed8f220e71916cf738738b049696b65c0c22c41259

Download Submit
C:\Windows\SysWOW64\Qaablcej.exe

Filesize
64KB

MD5
fed4648fe71b0359b361ad1b3f7030cc

SHA1
a06c7e11357c9812088e16f691ead50edc864a91

SHA256
393a8ea93344a38a922501aeb01cfe539ddfc03c90873166c64be9770f14ed50

SHA512
b3fd421a8a860a9fbbb06f693da88ce896b0beab538753962e8e428bde342e9a8927cbcea4aca77484a1b7e591d62ff90ae5eba9f297d7e3047065d79ddf64b7

Download Submit
C:\Windows\SysWOW64\Qekbgbpf.exe

Filesize
64KB

MD5
298b46cf2355c647062fce31fa63f1bb

SHA1
85b72ec6005d6467c3732dce89570c2bb0bd9de8

SHA256
b9ce9e3c97740f54bc01ec2910c20944946d980ccabf3005dd74c2792b85ee62

SHA512
5d77a2ede19e124e0702f46ea10ee254c4baa010bf9100e686c2dc43fcee7c0af6be02c87c6f0b6241c74f3050124ff49420b838dfe3b9702c8d6f67eac34e08

Download Submit
C:\Windows\SysWOW64\Qldjdlgb.exe

Filesize
64KB

MD5
ad58ad0f8ce0ea83cf8b9628e7989601

SHA1
41762c1108eb770281b9bb4260389b86d91ed560

SHA256
5b66dfdf066587ed469204fef7d0bf5f165f03eb165a55ec3c8cefdc511582ee

SHA512
c00512d05d36fecdf3adfc8329b9863e8aa827850f6a02ab5eb4f2439339140cbad938550f5a0cf17bab94607a7eb6fc070c2f206cc79871b72c18226c496d45

Download Submit
\Windows\SysWOW64\Jnlbgq32.exe

Filesize
64KB

MD5
e8746afc59c3d4ec5a089210a997224b

SHA1
1b706d666a028410021e47d6903fd85322d0f514

SHA256
3f4ef4053a99183c67f1976c11a2a8b0abfe7c2c1094ce6b3efe2fa9ace7ead3

SHA512
23070110ce1d79de8f9992dbe32938a258878eeea6d428940709dc34e3c0f53c9826b7bea8fc83b522779a54c1cb375810ac99baf50a7e77aed9858acbdd7f8f

Download Submit
\Windows\SysWOW64\Kecjmodq.exe

Filesize
64KB

MD5
ed8150007aefc09f1d6cc9ca2737535d

SHA1
3c2c55dfe9cdb557ed64b9877905bda5c93269da

SHA256
3e0ce0f7e1009a59defe90a314128c181228e5358def52f065055303021ecea6

SHA512
a340e3f1975cb059f1f3a81af35a8d0f13d2a1285055ee9ba0baae71a666543da03a569c574bd47919f4645e7185df5e83890c36f9b12cfeefb29c7717b53239

Download Submit
\Windows\SysWOW64\Kfnnlboi.exe

Filesize
64KB

MD5
899fafb08ac92a006bbf2541f49c2351

SHA1
c2671fbf177abbc17fb09e80ddb20fc6fa27f4a0

SHA256
71a97adccfc42c0107c4928df95ee4d65aa03e6ece965089b9e3df13bb82f182

SHA512
badecff4bfdfa980fb740262a27a8959b6a431757d8697825a8f5ae68e20c8bbc6a3de9cf48ccf745b253186de80fafeea8ad082f433a1397af9b21444e541ff

Download Submit
\Windows\SysWOW64\Kiecgo32.exe

Filesize
64KB

MD5
e7d5b0e36994a22b6cfcd9b5adfa7d31

SHA1
424bcbb357de81c51f9627af5547323bec8d7702

SHA256
7aff990306b5eec37df246b6e88ca57ecd5a272ee9073ea73d84b06c2198e0e8

SHA512
9f2506d5d282933b232de16bdd94fb620efc47058f6be6d3e05003595d346cc8ad4f5aaa9f1c345a4e304b77de0efeca7b3a2f3b3c7f0a9dc630e112c628522f

Download Submit
\Windows\SysWOW64\Klhioioc.exe

Filesize
64KB

MD5
438484ee76b8b9790439cf190fd97e29

SHA1
a942ba6e4823ae87870e8c4d4542437863b90d04

SHA256
4c6d3c33cf6c6610dfe2bacc4b10509af8a9905e243a75c3b0deb13a73bd731c

SHA512
fdc6d8060d081bca11590488e3b71bde0d3c91c4ef9cff6eac5ea879f1dbbda57c36ed7949cdce95493088639075c233ecf25cd222a702a779abb801918df8e5

Download Submit
\Windows\SysWOW64\Kmclmm32.exe

Filesize
64KB

MD5
f69edc8e0d4beff5bb3c4117a620e1e1

SHA1
732620a410b354eb4e7e4072b58c6c2484f2d340

SHA256
10d033cf2ec0431f1cfe1b9a1b5b50ec4b70b5bc066237e30da18a9055796bd3

SHA512
81e667a62f64a979879b93eac535e79407a6248958ed2a3a569f339f4b7982d6a34615841bac26699a06774cb9d9a9c9e1c728838569f27fb1a35dbf4030a7bd

Download Submit
\Windows\SysWOW64\Koibpd32.exe

Filesize
64KB

MD5
aa511d8e2e511b03d5394addfd9e2c1b

SHA1
a63fc93e93a8eaa663d738d8511bfd29e1eb3bd6

SHA256
a0c7101cac499cdb34e83eb2095e62aa0d86c69ed92610066c0f8cc8a8b8c8e5

SHA512
5a0f9e857a9088bc278f3ea8015999d890b08596a7e8c977e8c20ef66fe5a5730129b232541f132c68abbf3d1e231b43235c89b853fa52acf4f4de92bebe76bb

Download Submit
\Windows\SysWOW64\Lcdjpfgh.exe

Filesize
64KB

MD5
49bab9e1cc8aac1fbc45d70ea9e66900

SHA1
5567b681bf6c6f86162709711fab0bc7e1f0f9b0

SHA256
f51c3fb8d7252f597f9f437247b7cb33025455fe2f936fa2ac9ee12d24ab8fc9

SHA512
f020c13a705392278b41f26220307d787502d1577acf80c3a6a643fb8f0111d2ce8521b0f82f81b09f9dd43dc3cee32fc6aee2c3405aac8af00fe3afbfa06605

Download Submit
\Windows\SysWOW64\Ldhgnk32.exe

Filesize
64KB

MD5
1168040913f822da510c59dd28959681

SHA1
f9947af311decda4fb1c7c4e861e372826b37bcd

SHA256
8a842f6bf73cbfa50e5dc23f78f18b733d84a2135179238d91188dc2fd8b37ec

SHA512
489aef52257faeec83f73d6ea2298b8e1805a24af2d0024e665f3da5a3c0e743406cddf18f47414633512fe4e97bc9a8dac2e294a67763c688e886c7e5880108

Download Submit
\Windows\SysWOW64\Ldpnoj32.exe

Filesize
64KB

MD5
46bd075f3542be4165c7f9ebe5621d4f

SHA1
e6a0931cddd0cbe650178b9a954558a430ba4b76

SHA256
b6e1b1d1401f9a2d800c41c388a4cac551d732ca3d579a1ce61164acb64b168b

SHA512
9da20bc68877aec3bda066ee5df47a5871128fee18f0f5ee207f152de9308be9c8cccfb94a942595736e365a17c1844d5b77b09d29861c2d36dada009bfba6e1

Download Submit
\Windows\SysWOW64\Lglmefcg.exe

Filesize
64KB

MD5
9575106dc7191102a6d7e7c83f0fb4c4

SHA1
7fbb2b1a88669f19d9c6dda22115bc90814c3996

SHA256
56718b2d976de0ca94eef9aaccd8ae44411018fab5d607a412008f8c1ac4884d

SHA512
707ac79067fa57ed73a9f778f688801448da26668c77f3ef2499bec745d27f0193e53cc36082bfdef235078ffc9c41823f2c5e50000eb949b66e30a9fdd0fe48

Download Submit
\Windows\SysWOW64\Lkelpd32.exe

Filesize
64KB

MD5
1d32b45be0e27d94d9c7714933076cfd

SHA1
8533404e562ad17d31106e3a981c733b3869f467

SHA256
2421c9b229c2a0f4cedad1fd4edef59872ac13210bb1cf2e834540ad53dc2e16

SHA512
0af342076eb27ec516c41246aabbc2c4bc2e792edb7831b5718cf1e70fd2a6154c681bdd8a1b6755fa262c7fe45cdd11312839c8f6529771e04d4591efc8e820

Download Submit
\Windows\SysWOW64\Lmhbgpia.exe

Filesize
64KB

MD5
9b32c06887c4cd3cc161b0e329f2b0d4

SHA1
821f03a3002e418d2fd36d2647c280ad3f66550c

SHA256
1cb968d0bdf4f5374ef659f65106307ddc2e9312930813e6b3a3f92aad76fa5d

SHA512
8bd4c9f6f921cb93cdd658c04c36e5e24111654f6f4b0d4fc1bfab56fe831d281c942870057ef306cc8f02fb54c99548d8035f55e3f807d8338cb552165bb394

Download Submit
\Windows\SysWOW64\Lonlkcho.exe

Filesize
64KB

MD5
0399c14b0a506e50c3b5a6bd2f166ae8

SHA1
345a7107318e785419279762f52f23cbeafe0f48

SHA256
4be0c07c3853e2f26cfeb7e94483f7cce91d820d16a7ba41861b5d68f66b1d82

SHA512
38762c75d42103e982298df1d5bf6f07cc9ea1566477c84f909d02c5fc705115246549c3f4e48f4053c491fb0a70bcf6e583ea38c596b6727c0e0b3077a553a8

Download Submit
\Windows\SysWOW64\Mcggef32.exe

Filesize
64KB

MD5
4e21bb8698c373b22b379441b3cb1ec5

SHA1
f3b09d3c0760e4900d646c9e398ce3611ffb22df

SHA256
8f1c299961aca1b3084fffe0d98f9b2de79c9898587b56d37517ef6bb4afbf7d

SHA512
c28be9a7da78eefa32b36fc1ed34598b4c1a333c3eedd5cf4a3c67bfa8791983aea3b40adafd95906bee80dc4c354ddf39eb73fa70ff1ba6beb1d198e9d7afa6

Download Submit
\Windows\SysWOW64\Mpkhoj32.exe

Filesize
64KB

MD5
5f753e5101dfe66fa0cf1980bc55d248

SHA1
fde30783b322d7a0fe115bdfd3f65e01c7747e12

SHA256
a39b8e9a0cff959edccf7d014982883e95e3d11a3e4e1639b321a3fa6b81a579

SHA512
38c18ecd36b608bc2455d63a46e8e810c1b45af45bb2e2772f8fd810ba94ef0a55992a0999b4cfca56fdb605d9429708a82fef6e8370e58dcd34f6957f056321

Download Submit
memory/436-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-230-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/796-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-347-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/836-346-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/840-500-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/840-501-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/840-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-303-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/860-302-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/880-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-379-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/908-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-373-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1016-293-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1016-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-289-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1348-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-424-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1420-194-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1456-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-180-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1456-186-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1456-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-240-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1784-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-166-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1976-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-207-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2044-282-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2044-281-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2096-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-467-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2120-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-488-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2192-489-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2192-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-272-0x0000000001BA0000-0x0000000001BD4000-memory.dmp

Filesize
208KB

Download
memory/2216-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-475-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2252-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-127-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2256-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-314-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2304-310-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2304-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-402-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2476-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-49-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2484-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-75-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2512-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-88-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2564-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-324-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2612-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-328-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2636-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-253-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2684-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-335-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2720-336-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2720-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-35-0x0000000001B60000-0x0000000001B94000-memory.dmp

Filesize
208KB

Download
memory/2756-40-0x0000000001B60000-0x0000000001B94000-memory.dmp

Filesize
208KB

Download
memory/2756-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-66-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2820-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-414-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2824-413-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2824-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-357-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2992-359-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2992-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-360-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2992-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-13-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2992-11-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2996-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads