berbew | 93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 11:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82N.exe
Size

128KB
MD5

bffc33672b486aedc34f921656cd84e0
SHA1

bb4d59ec7380f7122d477c4cb7d4f84ca882060f
SHA256

93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82
SHA512

14f4ab7c030eb4297a48587d3150c691890b9dc8ded08397b9ee40f87fcf519ef1810f30acfbf12fc99fa6e8360b96ac0f0aa3c0a3826f7741c2b613d5705397
SSDEEP

3072:smyrM0B5HsiLSKaCJ9IDlRxyhTbhgu+tAcrbFAJc+i:10BzmKrsDshsrtMk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhhhla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkgnojog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkecjajp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hagjohma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgpkikbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daobpnoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efqdcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkndpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnknf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkmbbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqfcmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciljcbij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpklkkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmihal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gghckqef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkoogn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhhhla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knomadfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmaijo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckagiqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmbkhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdcjednh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idhlgalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqaiaaoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cckipl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epkebi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijlaiibb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddkcoac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkflaokm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggoilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqfcmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jddkcoac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbmkhej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bichmcae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfghfgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fapkgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gabqci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhfdmobf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djejcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igmemnco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikmkilgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghjlkcjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdllkbfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpklkkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idfoaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjngefam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlghbkq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calldppd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiogcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fabhmkoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gapdni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faddbkmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdjgoefc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdcjednh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiogcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keheno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emmifn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdljng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmbmkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inijoghi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inijoghi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihakbp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3928	Bmlghbkq.exe
3540	Bpjcdn32.exe
4436	Bgakek32.exe
3032	Bichmcae.exe
3160	Bpmpjm32.exe
2328	Cfghfgpo.exe
3168	Calldppd.exe
2196	Cckipl32.exe
5004	Cigahb32.exe
4376	Ccmeek32.exe
4068	Cflaag32.exe
3924	Ccpbkk32.exe
212	Ciljcbij.exe
1096	Cacbdoil.exe
3224	Cfpkmfhd.exe
2840	Cmjcip32.exe
4560	Dcdkfjfm.exe
3864	Diadna32.exe
4552	Dpklkkla.exe
4452	Djqphdlg.exe
2256	Dajien32.exe
4540	Dfgame32.exe
2644	Dmaijo32.exe
4712	Dckagiqe.exe
2072	Djejcc32.exe
4164	Daobpnoo.exe
5024	Dhijmh32.exe
2732	Dmfceoec.exe
3536	Edpkbi32.exe
180	Ejjcocdm.exe
4416	Eadkkm32.exe
2608	Edbhgh32.exe
3972	Efqdcd32.exe
224	Emklpn32.exe
1536	Epihli32.exe
2528	Ejomjb32.exe
4520	Emmifn32.exe
4496	Epkebi32.exe
3552	Efemocel.exe
3056	Eakall32.exe
5104	Emabamkf.exe
2000	Fdljng32.exe
2352	Fkecjajp.exe
3560	Fapkgk32.exe
4600	Fhicde32.exe
4992	Fkhppa32.exe
1812	Fabhmkoj.exe
3992	Fhlpie32.exe
3116	Fimlamle.exe
2188	Fmihal32.exe
3164	Faddbkmg.exe
2516	Fhnmoedd.exe
3108	Fgamja32.exe
2248	Fafahj32.exe
2780	Fhqiddba.exe
3244	Fkoeqpae.exe
3568	Fmmbmkqi.exe
940	Gplnigpl.exe
2076	Ghcfjd32.exe
3508	Gidbalfm.exe
2904	Gpnknf32.exe
336	Gdjgoefc.exe
2496	Gghckqef.exe
1624	Gkcolo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmmkfa32.dll	Knaigd32.exe
File opened for modification	C:\Windows\SysWOW64\Ejjcocdm.exe	Edpkbi32.exe
File created	C:\Windows\SysWOW64\Gidbalfm.exe	Ghcfjd32.exe
File created	C:\Windows\SysWOW64\Cmhchomj.dll	Hnnkcibf.exe
File created	C:\Windows\SysWOW64\Ggdoejob.dll	Hgfolo32.exe
File created	C:\Windows\SysWOW64\Igpbbm32.exe	Idaffb32.exe
File created	C:\Windows\SysWOW64\Jgieil32.exe	Jhfdmobf.exe
File created	C:\Windows\SysWOW64\Pipilb32.dll	Ejjcocdm.exe
File created	C:\Windows\SysWOW64\Hpodedpg.exe	Hnpgiipc.exe
File opened for modification	C:\Windows\SysWOW64\Gghckqef.exe	Gdjgoefc.exe
File opened for modification	C:\Windows\SysWOW64\Gkkelngg.exe	Ggoilp32.exe
File opened for modification	C:\Windows\SysWOW64\Inijoghi.exe	Ijnnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dfgame32.exe	Dajien32.exe
File created	C:\Windows\SysWOW64\Djejcc32.exe	Dckagiqe.exe
File opened for modification	C:\Windows\SysWOW64\Iqhfkcgl.exe	Inijoghi.exe
File opened for modification	C:\Windows\SysWOW64\Idfoaa32.exe	Ibgcef32.exe
File created	C:\Windows\SysWOW64\Hcaofb32.dll	Ihakbp32.exe
File created	C:\Windows\SysWOW64\Iokegd32.dll	Gplnigpl.exe
File opened for modification	C:\Windows\SysWOW64\Gpnknf32.exe	Gidbalfm.exe
File created	C:\Windows\SysWOW64\Hniahj32.exe	Gkkelngg.exe
File created	C:\Windows\SysWOW64\Emabamkf.exe	Eakall32.exe
File opened for modification	C:\Windows\SysWOW64\Fkecjajp.exe	Fdljng32.exe
File created	C:\Windows\SysWOW64\Ibjpkeml.exe	Ijbhjhlj.exe
File opened for modification	C:\Windows\SysWOW64\Ihakbp32.exe	Idfoaa32.exe
File created	C:\Windows\SysWOW64\Jaiabinh.dll	Jhfdmobf.exe
File opened for modification	C:\Windows\SysWOW64\Gdlcdedp.exe	Gmbkhk32.exe
File created	C:\Windows\SysWOW64\Ihjeaa32.exe	Ijiecide.exe
File created	C:\Windows\SysWOW64\Jnejkfnk.exe	Jjjnjg32.exe
File created	C:\Windows\SysWOW64\Kqoecp32.exe	Knaigd32.exe
File opened for modification	C:\Windows\SysWOW64\Ccpbkk32.exe	Cflaag32.exe
File created	C:\Windows\SysWOW64\Faniinji.dll	Hagjohma.exe
File created	C:\Windows\SysWOW64\Kcbpbodi.dll	Jnqqpf32.exe
File opened for modification	C:\Windows\SysWOW64\Fhnmoedd.exe	Faddbkmg.exe
File created	C:\Windows\SysWOW64\Bnadjc32.dll	Fhqiddba.exe
File created	C:\Windows\SysWOW64\Ccpbkk32.exe	Cflaag32.exe
File created	C:\Windows\SysWOW64\Jeiidj32.dll	Hdcjednh.exe
File created	C:\Windows\SysWOW64\Noedad32.dll	Hjpbmklp.exe
File opened for modification	C:\Windows\SysWOW64\Kqmimped.exe	Knomadfq.exe
File created	C:\Windows\SysWOW64\Apehhkaa.dll	Diadna32.exe
File opened for modification	C:\Windows\SysWOW64\Djejcc32.exe	Dckagiqe.exe
File created	C:\Windows\SysWOW64\Dhijmh32.exe	Daobpnoo.exe
File created	C:\Windows\SysWOW64\Idaffb32.exe	Iabjjfbd.exe
File created	C:\Windows\SysWOW64\Ijbhjhlj.exe	Ihakbp32.exe
File created	C:\Windows\SysWOW64\Fmihal32.exe	Fimlamle.exe
File created	C:\Windows\SysWOW64\Gapdni32.exe	Giilml32.exe
File created	C:\Windows\SysWOW64\Nnelah32.dll	Edpkbi32.exe
File created	C:\Windows\SysWOW64\Lajbof32.dll	Jjjnjg32.exe
File created	C:\Windows\SysWOW64\Lenablif.dll	Kqklhpgg.exe
File opened for modification	C:\Windows\SysWOW64\Cigahb32.exe	Cckipl32.exe
File created	C:\Windows\SysWOW64\Fkhcmiii.dll	Emklpn32.exe
File created	C:\Windows\SysWOW64\Dldkia32.dll	Jgpkikbi.exe
File opened for modification	C:\Windows\SysWOW64\Kdfhho32.exe	Kqklhpgg.exe
File created	C:\Windows\SysWOW64\Fdljng32.exe	Emabamkf.exe
File created	C:\Windows\SysWOW64\Anijnh32.dll	Gpeaoeha.exe
File opened for modification	C:\Windows\SysWOW64\Dckagiqe.exe	Dmaijo32.exe
File created	C:\Windows\SysWOW64\Memkpahe.dll	Emabamkf.exe
File opened for modification	C:\Windows\SysWOW64\Gapdni32.exe	Giilml32.exe
File opened for modification	C:\Windows\SysWOW64\Dpklkkla.exe	Diadna32.exe
File created	C:\Windows\SysWOW64\Epihli32.exe	Emklpn32.exe
File created	C:\Windows\SysWOW64\Jkgnojog.exe	Jdmebp32.exe
File created	C:\Windows\SysWOW64\Keomkeoe.dll	Bichmcae.exe
File created	C:\Windows\SysWOW64\Dmaijo32.exe	Dfgame32.exe
File created	C:\Windows\SysWOW64\Ngnlmn32.dll	Epihli32.exe
File created	C:\Windows\SysWOW64\Plhbpf32.dll	Hhhhla32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5856	5716	WerFault.exe	226

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgakek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efemocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edpkbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fafahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggoilp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdcjednh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkgnojog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calldppd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmeek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjcip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkijdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqklhpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqoecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqfcmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdaompce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdfhho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bichmcae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdjgoefc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdljng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghcfjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpkmfhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghjlkcjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmfceoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejomjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdlcdedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijnnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkbddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cflaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciljcbij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djejcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cckipl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckagiqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijlaiibb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnnkcibf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inijoghi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqomlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knaigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjcocdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjpbmklp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gidbalfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpnknf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gghckqef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkdhbmom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiogcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giilml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkhhgoij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqmimped.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgdbgoki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgfolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijiecide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihjeaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikmkilgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmihal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkcolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hniahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knlpldhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jncmefpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhijmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fapkgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhlpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idaffb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikmkilgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccpbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnelah32.dll"	Edpkbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kepjpn32.dll"	Fabhmkoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgmoepe.dll"	Faddbkmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnnkcibf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakkik32.dll"	Efemocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhlpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkdhbmom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnejkfnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfghfgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdkfe32.dll"	Gidbalfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkejph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdjgoefc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdljng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokegd32.dll"	Gplnigpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbeogcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkndpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bichmcae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pioimjkm.dll"	Kkbmkhej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpmpjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efemocel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkndpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hagjohma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdaompce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlghbkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlghbkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafjfil.dll"	Daobpnoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpodedpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejjcocdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jqomlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkijdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcdfo32.dll"	Jngfqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjngefam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjcip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apibompj.dll"	Fimlamle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiidj32.dll"	Hdcjednh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igpbbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdbok32.dll"	Gkcolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcfgeddi.dll"	Ikmkilgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpkmfhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkoeqpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efqdcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkcolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhoj32.dll"	Iabjjfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdobhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jngfqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccqhqmj.dll"	Calldppd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eadkkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epkebi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhqnog32.dll"	Dhijmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnkjk32.dll"	Ejomjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpccbm32.dll"	Gghckqef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eadkkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlaflkam.dll"	Fmmbmkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjgie32.dll"	Ibjpkeml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eakall32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obpepdco.dll"	Jdmebp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhnmoedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkoogn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djejcc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 3928	2568	93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82N.exe	82
PID 2568 wrote to memory of 3928	2568	93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82N.exe	82
PID 2568 wrote to memory of 3928	2568	93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82N.exe	82
PID 3928 wrote to memory of 3540	3928	Bmlghbkq.exe	83
PID 3928 wrote to memory of 3540	3928	Bmlghbkq.exe	83
PID 3928 wrote to memory of 3540	3928	Bmlghbkq.exe	83
PID 3540 wrote to memory of 4436	3540	Bpjcdn32.exe	84
PID 3540 wrote to memory of 4436	3540	Bpjcdn32.exe	84
PID 3540 wrote to memory of 4436	3540	Bpjcdn32.exe	84
PID 4436 wrote to memory of 3032	4436	Bgakek32.exe	85
PID 4436 wrote to memory of 3032	4436	Bgakek32.exe	85
PID 4436 wrote to memory of 3032	4436	Bgakek32.exe	85
PID 3032 wrote to memory of 3160	3032	Bichmcae.exe	86
PID 3032 wrote to memory of 3160	3032	Bichmcae.exe	86
PID 3032 wrote to memory of 3160	3032	Bichmcae.exe	86
PID 3160 wrote to memory of 2328	3160	Bpmpjm32.exe	87
PID 3160 wrote to memory of 2328	3160	Bpmpjm32.exe	87
PID 3160 wrote to memory of 2328	3160	Bpmpjm32.exe	87
PID 2328 wrote to memory of 3168	2328	Cfghfgpo.exe	88
PID 2328 wrote to memory of 3168	2328	Cfghfgpo.exe	88
PID 2328 wrote to memory of 3168	2328	Cfghfgpo.exe	88
PID 3168 wrote to memory of 2196	3168	Calldppd.exe	89
PID 3168 wrote to memory of 2196	3168	Calldppd.exe	89
PID 3168 wrote to memory of 2196	3168	Calldppd.exe	89
PID 2196 wrote to memory of 5004	2196	Cckipl32.exe	90
PID 2196 wrote to memory of 5004	2196	Cckipl32.exe	90
PID 2196 wrote to memory of 5004	2196	Cckipl32.exe	90
PID 5004 wrote to memory of 4376	5004	Cigahb32.exe	91
PID 5004 wrote to memory of 4376	5004	Cigahb32.exe	91
PID 5004 wrote to memory of 4376	5004	Cigahb32.exe	91
PID 4376 wrote to memory of 4068	4376	Ccmeek32.exe	92
PID 4376 wrote to memory of 4068	4376	Ccmeek32.exe	92
PID 4376 wrote to memory of 4068	4376	Ccmeek32.exe	92
PID 4068 wrote to memory of 3924	4068	Cflaag32.exe	93
PID 4068 wrote to memory of 3924	4068	Cflaag32.exe	93
PID 4068 wrote to memory of 3924	4068	Cflaag32.exe	93
PID 3924 wrote to memory of 212	3924	Ccpbkk32.exe	94
PID 3924 wrote to memory of 212	3924	Ccpbkk32.exe	94
PID 3924 wrote to memory of 212	3924	Ccpbkk32.exe	94
PID 212 wrote to memory of 1096	212	Ciljcbij.exe	95
PID 212 wrote to memory of 1096	212	Ciljcbij.exe	95
PID 212 wrote to memory of 1096	212	Ciljcbij.exe	95
PID 1096 wrote to memory of 3224	1096	Cacbdoil.exe	96
PID 1096 wrote to memory of 3224	1096	Cacbdoil.exe	96
PID 1096 wrote to memory of 3224	1096	Cacbdoil.exe	96
PID 3224 wrote to memory of 2840	3224	Cfpkmfhd.exe	97
PID 3224 wrote to memory of 2840	3224	Cfpkmfhd.exe	97
PID 3224 wrote to memory of 2840	3224	Cfpkmfhd.exe	97
PID 2840 wrote to memory of 4560	2840	Cmjcip32.exe	98
PID 2840 wrote to memory of 4560	2840	Cmjcip32.exe	98
PID 2840 wrote to memory of 4560	2840	Cmjcip32.exe	98
PID 4560 wrote to memory of 3864	4560	Dcdkfjfm.exe	99
PID 4560 wrote to memory of 3864	4560	Dcdkfjfm.exe	99
PID 4560 wrote to memory of 3864	4560	Dcdkfjfm.exe	99
PID 3864 wrote to memory of 4552	3864	Diadna32.exe	100
PID 3864 wrote to memory of 4552	3864	Diadna32.exe	100
PID 3864 wrote to memory of 4552	3864	Diadna32.exe	100
PID 4552 wrote to memory of 4452	4552	Dpklkkla.exe	101
PID 4552 wrote to memory of 4452	4552	Dpklkkla.exe	101
PID 4552 wrote to memory of 4452	4552	Dpklkkla.exe	101
PID 4452 wrote to memory of 2256	4452	Djqphdlg.exe	102
PID 4452 wrote to memory of 2256	4452	Djqphdlg.exe	102
PID 4452 wrote to memory of 2256	4452	Djqphdlg.exe	102
PID 2256 wrote to memory of 4540	2256	Dajien32.exe	103

C:\Users\Admin\AppData\Local\Temp\93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82N.exe
"C:\Users\Admin\AppData\Local\Temp\93d37fab9f00cd432f354d68db873f44756383605b5db2ddb0d1eec01232bf82N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\Bmlghbkq.exe
  C:\Windows\system32\Bmlghbkq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\Bpjcdn32.exe
    C:\Windows\system32\Bpjcdn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\Bgakek32.exe
      C:\Windows\system32\Bgakek32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\SysWOW64\Bichmcae.exe
        
        C:\Windows\system32\Bichmcae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Bpmpjm32.exe
        
        C:\Windows\system32\Bpmpjm32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Cfghfgpo.exe
        
        C:\Windows\system32\Cfghfgpo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Calldppd.exe
        
        C:\Windows\system32\Calldppd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Cckipl32.exe
        
        C:\Windows\system32\Cckipl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Cigahb32.exe
        
        C:\Windows\system32\Cigahb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Ccmeek32.exe
        
        C:\Windows\system32\Ccmeek32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Cflaag32.exe
        
        C:\Windows\system32\Cflaag32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ccpbkk32.exe
        
        C:\Windows\system32\Ccpbkk32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Ciljcbij.exe
        
        C:\Windows\system32\Ciljcbij.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Cacbdoil.exe
        
        C:\Windows\system32\Cacbdoil.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Cfpkmfhd.exe
        
        C:\Windows\system32\Cfpkmfhd.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Cmjcip32.exe
        
        C:\Windows\system32\Cmjcip32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Dcdkfjfm.exe
        
        C:\Windows\system32\Dcdkfjfm.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Diadna32.exe
        
        C:\Windows\system32\Diadna32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Dpklkkla.exe
        
        C:\Windows\system32\Dpklkkla.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Djqphdlg.exe
        
        C:\Windows\system32\Djqphdlg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Dajien32.exe
        
        C:\Windows\system32\Dajien32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Dfgame32.exe
        
        C:\Windows\system32\Dfgame32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Dmaijo32.exe
        
        C:\Windows\system32\Dmaijo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\Dckagiqe.exe
        
        C:\Windows\system32\Dckagiqe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Djejcc32.exe
        
        C:\Windows\system32\Djejcc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Daobpnoo.exe
        
        C:\Windows\system32\Daobpnoo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Dhijmh32.exe
        
        C:\Windows\system32\Dhijmh32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Dmfceoec.exe
        
        C:\Windows\system32\Dmfceoec.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Edpkbi32.exe
        
        C:\Windows\system32\Edpkbi32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Ejjcocdm.exe
        
        C:\Windows\system32\Ejjcocdm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:180
        
        C:\Windows\SysWOW64\Eadkkm32.exe
        
        C:\Windows\system32\Eadkkm32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Edbhgh32.exe
        
        C:\Windows\system32\Edbhgh32.exe
        33⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Efqdcd32.exe
        
        C:\Windows\system32\Efqdcd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Emklpn32.exe
        
        C:\Windows\system32\Emklpn32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Epihli32.exe
        
        C:\Windows\system32\Epihli32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ejomjb32.exe
        
        C:\Windows\system32\Ejomjb32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Emmifn32.exe
        
        C:\Windows\system32\Emmifn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Epkebi32.exe
        
        C:\Windows\system32\Epkebi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Efemocel.exe
        
        C:\Windows\system32\Efemocel.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Eakall32.exe
        
        C:\Windows\system32\Eakall32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Emabamkf.exe
        
        C:\Windows\system32\Emabamkf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Fdljng32.exe
        
        C:\Windows\system32\Fdljng32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Fkecjajp.exe
        
        C:\Windows\system32\Fkecjajp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Fapkgk32.exe
        
        C:\Windows\system32\Fapkgk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\Fhicde32.exe
        
        C:\Windows\system32\Fhicde32.exe
        46⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Fkhppa32.exe
        
        C:\Windows\system32\Fkhppa32.exe
        47⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Fabhmkoj.exe
        
        C:\Windows\system32\Fabhmkoj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Fhlpie32.exe
        
        C:\Windows\system32\Fhlpie32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Fimlamle.exe
        
        C:\Windows\system32\Fimlamle.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Fmihal32.exe
        
        C:\Windows\system32\Fmihal32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Faddbkmg.exe
        
        C:\Windows\system32\Faddbkmg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Fhnmoedd.exe
        
        C:\Windows\system32\Fhnmoedd.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Fgamja32.exe
        
        C:\Windows\system32\Fgamja32.exe
        54⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Fafahj32.exe
        
        C:\Windows\system32\Fafahj32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Fhqiddba.exe
        
        C:\Windows\system32\Fhqiddba.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Fkoeqpae.exe
        
        C:\Windows\system32\Fkoeqpae.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Fmmbmkqi.exe
        
        C:\Windows\system32\Fmmbmkqi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Gplnigpl.exe
        
        C:\Windows\system32\Gplnigpl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Ghcfjd32.exe
        
        C:\Windows\system32\Ghcfjd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Gidbalfm.exe
        
        C:\Windows\system32\Gidbalfm.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Gpnknf32.exe
        
        C:\Windows\system32\Gpnknf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Gdjgoefc.exe
        
        C:\Windows\system32\Gdjgoefc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Gghckqef.exe
        
        C:\Windows\system32\Gghckqef.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Gkcolo32.exe
        
        C:\Windows\system32\Gkcolo32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Gmbkhk32.exe
        
        C:\Windows\system32\Gmbkhk32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Gdlcdedp.exe
        
        C:\Windows\system32\Gdlcdedp.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Gkflaokm.exe
        
        C:\Windows\system32\Gkflaokm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5028
        
        C:\Windows\SysWOW64\Giilml32.exe
        
        C:\Windows\system32\Giilml32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Gapdni32.exe
        
        C:\Windows\system32\Gapdni32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1948
        
        C:\Windows\SysWOW64\Ghjlkcjf.exe
        
        C:\Windows\system32\Ghjlkcjf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Gkhhgoij.exe
        
        C:\Windows\system32\Gkhhgoij.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Gabqci32.exe
        
        C:\Windows\system32\Gabqci32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:836
        
        C:\Windows\SysWOW64\Gpeaoeha.exe
        
        C:\Windows\system32\Gpeaoeha.exe
        74⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Ggoilp32.exe
        
        C:\Windows\system32\Ggoilp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Gkkelngg.exe
        
        C:\Windows\system32\Gkkelngg.exe
        76⤵
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Hniahj32.exe
        
        C:\Windows\system32\Hniahj32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Hdcjednh.exe
        
        C:\Windows\system32\Hdcjednh.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Hkmbbn32.exe
        
        C:\Windows\system32\Hkmbbn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4440
        
        C:\Windows\SysWOW64\Hjpbmklp.exe
        
        C:\Windows\system32\Hjpbmklp.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Hagjohma.exe
        
        C:\Windows\system32\Hagjohma.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Hgdbgoki.exe
        
        C:\Windows\system32\Hgdbgoki.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Hkoogn32.exe
        
        C:\Windows\system32\Hkoogn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Hnnkcibf.exe
        
        C:\Windows\system32\Hnnkcibf.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Hgfolo32.exe
        
        C:\Windows\system32\Hgfolo32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Hnpgiipc.exe
        
        C:\Windows\system32\Hnpgiipc.exe
        86⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Hpodedpg.exe
        
        C:\Windows\system32\Hpodedpg.exe
        87⤵
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Hkdhbmom.exe
        
        C:\Windows\system32\Hkdhbmom.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Hjghnj32.exe
        
        C:\Windows\system32\Hjghnj32.exe
        89⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Hdllkbfm.exe
        
        C:\Windows\system32\Hdllkbfm.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3180
        
        C:\Windows\SysWOW64\Hhhhla32.exe
        
        C:\Windows\system32\Hhhhla32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ijiecide.exe
        
        C:\Windows\system32\Ijiecide.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Ihjeaa32.exe
        
        C:\Windows\system32\Ihjeaa32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Igmemnco.exe
        
        C:\Windows\system32\Igmemnco.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:428
        
        C:\Windows\SysWOW64\Ijlaiibb.exe
        
        C:\Windows\system32\Ijlaiibb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Iabjjfbd.exe
        
        C:\Windows\system32\Iabjjfbd.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Idaffb32.exe
        
        C:\Windows\system32\Idaffb32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Igpbbm32.exe
        
        C:\Windows\system32\Igpbbm32.exe
        98⤵
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Ijnnoi32.exe
        
        C:\Windows\system32\Ijnnoi32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Inijoghi.exe
        
        C:\Windows\system32\Inijoghi.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Iqhfkcgl.exe
        
        C:\Windows\system32\Iqhfkcgl.exe
        101⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Ihoompho.exe
        
        C:\Windows\system32\Ihoompho.exe
        102⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Ikmkilgb.exe
        
        C:\Windows\system32\Ikmkilgb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ijpkdh32.exe
        
        C:\Windows\system32\Ijpkdh32.exe
        104⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Ibgcef32.exe
        
        C:\Windows\system32\Ibgcef32.exe
        105⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Idfoaa32.exe
        
        C:\Windows\system32\Idfoaa32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Ihakbp32.exe
        
        C:\Windows\system32\Ihakbp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ijbhjhlj.exe
        
        C:\Windows\system32\Ijbhjhlj.exe
        108⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ibjpkeml.exe
        
        C:\Windows\system32\Ibjpkeml.exe
        109⤵
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Idhlgalp.exe
        
        C:\Windows\system32\Idhlgalp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:996
        
        C:\Windows\SysWOW64\Ihchhp32.exe
        
        C:\Windows\system32\Ihchhp32.exe
        111⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Jkbddk32.exe
        
        C:\Windows\system32\Jkbddk32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Jnqqpf32.exe
        
        C:\Windows\system32\Jnqqpf32.exe
        113⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Jqomlb32.exe
        
        C:\Windows\system32\Jqomlb32.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Jhfdmobf.exe
        
        C:\Windows\system32\Jhfdmobf.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Jgieil32.exe
        
        C:\Windows\system32\Jgieil32.exe
        116⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Jncmefpn.exe
        
        C:\Windows\system32\Jncmefpn.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Jqaiaaoa.exe
        
        C:\Windows\system32\Jqaiaaoa.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Jdmebp32.exe
        
        C:\Windows\system32\Jdmebp32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Jkgnojog.exe
        
        C:\Windows\system32\Jkgnojog.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Jjjnjg32.exe
        
        C:\Windows\system32\Jjjnjg32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Jnejkfnk.exe
        
        C:\Windows\system32\Jnejkfnk.exe
        122⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Jdobhp32.exe
        
        C:\Windows\system32\Jdobhp32.exe
        123⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Jhknhona.exe
        
        C:\Windows\system32\Jhknhona.exe
        124⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Jkijdj32.exe
        
        C:\Windows\system32\Jkijdj32.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Jngfqe32.exe
        
        C:\Windows\system32\Jngfqe32.exe
        126⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Jqfcmq32.exe
        
        C:\Windows\system32\Jqfcmq32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Jdaompce.exe
        
        C:\Windows\system32\Jdaompce.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Jgpkikbi.exe
        
        C:\Windows\system32\Jgpkikbi.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Jjngefam.exe
        
        C:\Windows\system32\Jjngefam.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Jbeogcbo.exe
        
        C:\Windows\system32\Jbeogcbo.exe
        131⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Jddkcoac.exe
        
        C:\Windows\system32\Jddkcoac.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Jiogcn32.exe
        
        C:\Windows\system32\Jiogcn32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Kkndpi32.exe
        
        C:\Windows\system32\Kkndpi32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Knlpldhc.exe
        
        C:\Windows\system32\Knlpldhc.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Kqklhpgg.exe
        
        C:\Windows\system32\Kqklhpgg.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Kdfhho32.exe
        
        C:\Windows\system32\Kdfhho32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Kkpqeigm.exe
        
        C:\Windows\system32\Kkpqeigm.exe
        138⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Knomadfq.exe
        
        C:\Windows\system32\Knomadfq.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Kqmimped.exe
        
        C:\Windows\system32\Kqmimped.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Keheno32.exe
        
        C:\Windows\system32\Keheno32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Kkbmkhej.exe
        
        C:\Windows\system32\Kkbmkhej.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Knaigd32.exe
        
        C:\Windows\system32\Knaigd32.exe
        143⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Kqoecp32.exe
        
        C:\Windows\system32\Kqoecp32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Kkejph32.exe
        
        C:\Windows\system32\Kkejph32.exe
        145⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Kjhjlejb.exe
        
        C:\Windows\system32\Kjhjlejb.exe
        146⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 400
        147⤵
        Program crash
        
        PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5716 -ip 5716
1⤵
PID:5816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgakek32.exe

Filesize
128KB

MD5
2c5a7d6803dde22e9dd7b70185e92111

SHA1
3b38de8203de69a3a44c3ce8dec9de662f6866d4

SHA256
aa78ada42c89a12da8ae3fd8c505ebed87d8aa3f4171282fcec6953aea3f0dcf

SHA512
837e72f99046df245a764f9df19783404ec1c7826d9da386c894f7afbc630611cfe8abb6424cb4239ef86e2bb1732824795d924c476e7164849af4f2d5044175

Download Submit
C:\Windows\SysWOW64\Bichmcae.exe

Filesize
128KB

MD5
c2d411f5f848cbd3adf9aef81760527a

SHA1
bce23388aed8ff610336bd692c133e24b714823e

SHA256
16986889c6e1924e06cd78e08642879a221f25b3251c533832058a39140d65c0

SHA512
0560a5a1e0272120b471a29709e95bf565670629afbde2984e3e9a8da7e5ccdb81405ea0a96a33c64bb35a124d028352ec6e3f8a28617a8348caa1562174833e

Download Submit
C:\Windows\SysWOW64\Bmlghbkq.exe

Filesize
128KB

MD5
4fb158117e789feef072e114dc2ac827

SHA1
59430b70416f662cb5860f4faabe4890e32893a9

SHA256
0015d5e347df5af88680c087e2f6d5f6a5a5d09481e48bd55f5240456f285219

SHA512
127430c357026ca5824037c256dff013a0b9e8df00f3320cf3d246d723a49e8bd58763a214d8ae7028cda66fea571a1311197e64e8cc8004947c571e63695688

Download Submit
C:\Windows\SysWOW64\Bpjcdn32.exe

Filesize
128KB

MD5
11ceadcd9b467bf5bcea6d780e03d91a

SHA1
c8b198770399003632403cc1384b9b094006d487

SHA256
d342b50b9325e3d718e7b89e8ec26e3c3fea1ef4e6af0a8547f15011d2cd6634

SHA512
10d021a9474d674901c8d1932adbe0e7aa9ebfe768a5ef9f9f21c27cc37b352a499513b39fbc111b53c01dd9094825a0a2a8077cffe49c6333ef055bcef15144

Download Submit
C:\Windows\SysWOW64\Bpmpjm32.exe

Filesize
128KB

MD5
4cfbb515340bfc34c6b5fa364048bd6c

SHA1
02a2659b52030dc415f1a4334f99fe70a45d8b97

SHA256
daf3a794f754e0e82336a21c64a70d0f3d828ec2519c6b81c0a63c6a50d8e3bf

SHA512
f2705b7c21595004b0dd4c591026ebf2a7bf40ded0aac077307b3767e744c663eb6fe96018c5be1813e592ea40b873cea01abad60235d448f6946fb1f99e44e6

Download Submit
C:\Windows\SysWOW64\Cacbdoil.exe

Filesize
128KB

MD5
ad8e698d272c523d86dad1ec0ad97b60

SHA1
b9ca35ea9a169564cffac07a26d20a1c59949691

SHA256
b3645045cbd426fbdba81ac34093a6528fdff73bd4ff16a528d852c783417a6b

SHA512
dc0ab0b5ea95079748329081896671e2b2e7fae52592ac0ad83db52aeda524fd52bf1098d397480026f327d6148e89b0af368bf919ec1d399bd96e529dfb4b69

Download Submit
C:\Windows\SysWOW64\Calldppd.exe

Filesize
128KB

MD5
f96693499edda8e862905fa77181798d

SHA1
be4a1994fed75ee2cee7f6001cb1f061c8eb7f9a

SHA256
360f26659c6b8483fd3930dcd8b7adf803347a6d593be63c83f8dfc920d8ba21

SHA512
6653b53f3488608876ca22abcf28a95d99c6faf78ed96de7ce7d8aaf1b023d7999a92f3d34747ef1d83cc5db24a11a5a92472dad35033b5fe5328412c1c4524b

Download Submit
C:\Windows\SysWOW64\Cckipl32.exe

Filesize
128KB

MD5
e9b508b2e5924e6435d449aa75239a64

SHA1
e74a2da09e6df92ba173fa5841cb65fcb03f41d6

SHA256
adcb4e14ff45909f7573b4643477dd6c8cebd7e54df0bb081acfc8003df74f15

SHA512
4f35f743a81f0733d9c3b578d3d1f70721b199dc5681e214886bd5ace16370f333aa770c0856496c01113a1297d889b56284464b61bfafed89b06fd14edb84af

Download Submit
C:\Windows\SysWOW64\Ccmeek32.exe

Filesize
128KB

MD5
8d3923450be5f3a781c881a9c94e8297

SHA1
c5e62d44959956acbd9c08f975b4398e8a0c2e16

SHA256
9366a0f94bc8d8729ed32c0448c695831a6f37a92b1c8588e472ea471a42acc9

SHA512
9639290fde6aab0d554e9aca92de24aa9b4f90553d728f457d0c5076449e41d1efa116f7c5b9eedc5cf66267f68d2ebcb37397e24a79dafcc023c56e9141710a

Download Submit
C:\Windows\SysWOW64\Ccpbkk32.exe

Filesize
128KB

MD5
7bf7ea80da6ab6b73984251cdf762731

SHA1
5fe517b4b58613e815e0807aeb8cab23e29b59fb

SHA256
05271b39d1797e76a81c9a157e3213f413279021903ff2010ee08b1c6261533b

SHA512
403a320c3982b8f4f7327647b20a50152f16041e99af871bddb2110519523896b2058a9125d48b09734d5e7c5f26d67c5604e0afb7868d58430fcb2857b7fc66

Download Submit
C:\Windows\SysWOW64\Cfghfgpo.exe

Filesize
128KB

MD5
2bb494019e91da1fec5bf60d39d6aff8

SHA1
df1e7a807e69c57dfe1463943b56126f50c79961

SHA256
f7100b11a0535dc3899e9429bc9458b8e193586f48867c6d4cd596256c6b70d5

SHA512
d300d6f6e4facc370e21d1abc55b675e6e9a86cbc30d988dede601c25b75b716c0a9ac1d65f2f8a25f670abed58ad436cec761c309d4b4f54d07bd3ad38a2fbe

Download Submit
C:\Windows\SysWOW64\Cflaag32.exe

Filesize
128KB

MD5
1e4f4d4a3a52558fe26343e81e7ad2b4

SHA1
07e0c739ec88c77441a33ff0476fcc39104662aa

SHA256
991c8619df30f47ec4dea1a36a3b1b79db4754c6ed7fcd6801d3baee4f534679

SHA512
e3d9672f901646f5586b1fabc7b75155dd382c98ab1cba4c9bc0fe228ecd4cf188786835ee4d4ae57cf18cabfd2960d8337d2635c32f6bf92ab2b00a6166e08a

Download Submit
C:\Windows\SysWOW64\Cfpkmfhd.exe

Filesize
128KB

MD5
c9e5c084e492bbe5aefbfeb514275aa9

SHA1
18e778a9fcd252934dd293f998fe2a69b70d5fb3

SHA256
1296e0229516f3a5f00e0da5fe74af01e84bc7891a91e4a597c3d59098db08e2

SHA512
0e859a2dbee9a77c196bb9d2597e80099c9085874b5d8b81cfc388772805c9c1cd6f863893a53b22c1dafb03b2ac9c11a452138812ada94189b49ee80858cbbc

Download Submit
C:\Windows\SysWOW64\Cigahb32.exe

Filesize
128KB

MD5
c4685ab643ce9897e50ea13c510020dc

SHA1
c94c6ca98c612ec8e770e62a72bddd60a36e700b

SHA256
f78b94478be148bdcfacd8c44d26d1c6df3529899b4fc334385373b15d4afb68

SHA512
59b7b66db0e8b2c1f34b49fb44143c206a797eaaf77ffd4a2b71c6f5468e7061f6b0cf88aa3072abcb0c45b0f8648b9852237851a93a84bd4ed0d97316278560

Download Submit
C:\Windows\SysWOW64\Ciljcbij.exe

Filesize
128KB

MD5
e677f739bbe19da67f56293eb268bf00

SHA1
974628009ac35af2efd471b53a786f76aadd9cb5

SHA256
91913a5f6c6930323f49e8ba3bb6344317a76fc5de0b7011e3d85c33848adb76

SHA512
7ede8ab665afa6e2af219f3b0d90d1cce07236638662dc3b998a157b3dc0ad823ee4df6e6d3b8e5522a99277a7450d61ecd8a7fa591ae043d7250065674f57c8

Download Submit
C:\Windows\SysWOW64\Cmjcip32.exe

Filesize
128KB

MD5
d593e918bb2aeca3e6d1fb0dd3eb84dc

SHA1
8125d7c35902298a7d3baf42f5a642ad08de2055

SHA256
a04ab02633e1cb8ae354ee92d5e06af9ed84973ed61d5507308e119fa4e89b66

SHA512
6cc6ebdbce345236601e97933f988eb743bc7dd4a8263113fb26ebe392e263b8a96eece16c59f57f65b1ae813225a67d58bce9e31640d71dc3f9dc3be00447eb

Download Submit
C:\Windows\SysWOW64\Dajien32.exe

Filesize
128KB

MD5
5465cea915ea8246f499fa0ac7f8eb9d

SHA1
03b231e51eb8d69aea8c4355f76f54053c826a0f

SHA256
cc46a38c9e5c9a68e4345d141cc0b181398d4c7f85c89a2c616aab9a84796b15

SHA512
0a27d72bfbae1d4ab3a85dc5e210a152e7cf50f36b822a054c5405559b2b1ed0821f37f09d3bcd9e8e821618161b2f0dd5ab79aa2d2cc05c35299e630b819c47

Download Submit
C:\Windows\SysWOW64\Daobpnoo.exe

Filesize
128KB

MD5
48ed2a93f61375d883120c60d4ba9443

SHA1
8a68bdd38584aa661a58094c3fede39bb4844ba1

SHA256
70be6415c41172a261ef26791209f685f50ac7e4b2634242cd6ccd4ad39b4690

SHA512
106b5c2d480b4a3a6a39da10f3cde6d1968f50c9a3d9954b9373cb4b1db79e513331a5f5d135a02fb7170ae5bdec41e3952bb17b850e19c14ef37c6611594a12

Download Submit
C:\Windows\SysWOW64\Dcdkfjfm.exe

Filesize
128KB

MD5
9b0702338f3f1f6d7e561e4cbcc6dbf9

SHA1
e92d4a6aeb173208755c8583896c04bfd996bb8d

SHA256
440a4ef057bf126ce2d791aea948eb146c86238163338b300613ea84f93298f0

SHA512
45fa15f099688e05729d37aaf14353008f025f8855b26a58dd1b2d2e52b559f1cf2388ecb149394405c43497dccd30d838d7924833b50b3fd6b23627ab42fa33

Download Submit
C:\Windows\SysWOW64\Dckagiqe.exe

Filesize
128KB

MD5
85d206d4aebbe9c81d878a22dca1faef

SHA1
6aef2caf82eb06748f6f37b85edb7c40e4265a4a

SHA256
c1d9312c11162158eebb50a570f3396a96b2332c67f8f68c0feba9ab59dbf080

SHA512
539a04600954f33741f0727e2e0d34fd011f9195720ca72e7cb67b00debba0582243fcef6a0decc4197c10377a78445d231ce0b5e6f8658c64861259d895474a

Download Submit
C:\Windows\SysWOW64\Dfgame32.exe

Filesize
128KB

MD5
85111dde9c3e1d8bd70b665620e5a20e

SHA1
f1cc73e22a7d8cf6eacc4d9da3c02682e450bec1

SHA256
aeed7a4769a36dfbd9901a658168c2ba40060dcba93567cc2a861bac1a72c392

SHA512
6fc692fc475baa4bd9756e2f2cefa0bf35e50deefe7ba9d301553c9f3798ecba7472fba06d72f6f9acaebfb9241b92ca2b11541b5b604840ca1d0dd7376ea3a3

Download Submit
C:\Windows\SysWOW64\Dhijmh32.exe

Filesize
128KB

MD5
b4d95ec8f6443832ce1166851df56e3e

SHA1
74a78d5de08a9648a2742d44e237a269b25ffa9b

SHA256
10855f42ea77ee866c588709268505aec29dd3531d529788e3b4043dbd992902

SHA512
9605289bfcf502583921255b64b3609950e5d13e6e855ab0bd35e1842e22fe831ceb4e0f05d58d6f34a32cc038dcae0f75df5fa3bae1eea36ceb54960f7d0196

Download Submit
C:\Windows\SysWOW64\Diadna32.exe

Filesize
128KB

MD5
a6e7f16f103ead9806eefe5df4206103

SHA1
314cc6a8692603235c8cf18fc7236a77d23310c4

SHA256
0323bdcf59855b72f964d25361c1ffff42ba6230f0824b4ceb22c2f469f041fd

SHA512
76318804256ffc694f3645f9f28bbf37adea296bfed41dc84720e9b792810302ecf93fec909e93dc9443797ff6db96a641f3a14ef3e09ee98f6d9eb2f669a283

Download Submit
C:\Windows\SysWOW64\Djejcc32.exe

Filesize
128KB

MD5
7bc046f77ec74627ab96b2309a490ed1

SHA1
04693bcdb759877630a558038a0e0277506f5f5b

SHA256
24f4829ba2ac3faed0994713edce4f58bee894d8d03ee6593a3eb195d4ad9c35

SHA512
be233f014b9f620372e546726e9da690c04132a8bca302ff64643887bd70c7043484b3c7a5f28273ab5fe8b8bc29ff30e9442319aa4493eb9311f959b579dcea

Download Submit
C:\Windows\SysWOW64\Djqphdlg.exe

Filesize
128KB

MD5
e039e344ab6744ee36067b4518a00a63

SHA1
1f8f0187ba76d24e53050142949117f23d1e0811

SHA256
a48e878b33534b3c67da9726754370ea16cedb95fecef9e907697d326d17e21f

SHA512
390fbd2e1120b75569a3d038afe72ef7562e28bf30b564c9687931cc8462d3cd1942343947a135872f600173eb5914c32f02f23dfa99e6e3f8b863e1baaeadca

Download Submit
C:\Windows\SysWOW64\Dmaijo32.exe

Filesize
128KB

MD5
86fa2ea9ec67a1eb6c7fbda38a8e8426

SHA1
9ba03393d820ff204b0c67b4144585a2ddc296d3

SHA256
95af69354343c8a96a006871c1f9e2b8bfa5e40669fa88dbf3b72deeebf34fba

SHA512
c816c4cb7daed60da73d3228e1c1f365146c8a7c8a7fa35df6075c4f7a574521db9edddb6bfed14e52a35b7cf5c0ea0549d70c70ac443e3cbb47ad5fa195a695

Download Submit
C:\Windows\SysWOW64\Dmfceoec.exe

Filesize
128KB

MD5
ac265824187329da5216c4c4a9ce8684

SHA1
7544bf6cc517393dd6b1ab69cf480e3e25bf91a1

SHA256
b4354f1f7e1176b611687e04f4b1c96f5b395a2f38892af05db92dc198d7db45

SHA512
77ce17ff619ef3c74a2c1cf2172c2e2979b5acabe3f6510a7c181fc5574633817dd301547f8fa4284d875eab5626472b2f9580999ad7edc33cb0d293f8379563

Download Submit
C:\Windows\SysWOW64\Dpklkkla.exe

Filesize
128KB

MD5
9a933099eb8ce2371671586554fd6d0e

SHA1
3f66533969e54c835ff9bf11dfd0b8f6c45ad921

SHA256
d8c88b41ecc7c7d9da4d0179bd068f8f2a184f787c75119bdd402a21e8b10b89

SHA512
1931fb54f058187e819504944698d3066ede2bb7cad85cf793f1d505a70159cc66e3d8c353f0c48a972c8b2f00dbc87661c3de0551a29ea2d90ec80f1f0d6e78

Download Submit
C:\Windows\SysWOW64\Eadkkm32.exe

Filesize
128KB

MD5
57224995f05c8d5dac054dd46e0b467e

SHA1
587a13159e1847e4aa5068d1f5ed02657e648f78

SHA256
d14d1882d4d7efed2dfa65c5f9cd719460e6c318e5dfbd0f2d9fae4c4bfb7fbf

SHA512
c07448de529c11ffab3963b441138d9c5945cc82bd6a44a796b8774a6560945a53ac02bf4759db7d02771f3996d3cfa7228333cfecc88ba85949badffb02dd12

Download Submit
C:\Windows\SysWOW64\Edbhgh32.exe

Filesize
128KB

MD5
829744d9058fb163eb0dd35a340505d3

SHA1
b6315503a5559d029c158bbedbb4edd3a431d56a

SHA256
c192ebd20fb32fc0da23f281a41e482f19e985919f78df27b0bf2750b88da610

SHA512
ff242cc1ecdc6c8254a23a8ebb231c9d7c2d4135e4b29406f46b1a418a11c197fcb9d40e793eac28f56b6fbfb817e60e87ba9e330b7a478e37b2e2b80b661adf

Download Submit
C:\Windows\SysWOW64\Edpkbi32.exe

Filesize
128KB

MD5
93c2d7819d7f65841cbb599375e2215a

SHA1
52afa19ff6a0f3911d2b2da3970a6593aefc25dc

SHA256
dc1f1aef168e0c5bc3f8e63ced5ece0f77e90526648415ca200da7703c70437e

SHA512
d9bcff08b773f996390bffb41d5fcf05f7db18b017b9ec8bb4a20463c77def04d3ed9e87537c1a56dbf5eb52ef29b81c8defadc22c7f94c4958a74e695e59ff2

Download Submit
C:\Windows\SysWOW64\Efemocel.exe

Filesize
128KB

MD5
46ee62ec3ecaafdee87f394701b5f9fe

SHA1
44de57ccfe545c3445338e635591b5acbc26933b

SHA256
b0fba999c33d3c04de50422db377896f75bc49d3d1e99e80b7b65923f24f7076

SHA512
f947655ab01538a7eeb03863abb912268c2a8a072def2bff7ed67e07e9e90b70dab8c586fa1a010a582a370519790b5f3d9b48313b0064365f3904f13880d837

Download Submit
C:\Windows\SysWOW64\Ejjcocdm.exe

Filesize
128KB

MD5
0a8b63ed4ea98823f3889c0ba8787e26

SHA1
f39439c974d62181a996d6ba3e1798b8027f1f29

SHA256
c77bb248ca57be11cec9a12a372acea3fc90100c85133ed65e12cf84148e6dfe

SHA512
88de7dcafd71a4d6c4a2d5021696d84ea32b5ebba88dbd6a72d359a116b81180f30e7a967440435793ca863df29a58bd65fd6c47e184417b6d4de02952e06a97

Download Submit
C:\Windows\SysWOW64\Emabamkf.exe

Filesize
128KB

MD5
e51bbbd37a4238d57e61de845335c914

SHA1
1423a975cd6c614ebc345a0efc8cd7f1ff6f7b93

SHA256
0280a3bd3634685ea83c15de8e8b79d692c7db3853f044c80ad75e2199166d17

SHA512
7a5bc7355194e7a66fcefd81961e0d90dbfa39886238f8eabe37438277f7b563d6871e90347d68a3773580512109c954ab8736a4942083941e180c680d22ec77

Download Submit
C:\Windows\SysWOW64\Fafahj32.exe

Filesize
128KB

MD5
3029853323bd44b89b543b900c8f061a

SHA1
a6a16dfc607ae13ba2f9275a5735fafd7ee67090

SHA256
4636ef4d1c01315799c67f7d690a67b5acbfb80446f5cbf2c523fa1dbef9826c

SHA512
a14344589f01d2c945d2dd6dd06beb14bcc2083a99a50eb32b21a16103c91f0f34955553da33b7c2b9f907a52f574b9f7b9cd1652d4a567f32a42cdb6dead80b

Download Submit
C:\Windows\SysWOW64\Fkecjajp.exe

Filesize
128KB

MD5
8cead4c602a10d7bc287f37c052fb208

SHA1
263a39a53d330a9a6698f0f164ee1830d7c4dcba

SHA256
0b037e5a36ab7fef8610f6e251b2e65b035b92582206153ad999866f9ab699bc

SHA512
1e455eb8fce83fb4ae4cc31cb23c59824403601d5ec5a61e0a59a1ec32841d3ae1b43fbfec78489ec8a702476f3f004ccbf4739118493c13205c8e03cdb9a74c

Download Submit
C:\Windows\SysWOW64\Fmmbmkqi.exe

Filesize
128KB

MD5
1ce10120a32393c48e678b1774caf9e5

SHA1
3a1a0122bffe961d022c4674d5e52d1ae3127075

SHA256
d515af5e73e20ee31071d50f0f7df607794da4d7c5d47425673bd83536d62187

SHA512
7a181f6d1ae54b0e1265f3895c4f8ff19deadd35fb982322d0c7792f9498db3ccc65538b10c26e0a70ac28d79b556b3e72ee1d0fa76e05f26a56aeb65b125705

Download Submit
C:\Windows\SysWOW64\Gdlcdedp.exe

Filesize
128KB

MD5
cafcf7f3033c7ca2101871c060f1d54e

SHA1
e19a36b4e2ab2b59ebe47b552548dd600ce3105e

SHA256
da06be898adccc5db049b69847be63271851f0d22103ebecccd3259abd5bc18f

SHA512
7413e9ad4cc2d4c479eb539323f68b5a53fffe1e1e266baf1f4f5e7500c2d86cf422852417176d1c0a9ed6ebcd0211b84fb77a2421d83789239a206d5968aee6

Download Submit
C:\Windows\SysWOW64\Ggoilp32.exe

Filesize
128KB

MD5
f5399c9a7b241923f8ae7df22ece81fd

SHA1
fe3e5bb76c596ac76c837fd98c1fd411d2be023d

SHA256
f274dc90c20836aa5750e3339bd5b48dd2c051f217f420c3dbece1e156202128

SHA512
2478ce23562f22c5a7b2e7941232be89e861ea614172d1167cf864371025338fc63a72f225b20dc9691a82d9b9012efcebbc00c97a23c1b562743938fa82ae4a

Download Submit
C:\Windows\SysWOW64\Ghjlkcjf.exe

Filesize
128KB

MD5
764a72b04d4cf46cca7d919d2692c07d

SHA1
4f3f021da7b4b005fd67c3a1a613aa981509db75

SHA256
a971dca510fe5e0d06b6b05cb05d46def38059f445b839a600f22a5b5ad2b491

SHA512
1211d5f5252219db0fdb123e25dce7cdf6528447b9e6367224b4d389d6553f70b76ba19ed36cfdfd2e26d610454759591ea012463341a4af6c8fb0c637828b23

Download Submit
C:\Windows\SysWOW64\Gidbalfm.exe

Filesize
128KB

MD5
ec1bf21d4ab06c3f3d01789515c86a20

SHA1
4b62dab723a834b35c7ead783038c2ab71eaeeb1

SHA256
3d4cdf86e8f5ff4982ac56a938151471b0e0fcd97bcdfdc5d9a687f24e3d7ab5

SHA512
7d91ba7b002e4c4ce5cafee9d284acf7b789e09b6acc7e34d01617becbeda4524b3cda3e1f6689cfc37e2da16be37c836b0319f39d3ec0fd91e375a9e3bd7e1e

Download Submit
C:\Windows\SysWOW64\Hdllkbfm.exe

Filesize
128KB

MD5
11fe9eb12968c688f5bcfde7c99f5c4c

SHA1
764aa8388c69739fe0bd9d8c0ddd0df85bda2e6b

SHA256
1ce2a1106ea895bb85e01c467f41c553d6abb9962fc7fdac659c83cc0d51c948

SHA512
d51e4a1f3f0f2544ec8e7429788f8ffa02233295508173c39a1976beed9d5da0393488fa8f438e32c573f0623b177f30c65e72dd17791a94478979ac47431bc9

Download Submit
C:\Windows\SysWOW64\Hgdbgoki.exe

Filesize
128KB

MD5
3d9e54715d2ba153c1d5eb6713923e7c

SHA1
cc5ffd0d6fb6c8c72d54d204d92d4ee33968dfb9

SHA256
f03c62ba7d609da5fb39da111409a1279364da80982191bf3714665525e050ab

SHA512
b12ccc11a17e1acf504c77e2ac77584a5cea379a329083e7ffa273cdc46e59114e587d7c5ab6d26979951bc1512f7d823dcf23e3d3e0af49d78244bd2f84f9b0

Download Submit
C:\Windows\SysWOW64\Hgfolo32.exe

Filesize
128KB

MD5
975f3460293b72b51b3e4bb1e8134b7d

SHA1
b18f2d6795dadb2377f53da1037187a3c4837b07

SHA256
4d21537ddd35dd65c049efea0fa5a8a21148aade25220f2f80a8aa432131c189

SHA512
e434f1d31481cee4db322f7fe92cd62978637c9610a618b9465c9e37a5c21a9a6aee84d807df414f1449879ed6784671d112e55a87331ff1f7f8854d99d856d4

Download Submit
C:\Windows\SysWOW64\Hkdhbmom.exe

Filesize
128KB

MD5
5aa4a984b89082b59a2ba1d1d8437d20

SHA1
196e206be94b0db26f4b2895d956d75e7ec9c149

SHA256
1aeb71571e09ee97c38ed65efddf4a9b4b6912888b40245757920e0e8e8b5ede

SHA512
c1fefb32d0aa73a09673008b86a1279295be9462e8210885830e7464242d06d1fa5a12ad53ddfdcd134d1747e82df813ba4c5b56c82cbc27ab26720d2051d248

Download Submit
C:\Windows\SysWOW64\Hkmbbn32.exe

Filesize
128KB

MD5
8a114f681e5407bd86953e4357d53938

SHA1
700e93e93292c55a098c1196440cf5f75e9900f9

SHA256
4762b741c0aed0c20e85308b71f5763f0a5c126be3028f10f75c227c139c788a

SHA512
9841c46d02599e004e62b1c6eef026dacadd0e56afd0d4ac4bee2b008d780bbbe9dc063f8e79a22eb523985d947cc528111efc09d02ac777e8be807bd48c3cab

Download Submit
C:\Windows\SysWOW64\Hniahj32.exe

Filesize
128KB

MD5
b754a880b19696e0fbd1412f66094f37

SHA1
d447faf62697e1f31207c0155269d4de5a0a48be

SHA256
50b303fab587724c2c15278d991e70f24503be26a2ad6ff490550c81beb3ee1c

SHA512
2b1759e42424dddc0b5ef60c6a427042f93502477a60b767f2287de618a5d1755ced2ffdedd29b483dca9a9fb4c4b3eb93126760dfe315f0e1bcb492c832f8b7

Download Submit
C:\Windows\SysWOW64\Ibgcef32.exe

Filesize
128KB

MD5
42515f2404d6890f2a38e467dc4fa125

SHA1
3d3e7b081d8771da57a444819005f474c763fd2e

SHA256
e1241ddb05906bd2b55a4c8b3c6e2a46242aaa5faecfa9bfed8d3ce53d2f419c

SHA512
1b41874f61d9955b2a2ec17592a63373a190e355ef61ee5c824a8941783a84a806ffadc74f8eab3a304d65556388257be57d5e7f54d5b5e2957820352c44c0dc

Download Submit
C:\Windows\SysWOW64\Idaffb32.exe

Filesize
128KB

MD5
d1b6c788fc940c1867c4c99267375211

SHA1
a9375c3bf1218194de87589f3707b290bbcc38a9

SHA256
b3a4fa96a81f6cde1eb559a10d5082fbe67165e8c1f2b1596460cf0586426b45

SHA512
6291a06bce5b688b677891f2135eb9289320cd6d29a4797d5729adaf08158a1acf52319ea6aac1a60e0faa3e5e6dcbb22a6e1a6c940656cbd91b974be95c1952

Download Submit
C:\Windows\SysWOW64\Ihoompho.exe

Filesize
128KB

MD5
de007a170575b215ca4dba593596a629

SHA1
a2e5f7658b42d054721916ae27dba0640ca68e4a

SHA256
5da7c652475b5867829c7a608fed7897de5ee8ca33cf4344ab5be21e1aca61e0

SHA512
9d5ceccf98b05a46bf230c822a7fb74c50635f7f7d601c1124c0b0ba7484686ff53889f657cb2bde5c6c1df5e40fc72a3633f04ff64ed6db6deeb6a29e01bcab

Download Submit
C:\Windows\SysWOW64\Ijbhjhlj.exe

Filesize
128KB

MD5
ca4bd5b609689ca853198f81b2fc8cc9

SHA1
cb9f3ffb8716e3671ab322abd5692ff12decac77

SHA256
410b54aff7e226068590e76b891cad06afd56b367520e696554325a28f47a3f8

SHA512
7a4390cd23763a44a359738a032026f90ec450e4b6a505868890a3a46a71ece7f0664b5e15ea51a69fbb46ca5ae80593c2ce0a3933ba580e8e4843f55d485f7f

Download Submit
C:\Windows\SysWOW64\Ijiecide.exe

Filesize
128KB

MD5
be1e5c0c365b3934e4503f0ec93fa450

SHA1
f559ec944263b604fcc489cbaf024971f3ba87a8

SHA256
8ce078c0d0c565ee328a2af89882c74c938c938d418aa8a39ab89453d0269da9

SHA512
9602408ddedcd10387ce5c75ec49f5cd5c4f7a0ca8b58db5fcba74bde627c7bc113ccfe052ef2a56c9a8fdfb5f076ab2876cc14335b5106875009c525fc00525

Download Submit
C:\Windows\SysWOW64\Ijnnoi32.exe

Filesize
128KB

MD5
107d347998092553729e5149f5d86856

SHA1
6ffda9a5a896b5f934cbe3b000cae5bdb8cdbd37

SHA256
e6c881d2f1d95c65dea5b4a99a2e0fa0e9d4d85cf199d9c3ac181682346eb5ed

SHA512
ffb9b3be38cb88abcc52b3eb50aca19710b72efd2a25c894409a0a87faa5209bcfe5a57be276dcb82e8801c610e144d6ec53ea078c029d07feb13a29d88cd936

Download Submit
C:\Windows\SysWOW64\Jdobhp32.exe

Filesize
128KB

MD5
afbef89fc747123df21f590b6c237b34

SHA1
3014b867284c9c8e1189c3b10d87912ccb0d5b9c

SHA256
3a2e0b494b4ac6daa315c7a3bc9e57712ce43854fb2a35aed9569b228294e646

SHA512
1d0156a0d92f89dbb30e91926b73fc38c28778b68aab5789f3ab7f3fc2429a3a2ed263b90dc29d94e54c69bad70620abe776f380510a1a4ec2f489204e54b6dc

Download Submit
C:\Windows\SysWOW64\Jgpkikbi.exe

Filesize
128KB

MD5
7da2f352e5db165acee6e808a6c9ec45

SHA1
2f12e015c181c6ef9017f5a766c495cb284fbfb4

SHA256
b9ee5922ec635b1e2a5da717ca94f9124197fd2b12bbef9d3ccf9894f82e3efc

SHA512
2faf629445531fc45f825381ba84a1100b0abc8c643ea65cadd829b7583b65875a9426dc56152abd10d014583737073f1f32464eaa6667c01bd39a94774dca39

Download Submit
C:\Windows\SysWOW64\Jhfdmobf.exe

Filesize
128KB

MD5
8d26b6163e4bdae5f0bf0589aeb2fd3a

SHA1
6a5fab07449f00d0d34bf6063a401d0cf56c38dd

SHA256
284dd5cbfd1023f67f52896694ac32471873aa7f3b7e42ceabccb1a3d8a320c1

SHA512
8b1337376ec1a8f5b9dba9ee426f01cf0da6eee989ad03683be1b03592f196a594f33fac0c52029c4331ac4ef87d5653cee9929978923adaf8b72a6470fb60c1

Download Submit
C:\Windows\SysWOW64\Jkgnojog.exe

Filesize
128KB

MD5
9fe6041acaf7f4fb18d1603d50cc09cb

SHA1
56b8550ee028e08fa5645c2942efb7700f7f0cc2

SHA256
9e67de5ec84b736d12440a62095a9f8ea51e2884eeef7075e6041f2567964662

SHA512
b2d00b47f146c68835c38c3c6fa5800eee81411b4bc0e62d430d9700180d1a90784b53b389c41233ecac4fbf5366246bd818c7af75e307eae0959852fe0f247d

Download Submit
C:\Windows\SysWOW64\Jkijdj32.exe

Filesize
128KB

MD5
175c86f7374d5cb5652d419e85498d99

SHA1
2ab933f98b03b0ac1073a69c7e1ead257a8ed9bc

SHA256
e889490d2df39ff780bace1cdfee7177ffbd55ef5975f907aa3adf6485091fe9

SHA512
82dbac82ff25a303e973eeae948c821a01878f0d9833403764c4554e1a05f18adad924be5d31557c2387d1cfc1678b49e6d06356ad246f1474f94bb8be967e89

Download Submit
C:\Windows\SysWOW64\Jncmefpn.exe

Filesize
128KB

MD5
90914a0dc5af61868ac642f46e764469

SHA1
42e45850a08f0ed09d2b6e2ce975858970751520

SHA256
3da6e3078ea6dfd75e364af75104422b33ac2cf67fac5479acf6e8ed53b769da

SHA512
77660cdc31caa04c9b2e62f491c5a9faf6c504fa0fc4127ef70523962e01a0f38c7cea15bf362de3555d5f055674bbfbf65b65f0b0bba643a23d0a71c87076ad

Download Submit
C:\Windows\SysWOW64\Jnqqpf32.exe

Filesize
128KB

MD5
b832baa186ab8609671af87e39b85535

SHA1
59c8ba6fad2ee6766ab745bcfeafc57d1df95961

SHA256
ac66f2599eef959b48200e241546a0212d977619d6ab4d28ee53ffda5b7b4104

SHA512
19d752884c3b14a4952a66ea6fb1e0392b29537ec5021169b95a0e7937105cfff79fd62aa48b7a8ec122d2fee1380f980df9aba3672521c1c3cc7e96fea8222d

Download Submit
C:\Windows\SysWOW64\Kkbmkhej.exe

Filesize
128KB

MD5
43975a06146633d40b6cff3e98c38b52

SHA1
69054c294daf7ad3613ea8e6b7c9458df2cedf5c

SHA256
3f6f39a2f8c310b0cee55c2772f278f446f1d51e98f79272c991c39581378a79

SHA512
52dad97f15b48ff36cae02be11943329982ad13f5e24a77178bfa5bb0b442ca69fd3a350cdbbe460c46aa9bf506b449159e69e1650dd6fecbe05d5526be8c105

Download Submit
C:\Windows\SysWOW64\Kkndpi32.exe

Filesize
128KB

MD5
94cd6a48929f4c1a023d84a133b3f1b5

SHA1
505dabfeab956518a36b89f165b4354a7ab7b67a

SHA256
33df2b1bb73174f7ead6705c4a0c0443db3d4dd60a2ddd2507f19e612a1dae98

SHA512
d3b05cbeddcfb77514685f5005b3705f9dba16b161b36bcd4da3ef5721a1b640ffd116c8db78353609ff1b0350768b39d43883d0def5dc8335216dea7aaef903

Download Submit
C:\Windows\SysWOW64\Kkpqeigm.exe

Filesize
128KB

MD5
c1d9bec93007febf134d34a0c5fe5abe

SHA1
c5f1c49ac49b9107b8ae03f3bfcb0b7fdce59405

SHA256
903e2eda35ecd53b69d417afa8452586142b6a33903f1a6c94c9fda1f5cea408

SHA512
018d4462b170f7055bf4456326e1a7fb36b4038be5522d7329fffced1efe8c31b45c072c776dde33d008bb804ea3bab77249ba57397266312e7cb11ad2365356

Download Submit
memory/180-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/212-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/336-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/836-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/884-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2568-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3508-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3568-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4132-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4200-585-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4416-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4452-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4540-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads