berbew | 83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1

Analysis

max time kernel
93s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
Size

109KB
MD5

70cd090eb8e4ab43c57ce60bd9fd0790
SHA1

a856cfc71dfd8ce1231b02c61d09bed392c06a43
SHA256

83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1
SHA512

985c5fd28bcdf6b43c1d811acb7247d9f26611fffbc0a3dae9422653e48c0c7c6d86c4ad8ca2cfe8136dca6122d0c0d4154dbfbf79c6ea0c58c1fc67e209dcb2
SSDEEP

3072:OVtmA0QUHpnpVnBCJ9mLCqwzBu1DjHLMVDqqkSpR:OJ0QUJnpVEJ9iwtu1DjrFqhz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iqfiii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kecjmodq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdojnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bihgmdih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jngilalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmalgq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfpnl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cceapl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelhmlgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jelhmlgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldpnoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncnjeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphghn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpdnpif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icfbkded.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmcilp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehebbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qifnhaho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emgdmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gigkbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Joppeeif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jngilalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kecjmodq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Einebddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnhpdke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphghn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boeoek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjlemlnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpgfbom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klfmijae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqmmbqgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chggdoee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kngekdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okkkoj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bggjjlnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gigkbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piadma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Albjnplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bggjjlnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbnhpdke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klfmijae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2744	Gigkbm32.exe
2516	Hijhhl32.exe
2708	Hjlemlnk.exe
1412	Hdefnjkj.exe
2588	Hhcndhap.exe
2488	Hgiked32.exe
1744	Igmepdbc.exe
2852	Iqfiii32.exe
596	Icfbkded.exe
560	Iomcpe32.exe
2356	Joppeeif.exe
1420	Jelhmlgm.exe
2312	Jngilalk.exe
2212	Jjpgfbom.exe
2952	Kmaphmln.exe
2140	Kbnhpdke.exe
1048	Klfmijae.exe
968	Kngekdnf.exe
2956	Kecjmodq.exe
544	Lbgkfbbj.exe
2408	Lmalgq32.exe
1276	Lmcilp32.exe
628	Ldpnoj32.exe
2388	Lilfgq32.exe
2704	Lcdjpfgh.exe
2660	Meecaa32.exe
2644	Mcidkf32.exe
2616	Maoalb32.exe
2548	Mdojnm32.exe
2520	Ndafcmci.exe
2908	Nphghn32.exe
2344	Ndfpnl32.exe
1544	Nnodgbed.exe
936	Ncnjeh32.exe
2580	Okkkoj32.exe
1960	Oqmmbqgd.exe
1292	Pjhnqfla.exe
1044	Pjjkfe32.exe
1752	Plndcmmj.exe
2196	Piadma32.exe
376	Pehebbbh.exe
1696	Qifnhaho.exe
780	Qncfphff.exe
1848	Ahngomkd.exe
944	Abjeejep.exe
1852	Albjnplq.exe
2592	Aifjgdkj.exe
2236	Bihgmdih.exe
1956	Boeoek32.exe
2232	Blipno32.exe
1612	Bafhff32.exe
2756	Blkmdodf.exe
2648	Bahelebm.exe
2512	Bnofaf32.exe
1328	Bggjjlnb.exe
1104	Chggdoee.exe
2012	Cjhckg32.exe
640	Cnflae32.exe
528	Cdpdnpif.exe
2144	Clkicbfa.exe
868	Cceapl32.exe
2984	Clnehado.exe
2412	Ccgnelll.exe
2832	Dhdfmbjc.exe

Loads dropped DLL 64 IoCs

pid	Process
3064	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
3064	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
2744	Gigkbm32.exe
2744	Gigkbm32.exe
2516	Hijhhl32.exe
2516	Hijhhl32.exe
2708	Hjlemlnk.exe
2708	Hjlemlnk.exe
1412	Hdefnjkj.exe
1412	Hdefnjkj.exe
2588	Hhcndhap.exe
2588	Hhcndhap.exe
2488	Hgiked32.exe
2488	Hgiked32.exe
1744	Igmepdbc.exe
1744	Igmepdbc.exe
2852	Iqfiii32.exe
2852	Iqfiii32.exe
596	Icfbkded.exe
596	Icfbkded.exe
560	Iomcpe32.exe
560	Iomcpe32.exe
2356	Joppeeif.exe
2356	Joppeeif.exe
1420	Jelhmlgm.exe
1420	Jelhmlgm.exe
2312	Jngilalk.exe
2312	Jngilalk.exe
2212	Jjpgfbom.exe
2212	Jjpgfbom.exe
2952	Kmaphmln.exe
2952	Kmaphmln.exe
2140	Kbnhpdke.exe
2140	Kbnhpdke.exe
1048	Klfmijae.exe
1048	Klfmijae.exe
968	Kngekdnf.exe
968	Kngekdnf.exe
2956	Kecjmodq.exe
2956	Kecjmodq.exe
544	Lbgkfbbj.exe
544	Lbgkfbbj.exe
2408	Lmalgq32.exe
2408	Lmalgq32.exe
1276	Lmcilp32.exe
1276	Lmcilp32.exe
628	Ldpnoj32.exe
628	Ldpnoj32.exe
2388	Lilfgq32.exe
2388	Lilfgq32.exe
2704	Lcdjpfgh.exe
2704	Lcdjpfgh.exe
2660	Meecaa32.exe
2660	Meecaa32.exe
2644	Mcidkf32.exe
2644	Mcidkf32.exe
2616	Maoalb32.exe
2616	Maoalb32.exe
2548	Mdojnm32.exe
2548	Mdojnm32.exe
2520	Ndafcmci.exe
2520	Ndafcmci.exe
2908	Nphghn32.exe
2908	Nphghn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndfpnl32.exe	Nphghn32.exe
File created	C:\Windows\SysWOW64\Qifnhaho.exe	Pehebbbh.exe
File opened for modification	C:\Windows\SysWOW64\Cnflae32.exe	Cjhckg32.exe
File created	C:\Windows\SysWOW64\Ccgnelll.exe	Clnehado.exe
File created	C:\Windows\SysWOW64\Pjjkfe32.exe	Pjhnqfla.exe
File created	C:\Windows\SysWOW64\Hmcqik32.dll	Ahngomkd.exe
File opened for modification	C:\Windows\SysWOW64\Eepmlf32.exe	Ejfllhao.exe
File created	C:\Windows\SysWOW64\Igmepdbc.exe	Hgiked32.exe
File opened for modification	C:\Windows\SysWOW64\Joppeeif.exe	Iomcpe32.exe
File created	C:\Windows\SysWOW64\Dfkclf32.exe	Dhgccbhp.exe
File opened for modification	C:\Windows\SysWOW64\Ecgjdong.exe	Dmmbge32.exe
File opened for modification	C:\Windows\SysWOW64\Einebddd.exe	Emgdmc32.exe
File created	C:\Windows\SysWOW64\Nmkmnp32.dll	Emgdmc32.exe
File opened for modification	C:\Windows\SysWOW64\Gigkbm32.exe	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
File opened for modification	C:\Windows\SysWOW64\Jjpgfbom.exe	Jngilalk.exe
File created	C:\Windows\SysWOW64\Kbnhpdke.exe	Kmaphmln.exe
File opened for modification	C:\Windows\SysWOW64\Lilfgq32.exe	Ldpnoj32.exe
File opened for modification	C:\Windows\SysWOW64\Plndcmmj.exe	Pjjkfe32.exe
File created	C:\Windows\SysWOW64\Glgkjp32.dll	Ecgjdong.exe
File opened for modification	C:\Windows\SysWOW64\Hgiked32.exe	Hhcndhap.exe
File opened for modification	C:\Windows\SysWOW64\Okkkoj32.exe	Ncnjeh32.exe
File created	C:\Windows\SysWOW64\Bahelebm.exe	Blkmdodf.exe
File created	C:\Windows\SysWOW64\Dgqion32.exe	Dgnminke.exe
File opened for modification	C:\Windows\SysWOW64\Meecaa32.exe	Lcdjpfgh.exe
File opened for modification	C:\Windows\SysWOW64\Maoalb32.exe	Mcidkf32.exe
File created	C:\Windows\SysWOW64\Dhgccbhp.exe	Dcjjkkji.exe
File created	C:\Windows\SysWOW64\Dqddmd32.exe	Dochelmj.exe
File created	C:\Windows\SysWOW64\Emgdmc32.exe	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Cpcpnokb.dll	Hgiked32.exe
File created	C:\Windows\SysWOW64\Jcgalk32.dll	Lmcilp32.exe
File created	C:\Windows\SysWOW64\Lilfgq32.exe	Ldpnoj32.exe
File created	C:\Windows\SysWOW64\Inalmqgb.dll	Pehebbbh.exe
File opened for modification	C:\Windows\SysWOW64\Klfmijae.exe	Kbnhpdke.exe
File opened for modification	C:\Windows\SysWOW64\Kngekdnf.exe	Klfmijae.exe
File created	C:\Windows\SysWOW64\Qncfphff.exe	Qifnhaho.exe
File created	C:\Windows\SysWOW64\Eknjoj32.dll	Blipno32.exe
File created	C:\Windows\SysWOW64\Dgnminke.exe	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Iomcpe32.exe	Icfbkded.exe
File created	C:\Windows\SysWOW64\Bfdbgnmd.dll	Ndfpnl32.exe
File created	C:\Windows\SysWOW64\Qpdhegcc.dll	Plndcmmj.exe
File created	C:\Windows\SysWOW64\Ipoidefp.dll	Bggjjlnb.exe
File opened for modification	C:\Windows\SysWOW64\Enmnahnm.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Ogadek32.dll	Epqgopbi.exe
File opened for modification	C:\Windows\SysWOW64\Kmaphmln.exe	Jjpgfbom.exe
File created	C:\Windows\SysWOW64\Pehebbbh.exe	Piadma32.exe
File opened for modification	C:\Windows\SysWOW64\Clkicbfa.exe	Cdpdnpif.exe
File created	C:\Windows\SysWOW64\Gigkbm32.exe	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
File created	C:\Windows\SysWOW64\Lnfhal32.dll	Kecjmodq.exe
File opened for modification	C:\Windows\SysWOW64\Nnodgbed.exe	Ndfpnl32.exe
File created	C:\Windows\SysWOW64\Clkicbfa.exe	Cdpdnpif.exe
File opened for modification	C:\Windows\SysWOW64\Hijhhl32.exe	Gigkbm32.exe
File created	C:\Windows\SysWOW64\Lcdjpfgh.exe	Lilfgq32.exe
File created	C:\Windows\SysWOW64\Bpmoggbh.dll	Dhdfmbjc.exe
File opened for modification	C:\Windows\SysWOW64\Dmmbge32.exe	Dgqion32.exe
File opened for modification	C:\Windows\SysWOW64\Kbnhpdke.exe	Kmaphmln.exe
File opened for modification	C:\Windows\SysWOW64\Lmalgq32.exe	Lbgkfbbj.exe
File created	C:\Windows\SysWOW64\Okkkoj32.exe	Ncnjeh32.exe
File created	C:\Windows\SysWOW64\Oqmmbqgd.exe	Okkkoj32.exe
File created	C:\Windows\SysWOW64\Ejfllhao.exe	Epqgopbi.exe
File opened for modification	C:\Windows\SysWOW64\Emgdmc32.exe	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Einebddd.exe	Emgdmc32.exe
File created	C:\Windows\SysWOW64\Gjhiaadn.dll	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
File created	C:\Windows\SysWOW64\Gaeddino.dll	Kngekdnf.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fipbhd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	1416	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joppeeif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmcilp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgiked32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphghn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfpnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgccbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgqion32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjlemlnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhcndhap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jngilalk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piadma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpdnpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gigkbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lilfgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmmbqgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahngomkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aifjgdkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clkicbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijhhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmalgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifnhaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clnehado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kngekdnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albjnplq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cceapl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meecaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnodgbed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qncfphff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjhckg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdfmbjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhnqfla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihgmdih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chggdoee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bafhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkmdodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iomcpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kecjmodq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoalb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnminke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epqgopbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepmlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnhpdke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnjeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahelebm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjeejep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdefnjkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelhmlgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcdjpfgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldpnoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkkoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjkfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einebddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igmepdbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqfiii32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jelhmlgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhmqaaj.dll"	Kmaphmln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojkndbh.dll"	Hjlemlnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qncfphff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll"	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbnhpdke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnknlm32.dll"	Chggdoee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chggdoee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnbekph.dll"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaalggp.dll"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmaphmln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnodgbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnofaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blipno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoaeb32.dll"	Jelhmlgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nphghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qklhgdgp.dll"	Piadma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qncfphff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgaajh32.dll"	Bafhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmoggbh.dll"	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckenobm.dll"	Nphghn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll"	Einebddd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdefnjkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iomcpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofohkkf.dll"	Kbnhpdke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdjpfgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aifjgdkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befaceaa.dll"	Iomcpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dochelmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emgdmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbnhpdke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmalgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnoim32.dll"	Lcdjpfgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaajccm.dll"	Dochelmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kecjmodq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgalk32.dll"	Lmcilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maoalb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplkbo32.dll"	Oqmmbqgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihpfbd32.dll"	Cdpdnpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcpnokb.dll"	Hgiked32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgiolk32.dll"	Icfbkded.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhnqfla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abjeejep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlhlg32.dll"	Hijhhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icfbkded.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpgfbom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booqgija.dll"	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocjgfch.dll"	Ejfllhao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndfpnl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2744	3064	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe	30
PID 3064 wrote to memory of 2744	3064	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe	30
PID 3064 wrote to memory of 2744	3064	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe	30
PID 3064 wrote to memory of 2744	3064	83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe	30
PID 2744 wrote to memory of 2516	2744	Gigkbm32.exe	31
PID 2744 wrote to memory of 2516	2744	Gigkbm32.exe	31
PID 2744 wrote to memory of 2516	2744	Gigkbm32.exe	31
PID 2744 wrote to memory of 2516	2744	Gigkbm32.exe	31
PID 2516 wrote to memory of 2708	2516	Hijhhl32.exe	32
PID 2516 wrote to memory of 2708	2516	Hijhhl32.exe	32
PID 2516 wrote to memory of 2708	2516	Hijhhl32.exe	32
PID 2516 wrote to memory of 2708	2516	Hijhhl32.exe	32
PID 2708 wrote to memory of 1412	2708	Hjlemlnk.exe	33
PID 2708 wrote to memory of 1412	2708	Hjlemlnk.exe	33
PID 2708 wrote to memory of 1412	2708	Hjlemlnk.exe	33
PID 2708 wrote to memory of 1412	2708	Hjlemlnk.exe	33
PID 1412 wrote to memory of 2588	1412	Hdefnjkj.exe	34
PID 1412 wrote to memory of 2588	1412	Hdefnjkj.exe	34
PID 1412 wrote to memory of 2588	1412	Hdefnjkj.exe	34
PID 1412 wrote to memory of 2588	1412	Hdefnjkj.exe	34
PID 2588 wrote to memory of 2488	2588	Hhcndhap.exe	35
PID 2588 wrote to memory of 2488	2588	Hhcndhap.exe	35
PID 2588 wrote to memory of 2488	2588	Hhcndhap.exe	35
PID 2588 wrote to memory of 2488	2588	Hhcndhap.exe	35
PID 2488 wrote to memory of 1744	2488	Hgiked32.exe	36
PID 2488 wrote to memory of 1744	2488	Hgiked32.exe	36
PID 2488 wrote to memory of 1744	2488	Hgiked32.exe	36
PID 2488 wrote to memory of 1744	2488	Hgiked32.exe	36
PID 1744 wrote to memory of 2852	1744	Igmepdbc.exe	37
PID 1744 wrote to memory of 2852	1744	Igmepdbc.exe	37
PID 1744 wrote to memory of 2852	1744	Igmepdbc.exe	37
PID 1744 wrote to memory of 2852	1744	Igmepdbc.exe	37
PID 2852 wrote to memory of 596	2852	Iqfiii32.exe	38
PID 2852 wrote to memory of 596	2852	Iqfiii32.exe	38
PID 2852 wrote to memory of 596	2852	Iqfiii32.exe	38
PID 2852 wrote to memory of 596	2852	Iqfiii32.exe	38
PID 596 wrote to memory of 560	596	Icfbkded.exe	39
PID 596 wrote to memory of 560	596	Icfbkded.exe	39
PID 596 wrote to memory of 560	596	Icfbkded.exe	39
PID 596 wrote to memory of 560	596	Icfbkded.exe	39
PID 560 wrote to memory of 2356	560	Iomcpe32.exe	40
PID 560 wrote to memory of 2356	560	Iomcpe32.exe	40
PID 560 wrote to memory of 2356	560	Iomcpe32.exe	40
PID 560 wrote to memory of 2356	560	Iomcpe32.exe	40
PID 2356 wrote to memory of 1420	2356	Joppeeif.exe	41
PID 2356 wrote to memory of 1420	2356	Joppeeif.exe	41
PID 2356 wrote to memory of 1420	2356	Joppeeif.exe	41
PID 2356 wrote to memory of 1420	2356	Joppeeif.exe	41
PID 1420 wrote to memory of 2312	1420	Jelhmlgm.exe	42
PID 1420 wrote to memory of 2312	1420	Jelhmlgm.exe	42
PID 1420 wrote to memory of 2312	1420	Jelhmlgm.exe	42
PID 1420 wrote to memory of 2312	1420	Jelhmlgm.exe	42
PID 2312 wrote to memory of 2212	2312	Jngilalk.exe	43
PID 2312 wrote to memory of 2212	2312	Jngilalk.exe	43
PID 2312 wrote to memory of 2212	2312	Jngilalk.exe	43
PID 2312 wrote to memory of 2212	2312	Jngilalk.exe	43
PID 2212 wrote to memory of 2952	2212	Jjpgfbom.exe	44
PID 2212 wrote to memory of 2952	2212	Jjpgfbom.exe	44
PID 2212 wrote to memory of 2952	2212	Jjpgfbom.exe	44
PID 2212 wrote to memory of 2952	2212	Jjpgfbom.exe	44
PID 2952 wrote to memory of 2140	2952	Kmaphmln.exe	45
PID 2952 wrote to memory of 2140	2952	Kmaphmln.exe	45
PID 2952 wrote to memory of 2140	2952	Kmaphmln.exe	45
PID 2952 wrote to memory of 2140	2952	Kmaphmln.exe	45

C:\Users\Admin\AppData\Local\Temp\83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe
"C:\Users\Admin\AppData\Local\Temp\83b61d2ebbd4bcf88aeef7b0fbc11c94858332c020b7992b7751d07a24bb7be1N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\Gigkbm32.exe
  C:\Windows\system32\Gigkbm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\Hijhhl32.exe
    C:\Windows\system32\Hijhhl32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\Hjlemlnk.exe
      C:\Windows\system32\Hjlemlnk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Hdefnjkj.exe
        
        C:\Windows\system32\Hdefnjkj.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Windows\SysWOW64\Hhcndhap.exe
        
        C:\Windows\system32\Hhcndhap.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Hgiked32.exe
        
        C:\Windows\system32\Hgiked32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Igmepdbc.exe
        
        C:\Windows\system32\Igmepdbc.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Iqfiii32.exe
        
        C:\Windows\system32\Iqfiii32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Icfbkded.exe
        
        C:\Windows\system32\Icfbkded.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Iomcpe32.exe
        
        C:\Windows\system32\Iomcpe32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Joppeeif.exe
        
        C:\Windows\system32\Joppeeif.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Jelhmlgm.exe
        
        C:\Windows\system32\Jelhmlgm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Jngilalk.exe
        
        C:\Windows\system32\Jngilalk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Jjpgfbom.exe
        
        C:\Windows\system32\Jjpgfbom.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Kmaphmln.exe
        
        C:\Windows\system32\Kmaphmln.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Kbnhpdke.exe
        
        C:\Windows\system32\Kbnhpdke.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Klfmijae.exe
        
        C:\Windows\system32\Klfmijae.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Kngekdnf.exe
        
        C:\Windows\system32\Kngekdnf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Kecjmodq.exe
        
        C:\Windows\system32\Kecjmodq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Lbgkfbbj.exe
        
        C:\Windows\system32\Lbgkfbbj.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Lmalgq32.exe
        
        C:\Windows\system32\Lmalgq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Lmcilp32.exe
        
        C:\Windows\system32\Lmcilp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Ldpnoj32.exe
        
        C:\Windows\system32\Ldpnoj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Lilfgq32.exe
        
        C:\Windows\system32\Lilfgq32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Lcdjpfgh.exe
        
        C:\Windows\system32\Lcdjpfgh.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Meecaa32.exe
        
        C:\Windows\system32\Meecaa32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Mcidkf32.exe
        
        C:\Windows\system32\Mcidkf32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\Maoalb32.exe
        
        C:\Windows\system32\Maoalb32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Mdojnm32.exe
        
        C:\Windows\system32\Mdojnm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2548
        
        C:\Windows\SysWOW64\Ndafcmci.exe
        
        C:\Windows\system32\Ndafcmci.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2520
        
        C:\Windows\SysWOW64\Nphghn32.exe
        
        C:\Windows\system32\Nphghn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ndfpnl32.exe
        
        C:\Windows\system32\Ndfpnl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Nnodgbed.exe
        
        C:\Windows\system32\Nnodgbed.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Ncnjeh32.exe
        
        C:\Windows\system32\Ncnjeh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\Okkkoj32.exe
        
        C:\Windows\system32\Okkkoj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Oqmmbqgd.exe
        
        C:\Windows\system32\Oqmmbqgd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Pjhnqfla.exe
        
        C:\Windows\system32\Pjhnqfla.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Pjjkfe32.exe
        
        C:\Windows\system32\Pjjkfe32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Plndcmmj.exe
        
        C:\Windows\system32\Plndcmmj.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Piadma32.exe
        
        C:\Windows\system32\Piadma32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Pehebbbh.exe
        
        C:\Windows\system32\Pehebbbh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\Qifnhaho.exe
        
        C:\Windows\system32\Qifnhaho.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Qncfphff.exe
        
        C:\Windows\system32\Qncfphff.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Ahngomkd.exe
        
        C:\Windows\system32\Ahngomkd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\Abjeejep.exe
        
        C:\Windows\system32\Abjeejep.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Albjnplq.exe
        
        C:\Windows\system32\Albjnplq.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Aifjgdkj.exe
        
        C:\Windows\system32\Aifjgdkj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Bihgmdih.exe
        
        C:\Windows\system32\Bihgmdih.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Boeoek32.exe
        
        C:\Windows\system32\Boeoek32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Blipno32.exe
        
        C:\Windows\system32\Blipno32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Bafhff32.exe
        
        C:\Windows\system32\Bafhff32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Blkmdodf.exe
        
        C:\Windows\system32\Blkmdodf.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Bahelebm.exe
        
        C:\Windows\system32\Bahelebm.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Bnofaf32.exe
        
        C:\Windows\system32\Bnofaf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Bggjjlnb.exe
        
        C:\Windows\system32\Bggjjlnb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Chggdoee.exe
        
        C:\Windows\system32\Chggdoee.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Cjhckg32.exe
        
        C:\Windows\system32\Cjhckg32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Cnflae32.exe
        
        C:\Windows\system32\Cnflae32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Cdpdnpif.exe
        
        C:\Windows\system32\Cdpdnpif.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Clkicbfa.exe
        
        C:\Windows\system32\Clkicbfa.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Cceapl32.exe
        
        C:\Windows\system32\Cceapl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Clnehado.exe
        
        C:\Windows\system32\Clnehado.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Dhdfmbjc.exe
        
        C:\Windows\system32\Dhdfmbjc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Dhgccbhp.exe
        
        C:\Windows\system32\Dhgccbhp.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Dochelmj.exe
        
        C:\Windows\system32\Dochelmj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Dgnminke.exe
        
        C:\Windows\system32\Dgnminke.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Dgqion32.exe
        
        C:\Windows\system32\Dgqion32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Enmnahnm.exe
        
        C:\Windows\system32\Enmnahnm.exe
        75⤵
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Eepmlf32.exe
        
        C:\Windows\system32\Eepmlf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\Emgdmc32.exe
        
        C:\Windows\system32\Emgdmc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Einebddd.exe
        
        C:\Windows\system32\Einebddd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Fllaopcg.exe
        
        C:\Windows\system32\Fllaopcg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 140
        85⤵
        Program crash
        
        PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjeejep.exe

Filesize
109KB

MD5
b8de8a3b41d94c4aaabe7b131ab2c6ca

SHA1
77d9a61f9bbe5e85e06edb854398975b5f2da5e9

SHA256
42c3e6dc2a32359b29b53b5acececf1fde5bf6514c448537c4a75a3519d98271

SHA512
8a8c24fc64531c0e19622d715d3918d115f0a29b0a8ee227113cbb7a5e30a72fd57828bad5ab0a4c11c7d4dbb896e50f09d838d655334ac1e164765bc3a7f6ae

Download Submit
C:\Windows\SysWOW64\Ahngomkd.exe

Filesize
109KB

MD5
d236a4a961b0a87b9aa3a600ae4a289c

SHA1
8e237acab914b69451f60810e51ae208f3600bdf

SHA256
ceb25132ca1bb34c8e20f96174fb3b75485b3c3bac3a2de31c7a74e5d0769cd0

SHA512
a3a610ad0745eb1965e04bbc1e9f6727a546cf4d1b4141dacda461e5ebb76362e4fb2067c07dd9901ef8424af75dc4759151ec9788c4d7b0e9397a924d084d80

Download Submit
C:\Windows\SysWOW64\Aifjgdkj.exe

Filesize
109KB

MD5
19de668466a45002aa3c7990946e1082

SHA1
cbc44aba474251a3505f67021f915463b21d5a62

SHA256
79081a8857aa3f4da9ad26d8c0c06fed45a0275e51fdc6563c7c1879e69c4fed

SHA512
339f2b85dd7e69f52e5e3e16b6f4fc981470285f07351757772f99e50ea305c88058beb0a3cb41d542ae88d7900ba7ef98d0d323aebeb4c7d2a70e3bd2fdd589

Download Submit
C:\Windows\SysWOW64\Albjnplq.exe

Filesize
109KB

MD5
38d220fea1d843b8c61dbb89ea137352

SHA1
49d4f6874445aeea64d3b28362e6c8a10324fc4e

SHA256
0ec8f0ae541cec8dfe1c079bfb064df316e9023efdde3b9bd48a50f1f8f7463e

SHA512
e2ac8a25067821607224bf6d882230b7b97d01e06e0a0b1d935af3adc5209fb4ca0f00478162de10341e2daa44641aaf718a87859434a39cb97ceaf134d18512

Download Submit
C:\Windows\SysWOW64\Bafhff32.exe

Filesize
109KB

MD5
208782ab747382d75baa706b40a2f806

SHA1
306d2455cfaf9902fcef054fc4ea77e7a7198831

SHA256
b0c97dd46f2b1fa7329be41d5e4aa5413fdd6bcca8b1c463252f635452b5c694

SHA512
ca6cef825e4d840d9ab6547a4b8beff34d50798169e3567b8dc0eba2ae5862fcc0d728c94b3b928785ab8a4749b5c6c4f308699f2a1013730126cd767d84816f

Download Submit
C:\Windows\SysWOW64\Bahelebm.exe

Filesize
109KB

MD5
2b3e45a6aa97b447256303335eedb5d6

SHA1
adba94301784ae59357d8db25373a92264e1e922

SHA256
80b84f928ba1b4c3e28e7b06ebe748644a371001780d05804d797df7bbcbe337

SHA512
79c66b7a2adda25bb6d715cb242c16e64db92da95fded902144122cf9893042f7f3933654fc9203ca562ad590907df42a7677632d720011dfcdd53bcaf57f02d

Download Submit
C:\Windows\SysWOW64\Bggjjlnb.exe

Filesize
109KB

MD5
edcd57aee354a68b23e1b88a55bab9fd

SHA1
08009e0632acbafc4b7de0d6f504eff750f52828

SHA256
a66c8255a6617e1826e5e0794064ff57b1c8bf31fa786b750276bfe6ccc6d0a9

SHA512
3050da7fd448204ab3ee15a987683755a17f84e3b90d09174c0e86d2fc488528460404240002e5c4a6bcc788c41bac8ac6b6ae7080dcb5803ac591d7c0a56ca4

Download Submit
C:\Windows\SysWOW64\Bihgmdih.exe

Filesize
109KB

MD5
a0a7c3b6165a032fbf5972fc4c7a78a6

SHA1
55660b39a648e06d874a4799832a1025f1c16cd9

SHA256
1b41c0ce0f88399d9e0834bc1779f949176ae8e5dbda4a7a15d7ab0b1e00e812

SHA512
cb03972426c2e60f5b9266170921556af40f177c98ee2d1b514c8760387da652cdff054caf4d17e3cee8ce6bce66c0bfe3507d85465bb731a945e849f433caa8

Download Submit
C:\Windows\SysWOW64\Blipno32.exe

Filesize
109KB

MD5
d30a4f9a7feeecfab1ddb8be87f91e34

SHA1
b98e228c710babab2c4ed329095db822b78fa9d2

SHA256
a0c8225f83aed2e5554635c1e8546cfba963bed8606cc468248f1a6d5d0bb101

SHA512
febf72b391269b1a8f8cac9792a471c3779336261f928b2a0b0edf19dfd837ea5f2ff1214dca12c29c44f6ed3f48452bbdd805bf233fc4f01d65cfaf4cb16482

Download Submit
C:\Windows\SysWOW64\Blkmdodf.exe

Filesize
109KB

MD5
427de9844c3ba28b4253a001bb94e345

SHA1
08cb32caca1118411191e1f3925de1febc1003ea

SHA256
200a2777ac71a517dc2d5532489d0e9529ef65335b0ef54e59a7d550dde55bc8

SHA512
27203ae29a086326b7a862271fb95080c4cd4d59ec697d891ad3d522189a50299afb953bf974ae6ed15293ab05efcef5a674bcdde120714328c21bf8a689bd36

Download Submit
C:\Windows\SysWOW64\Bnofaf32.exe

Filesize
109KB

MD5
0c8b0fac9594956aebfbcfc92baf197b

SHA1
7da37c125004f36c6fc8126f5581095f57964020

SHA256
dd7a146831008eb28a69fa8e62bb9db6174d1198819775febb2f5249873fa15b

SHA512
0e735a76b3b6c67c93379dd7ad1af71b8b72bdd1240afe6d391bd1ba99d8abd90f984914c53b56eb5ac7a92773ecbd0634e248e5a94e8b1d693c3b3417d6467d

Download Submit
C:\Windows\SysWOW64\Boeoek32.exe

Filesize
109KB

MD5
1d61139e79c2caffe3b854c8cb88c128

SHA1
455421ac42b3016aaf5db0156e642a23b5a813da

SHA256
c7bd86aa6d0fc8bece97ad6df3756b7d920110e78012a5e582e81906b268716b

SHA512
c4110cb65b855e479dde0a2843364e66fbb50d723c5c1a4dcfd71c6a172dbdbc4aec6457ec45190a508b4fb891501086ef4c478ebbb887516a34b7864eb83ade

Download Submit
C:\Windows\SysWOW64\Cceapl32.exe

Filesize
109KB

MD5
cff13aeb2e95faa3e2ad3ebb393db105

SHA1
1ec9ff67473af31b023623a2d640c7d19371d3d6

SHA256
f618e2dbe89c5675e560161cd37a254ced8cdc62a0893774ea7961fb9c9b3d59

SHA512
a568821fd9e91b0e7ea02aba94e9730059e004ad768a10202cb40a33eaca5c195c8cf99545bdcbff3e74a094e5bd580e0941f34bba37936353e0dbdcf56f0de6

Download Submit
C:\Windows\SysWOW64\Ccgnelll.exe

Filesize
109KB

MD5
37d31b36720b45d6b4bab1ac6234d6d8

SHA1
d7d63f08418dd79b391519b6b41f5b21b59dc1c3

SHA256
aa5e48423510b7f389b8f5ebf6083359e6280c161c953b806b1826adb0a041f2

SHA512
6789b202d896e540e6c224ddb8776b5e38890d00d421fbe7b9f93e6b49acb9b4d53499a59290657455f6ea6522a15d8bb5b74434d2f9fd0bc873ccda73b42296

Download Submit
C:\Windows\SysWOW64\Cdpdnpif.exe

Filesize
109KB

MD5
331e91c52a2e4ac88eeec5461e5d98b9

SHA1
73553b64d6564d50b57527c7f6008e6732191f6a

SHA256
a4fe116fba48432e29525fa959d418ea4760198ea1866f458c0d35d0719be7cd

SHA512
6d59c183c51ff0460b682ef08bbe4a5060298e4d6ec0154386e8b8559b6df920cef728501210eeed3c634b788f6c66b3b8136ecba4eae0c6009c2f08265e4be1

Download Submit
C:\Windows\SysWOW64\Chggdoee.exe

Filesize
109KB

MD5
42cdee1895d26770e2b2e7711cc241eb

SHA1
b6b3c3b17dfb536adc05785609b22e19b2ec5834

SHA256
a4e3c4524e6677dec3c95744b3990d7bd2dea146175b3d20497514cc5c61fcc6

SHA512
b4512a7e0c48fdefd3ac4c05f6962ec842335ffe0a2d862b6dc4f3970b6479e6d9dd1b59f3dae3f4e38bd1434c76497339293a1ffd033cf4219501813134bc8e

Download Submit
C:\Windows\SysWOW64\Cjhckg32.exe

Filesize
109KB

MD5
1707c97af46354f96e32ea7d33f4ff37

SHA1
adaceca19087db225a7a0062bcb4b9d736dbae66

SHA256
2a598ea04168ba0c522f0811e9786f7617eb9dadf9284dde073d23f1bb52c3dc

SHA512
7b0146c7e4155a48adaed486b100ade3624fe673a42375f498ca589d21208231e19d5fd4fc4ee8d3f7451e4d969d384f42794bebdef0d71fd2e0fb4ea8e2a0d3

Download Submit
C:\Windows\SysWOW64\Clkicbfa.exe

Filesize
109KB

MD5
49af1fd156a06651e124ec70db0ec0e0

SHA1
bb0403d37ab221f8c86b2894727182542f05230a

SHA256
da3718338e030d0d30a1e2b969deabf76733fc96b7f1cff7c15456cdc544d3b6

SHA512
e7a7a86709b4c5b4a24bcd80547811c1189ac6f664a9fdf9dcaa8c161f2ab3560b9069788aed460425d15d4a114888204d31c4157477391cf66b42aa561bfae0

Download Submit
C:\Windows\SysWOW64\Clnehado.exe

Filesize
109KB

MD5
dab5662c1b533aca47e9ec8efa69e46d

SHA1
45834269543d2b3db5dc2170cec3782d2fca52d8

SHA256
91f0bb4cd66017bca665857bb1e07802341cb1fb158107ef5180addd87ec48d8

SHA512
95739cb4e94982717bf6e94f832428138f81605da8d93097ca752eddb50699b8c69bfde53c6b797201c55f23a148f360079dbf6c927ce79f783090439639839a

Download Submit
C:\Windows\SysWOW64\Cnflae32.exe

Filesize
109KB

MD5
ff871a4da31562e66196429895abb433

SHA1
2ab22228f42116caee9866132963c4a9ef83e434

SHA256
1cc598238667485dfb047ba8539b6d596af5e9fbc9f2204f706ddcbd5040f42e

SHA512
cd36f42d1a18dbace9e5771733ebd5d1283f81dd61931cdd9efe573f1aa6a10ea48a0ef51edb1d5bfec2eca7369234fee7e7fc03846f58270a3d81b5dbe69652

Download Submit
C:\Windows\SysWOW64\Dcjjkkji.exe

Filesize
109KB

MD5
05f92d400b401d02ccbe86e8d922c5ec

SHA1
913715f875187676a3f42dad80c7bd3ad4d775d0

SHA256
be3cc2c1c784b17790eb307d111059a539e2a38ce66f6adcc1149632969b0764

SHA512
b3317632d193b836fa4a16de8220745dce05be654ff8d4ae8ce27701518609116a6199c2b086017e959142875117919eb6e20d50775dad6b65b054f69e5cab4f

Download Submit
C:\Windows\SysWOW64\Dfkclf32.exe

Filesize
109KB

MD5
907561b2ba1ee986eaf3a0fe6facacc4

SHA1
863fadd5d63d73bddcbc666efe6c7c6308162318

SHA256
f28b102c57272005a6463ce6c58c431de29fe8af0f74c756694959aad418ec42

SHA512
2cba28524f5fb45e153e096644187f25725fa9bf22a268a4535872ee8aa8a6a790a4041e9cdce615aae408ecfd7c9040ecd93051ddacf68013736a8ef7f1b8c5

Download Submit
C:\Windows\SysWOW64\Dgnminke.exe

Filesize
109KB

MD5
5fc663beaf161781e34f4449e46d8895

SHA1
5169cf327e7bf482060e096b084e2146126c1da1

SHA256
87fdec35e251ceea46f7bb9c0eb55bdefc210e3e9f52af4d1b296b0ff3dd2927

SHA512
c905f4835b8bea314c6cac6a858c240d5751e0a1b0ab115a8654dcf1d69b2a4b2591a14dd32bc2b02d9fd8dd25e2a671b58d0045867fce52d15a66546da2f073

Download Submit
C:\Windows\SysWOW64\Dgqion32.exe

Filesize
109KB

MD5
343517e221ee8bb25d7924f2756234f7

SHA1
ecda12546300bb89289fad07ec16858d77613823

SHA256
99bb473a193f379798ffa3dd5d2cbe8d2e855e4a22fbbb15f7c3bd625a864234

SHA512
8b07a4c3756458e8d1c317428aebd1f4a735c4afaf3de26f152d035bad63eac8b88e58f634d196e5d17784abd1ec6e63159326a32273e55d836b21a473b747e5

Download Submit
C:\Windows\SysWOW64\Dhdfmbjc.exe

Filesize
109KB

MD5
ca5bd2bb17e0ca5464c6c177b0e87e7d

SHA1
be21a3de1050632f69cd197a3170814c982db76b

SHA256
ab4422c85548eee331cc845fe10187506ad1cd778b743b9722ac00c084bc413f

SHA512
c5b2f5b46e7d1a8961a517721cbf4dc39823cb32497918e69d3413fd3843416fcecb71d002f458a62d1277bc2ae989a002eba42340934ebf0db2320463841dfe

Download Submit
C:\Windows\SysWOW64\Dhgccbhp.exe

Filesize
109KB

MD5
dd9f5118bd0ddc3dd53fe0b5787ab6ef

SHA1
1321362fbebef9eacde9df17e158dce9c060afa3

SHA256
cbacc4446d02679b23182d35738f52e27b0040d4dc0b3d5cc0cd02e996a14cd9

SHA512
644d29907757d2f5cddbf12617c187839f8863dc8970d025e9ee2880f97d2e7194b0c15850bdd904d262e2d1cabbe4701bc49fe6c9afb6b18cac3b164bd0e67f

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
109KB

MD5
57335749c4ca2feb76c928267483f9f8

SHA1
1927a306869538f6cce2e312f9ba4b169df95762

SHA256
04d2ee511dcdeeee65847972a25020334924927376d2778850a4487b82387d18

SHA512
0b24a8618ed0acd91d08cf7c744e8ca9a6bc3f2d0107480b6f427bd8625a5d5bc25ca38590dbf6ab6322cc6e5cdf715c7f396c66523fe6b5544646cda50049e5

Download Submit
C:\Windows\SysWOW64\Dochelmj.exe

Filesize
109KB

MD5
df49f29d2653de3b9b5ec0d11777e3fa

SHA1
f188831bf11b83d19b12267e7512959f7dd83a97

SHA256
d94ccf0dfe6dbe18d013b6f880747bf77f619563b2872e805410a6fcb224dfdd

SHA512
4e2c5024daf472bdb05533f118667a900e426e4121bcfa329c4663530c80f12b970e20971fe2755429d5e0387393c04d539e8be821c66e3d84a369238f96e028

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
109KB

MD5
3ee395db6bf4e59bb61c505cdd21efac

SHA1
cda98b7a245ec30136b033fd9682377fe8415935

SHA256
b77fa1db64c5b2aab0e1c44432d551095a00a205877470465128e1b0b819dacf

SHA512
41f6ee71f40155562ff95e283a6e9a7c873b6442560a26a72835101a9507355ecee608d0a8d097209e287faf3cec3d4836a38937c6959caa4c08302ff99ecc06

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
109KB

MD5
5cf84156cc7077b25c127661b02d54e8

SHA1
5ce746e12e524204348cfdde693c20a6d0797603

SHA256
769e1ce77895dcf9bc64154a3d59d6bdad865cd78b7c8e0efa37ca310b4dc03b

SHA512
5cb2e7683ac6d66211be300b552d12bf110f4533bd08fc58a0fb07ec2660a3ad12572fe6faa485f8ea9a8cf7f5deaf63f0c7c9f3be90e459d270fecf09f0adc3

Download Submit
C:\Windows\SysWOW64\Eepmlf32.exe

Filesize
109KB

MD5
bb9be1789c4bedf60dee29b6b2844b43

SHA1
5a9399687be9ab3ca1ae842eaa71294e4751b5ff

SHA256
0ec4b71091fbe43febac82a00861e96847ca41a1d46a1e403d6b97db83d7aa2c

SHA512
f77fdc4e31e7383356f7edec525d88b2bd093bfaa049481aa53034718459cc27410e50839b7301b4cede5a70d5889bb6091a97ecfe3c58ccda36d6bac3600df2

Download Submit
C:\Windows\SysWOW64\Einebddd.exe

Filesize
109KB

MD5
570166b64cb54ac10268b26c0d21ea81

SHA1
2d97331238675bf5c17f06052364fe6cacbb4c5d

SHA256
bc8a0409682e3d27e3e2145db82026bed454b15c2d60681055b69d4c46f31867

SHA512
f40f0f5e945f47ea6b58cde721131d1fd618ee4f7560570850897cf6b7365db2957fbbc938ec7f4c8e1de561169874d65a340f4e00cbe9f65383ba7f85d76fcf

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
109KB

MD5
72aa073a463321099cee6bc5378fc10c

SHA1
a50793bc69f310f633681fa09172261f8af9e9d1

SHA256
ebd5c033489fea9e17cf38349a62d446eadd86de2f378290199e98fe7a98c6f4

SHA512
3f166bd4638b7c089169bad9121f03e2c724fec42565b7c6c0ce3520236a34f3a04d3a7ff3f39e44293b3187359e344d216be56de706c8801d0f9023d7403579

Download Submit
C:\Windows\SysWOW64\Emgdmc32.exe

Filesize
109KB

MD5
c7cc41e484c3bdda7446b754aeed1ff0

SHA1
c56b9647e33f5fbfa8f5cc8a9ca503e927d4898c

SHA256
429654951ea0611e4686e734bdd4c8e084bdac3c843b916bd295b6a3083d97f9

SHA512
0fed24691586779f5f5ac58eeb933109705efdaede37775366135f9669cfc6be7e2c2317c2dbbac8966d368c2fe0445040afb9a8070e59e60ef7026a37d42f40

Download Submit
C:\Windows\SysWOW64\Enmnahnm.exe

Filesize
109KB

MD5
e4213926ae6509cde370f9ddea44baa0

SHA1
c30b10d89fbc86977d7f4244c3610e0007359bef

SHA256
2f065e6bf9fbd9788de95b18b791c830e86938f48e319806a0e6c82b086ff26e

SHA512
119debd98c728fca8a4db389bfe3f42b166d64e4375a459f0c9b1eaf9075cdf27f616ae6909fda86aa79552793306d20873c831197527be64ba9b7806cc9eb0b

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
109KB

MD5
e74354b79e0d32b01c369f2530e1f40f

SHA1
662a3ee00e60c08745d87da459392a963809e84d

SHA256
747b8334aecea6a5d3d9050123f2a748440699f429f537b97c655df8559cd633

SHA512
de13a93b122bac8e45831177b9ecd451800a4e3f5e821d1763596c548f6b28a18677a24278559a7b31675bfefa702ae9c7eddd9a9819e78a69f71d3828d495cc

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
109KB

MD5
f42fd0e69bb50e17c131ec41ea593c7d

SHA1
2feec6594cac080770eddaafd4131ac420b3c82d

SHA256
39392f70f13212419115e15065ab47adc22babe298ea00f28d3285f110d5a8d0

SHA512
d354098a1f7cededa0d2a9d6ec936a95d5894955e6e9b18a35311502607c9c17f3a154454fcf15e0677066139f1a476778726b86ea913102862c4e060d21a05e

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
109KB

MD5
1d8d1f2b226065a23efde8099ae92b8b

SHA1
c0b0b491d4c377578634681b5644825856f26dcf

SHA256
63169d20dbfc57f0f5ba13c09368080e039028817815007336716b0789ebbe6c

SHA512
96a91b86b0d532941aa16adc127c86349cf6609d36c32e6587f4372fd072f8eb91e6815e53cf05f60f98e0a076e062e5f2eff356c17e37f74596ba1841a5e9f0

Download Submit
C:\Windows\SysWOW64\Fllaopcg.exe

Filesize
109KB

MD5
c1a42dd5dacccae01496b598d360d7e6

SHA1
3045d0715d9be6131901ab8bb0c987612d157b16

SHA256
032dfa668b71e138b86af53065ec5c5e9fa59fdf56c934e3607abbac80111272

SHA512
ee0d12f4df8a1f56465789607c785b2d304a6d3e0b66a48d8416d06add5b4c7a870021d590217e4d95c852d6ec8c4a65a6cce4aacb827830559b7b1d2e229245

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
109KB

MD5
4b10d4df2025ca58273707c4e40d12e9

SHA1
722d327124bd2675a67d6c8cdadac6740ba4ed81

SHA256
cab77a414d139024facfcd44cc93753321c9cb4759da9eea0eb215e6e2eb9872

SHA512
833aba66b85ab1d2626399d602fdaef9c5b507a85e6a944015d5f4597bc04ad95932d813c8ce67929f74a6b2576e5df12c21eac9ccdb21df09559f0d0e4140b3

Download Submit
C:\Windows\SysWOW64\Hdefnjkj.exe

Filesize
109KB

MD5
501758e24cfed6e7fe4223f3464a2b0e

SHA1
e6d57dc0f157bea65100e865eee8e3a1da8c080b

SHA256
32948e52d261c1a724f7bb5f81da3d7e36ea66db5e5abb0d33eb2b4d31331c6d

SHA512
8c3fc7afba31c396deb340629db9c2395c80ef1d4af6333c5b641a6b156bc6cebdc95d8d0b1b892aba8fbd00f24365188d5939d2ec94c4e198f439afd86b66ac

Download Submit
C:\Windows\SysWOW64\Kecjmodq.exe

Filesize
109KB

MD5
03c414d8c3ecd22402343c906aed2894

SHA1
6e78bd1bcc6f0634577a67d73a34b180aaef90fd

SHA256
b993f08d7122d7a84b6c019a4f7f1a01e2a6c45ca33998a131bbd26ead260baf

SHA512
133f0a3b7e0f9d7b94eb17031f5288346e79b1981cd5406c78e579339dc6483c329eefd2dc2acf6e5f65c9fdc914b673ea966998d7b2ec791cfb3eca65defb7b

Download Submit
C:\Windows\SysWOW64\Klfmijae.exe

Filesize
109KB

MD5
22687da2b539b1ec66bc7976bbcac75e

SHA1
765accf3abe261a9c3d593508d064cef1cc01880

SHA256
2845c1149cbd33df3b7b9d25e3f79679d50f0b6a7aa722af6c2ca9c50c23feaf

SHA512
b1d3be861764f12dc7dd170a94ab5da8c78fe1f3fbaf124e749fc5f4c03df4dc48745da50b4b7587ac477db77308ffcb2f97a372b2777962ba8f14e1fddd66fe

Download Submit
C:\Windows\SysWOW64\Kmaphmln.exe

Filesize
109KB

MD5
fbc89899375108ec1d0b560034ef5190

SHA1
683ef9088702d9a6a0d4e73e52091085692c2fd9

SHA256
9d558a4882b30946213a8dfe16774deca53adc97234e430b5e58e8426b2753e4

SHA512
1b3b434db27f9dba4500d687bfef112a969f4edcb4d21b456820b09ea1e3f17b46292de1654bfe5c919ad339ce8efa166f3a120fd778eccd83bfaab89a9a4062

Download Submit
C:\Windows\SysWOW64\Kngekdnf.exe

Filesize
109KB

MD5
cb8f727a20e117dd0cde001034feeb41

SHA1
fae7a44214c94073227d2a7bf97f642011edd257

SHA256
196712d0c54bb25b2fc6e4d6e9d6743944f84e6399a8c749976f6a266be0ce7c

SHA512
e2054a83d9178dc914924ba9481d0e12dcb1d0e971e430b3530e71fff3b00ef357a448eed1837871341856e1f0805e8e5aacdd8edcb4a833af38a5256f8d7b82

Download Submit
C:\Windows\SysWOW64\Lbgkfbbj.exe

Filesize
109KB

MD5
c8e1ef0eaae1245313d7269d4b1b14b9

SHA1
3cdabeaa3749f9df58a482483ede459e47ffcc62

SHA256
ed8a050826dcf49a124bc7a92a2659c92f44909e8d225fdad6cb1fbef06cb2a0

SHA512
dea07a6897d162d3a3012bb386260e2325ee185f79f985bf53b523f80975fd77abe098a5cf24e38ccd5c0ae037bb8569033afb265277eb9474124a163dd58b4a

Download Submit
C:\Windows\SysWOW64\Lcdjpfgh.exe

Filesize
109KB

MD5
b97b35bb39364b1b6d32b10c1e17568b

SHA1
decdef4c188d40e163e94ba3dfbbba722e169803

SHA256
46bf1eac2e0dffe4a3295c7d3c7e9fc4c787989b872279dd8762d77c7e9dd701

SHA512
27e38e5df953b2639a5cdcd899ddd67f2cfbe023b85b77680a22bdbf348d9cf4397131e4f93a32bc9ec38d8f7a3d360371f130d7a9dad4c39179c8ce281d1610

Download Submit
C:\Windows\SysWOW64\Lcjmleem.dll

Filesize
7KB

MD5
be88c4eedd47e48e406afbad02030cad

SHA1
373ca54488c0a2f112cbe27285e90e7acde103fe

SHA256
ee69b4616c480845c6d5f3c20273c37dee48fd2487c54cabba264b8349c9c45f

SHA512
f0979d2dd0555fe5ef1c175674dc9d1f211bd4fbb9be4a38dff99d25e88e37f7776402c715263d1d60559e7c89dcd88856f94ae1c838cf56fe39b3a3228df28b

Download Submit
C:\Windows\SysWOW64\Ldpnoj32.exe

Filesize
109KB

MD5
71e25dd9ef3e35eddf97138c57071bae

SHA1
c1cd283ce14219ba60c2a4cac8f43bd7b6cb4395

SHA256
e9c9cc57cb33a66d1331dce4c117b9a6a310a3c901ecdae9556b33156b0ba3d9

SHA512
2cf0fedbc9299a9f60a8580dbcfd6d6907000189406c15554565c2195aaa13b14d496a92444f3351d821fa5719553a5a5102bc175daa517a0023f8bfdb3a1794

Download Submit
C:\Windows\SysWOW64\Lilfgq32.exe

Filesize
109KB

MD5
b39b9579ad72e16377f31497d28d096d

SHA1
c968028292880783b62e6b1672198f44ee1d0b49

SHA256
310617723a431fdf7374c4789b23ac3dc13f0a695417db667d3ab263458f7086

SHA512
0992fd3942367de13e0b4e13201811c8596967d6306dd240895f16b5cc4731a667c742b2c0a7bbe0cea2885d992f29a2cea159c6e0f891e37149d5a6a9e4f107

Download Submit
C:\Windows\SysWOW64\Lmalgq32.exe

Filesize
109KB

MD5
455f109c3140b17305bcfc22537a9c5f

SHA1
9cde522d47898c01193f9cbefdf82d2dc832189a

SHA256
231a6ed9fbb17cb6623b235836a195da0a5e3b05e33565a959f1094f77cde1d4

SHA512
117fa2a2dee7536187a0d7ef2afa7206f62b5c1e710e3a61beb5adfb62d075cb1549a37bf13ea761697ad0c985ace7a96846c491575ed379bc302bd6f1bb337c

Download Submit
C:\Windows\SysWOW64\Lmcilp32.exe

Filesize
109KB

MD5
8be3e317509790763be803c4bb432f72

SHA1
43af46f5d7032b75a9e1a48d62e2672c6c95aac9

SHA256
e939193e12e905cf9c55b327c983d50eda33f82fd06eca0eaf94f159dd2c5b40

SHA512
a777e8cb46297bd0ca225377765c711840281536a021aeb026f819774e30a71130de279a966da77da4f0e938f3968996f801e81a5f43324b58318028d8f03dd4

Download Submit
C:\Windows\SysWOW64\Maoalb32.exe

Filesize
109KB

MD5
7fe6d83b4ce6e11144a21f2459124a96

SHA1
ed5f0f62a009090195d01d6fc1de616908e17874

SHA256
dd6b3c7d4055a6a13bd2af1df2cb00b779290e3b252c992754de599427b8a0b3

SHA512
1526179f33a03ac8fc092764babb12c2af81e95301b341210963f9701c3a3c709cd0890bdf3c26bbccebc7484d090ca2d2cc1273dd35ec7017bced74dd9b6774

Download Submit
C:\Windows\SysWOW64\Mcidkf32.exe

Filesize
109KB

MD5
639c254e623a39d9f3971882bdfc1860

SHA1
6b977c0d990f8d896576034ffd02e04854ae9492

SHA256
a497b40ea0be7a984b47b6103f616f81af61b438a369dfc41426295fba9ac3bd

SHA512
0c204425c52d5772577bcaaece82e59ed7a9a5834369430e1945857530a31d99a24774d6c38d7d7adc1e2ccb982de1691616582bb61c9efd2c2d8bd2f2f637da

Download Submit
C:\Windows\SysWOW64\Mdojnm32.exe

Filesize
109KB

MD5
d47b708b9e0414a1aa773179b4762b29

SHA1
8e63a11a779cb58793bfa3ef578ad80a662bf243

SHA256
4beaacb8e5b91f7cbff3a01d2970705fdc1b77443e4f942a3e2b52d4c6addacc

SHA512
d4d1a4bce6c4c0d8625ab726f5576f8486fbece41100562bdc322de5f78a006c0c3e846dadca7ac6080063d81518cd03839db4b354cfcf706e76ad94bbfa1a73

Download Submit
C:\Windows\SysWOW64\Meecaa32.exe

Filesize
109KB

MD5
f554c17997964f39d267d8a5aba6fc3d

SHA1
c4a82a9613c27b115c394320959875e5b96fb374

SHA256
7112b7dbe1050aa076e02f5737e9f39f7782021211c2b36acc2ddf2c63e250b4

SHA512
0aca724c25114e3d6aa435fbf92c3376da5545b21b06f3ef71bb85104ddc5d69b752971ea8be751d3b651f53db8a952423586428788e46339f4f7292387c0634

Download Submit
C:\Windows\SysWOW64\Ncnjeh32.exe

Filesize
109KB

MD5
f7de009a082e114286af809e73f48bc0

SHA1
0cc9b8310714b50908db5ec18b03cbb16a281442

SHA256
d5baee2ea4dbdb896458d54096a2d65f67c9d6f3993c79f4a06f6addd7f155f4

SHA512
9b58f9534c700d631c958355bcb34e6e1d7d1111ef3a8196fdc1a9dfb4e60e561e4f79fec74af5864c4a1c282a0fe7a484870c5fcb9f919ffc750c8fb80375a0

Download Submit
C:\Windows\SysWOW64\Ndafcmci.exe

Filesize
109KB

MD5
278a7951e0906fc8c3522a03d4e9ee89

SHA1
21c6cb7130ce4204ab61e172f836d220f7cc3a72

SHA256
a346ea05abd8ef04a38e1f4ba450c837ed8fa4d908ca899941fe363c6586c148

SHA512
1609cf06856f466be62777139ef9fa25e9fedee0fa634d2009a804e2f4f84a9739008635f2b634304677c61935efabb661c9e906cc5fd7e07e9830951d094e93

Download Submit
C:\Windows\SysWOW64\Ndfpnl32.exe

Filesize
109KB

MD5
1d28bbd61a6f28bed1a51a1ea66ef810

SHA1
c6dea82faa10eb5c3aad5837254287e41cb95a32

SHA256
9fe0f258709e954d86fa3d5f7cf06f2de6bafb1f0beae68dfc3581c055fa8531

SHA512
e050a6a6d68f72d6a69c977471136ff9582e95a1200d6d4cbc9a9f878249d52629cb80513f46622bb6a01d62206cf907ab50f2ea05b39aa10782e5d6881168be

Download Submit
C:\Windows\SysWOW64\Nnodgbed.exe

Filesize
109KB

MD5
3ee94c72513628a83203917250cb92d1

SHA1
da134b362233509afab1a366a48e71a054d24baa

SHA256
b05710d3fd11175c1d9ce45c27adeb6912d150fcc8d37c1b82d5567b882b993f

SHA512
f8db0da21a57db24dc241923b458c91cea267e8ab641b82255670666fb640e4d49a69ddf343aec3fe9d073947a0ab051dbef7d594776f862c0220f235be7dfd4

Download Submit
C:\Windows\SysWOW64\Nphghn32.exe

Filesize
109KB

MD5
54d4328a18588571d76c0af695de51d3

SHA1
835ec3216537c65995aee1c6dfc5ed876b0906ca

SHA256
a7ca3d0d43b12d512fe84f0d20e6e2257aa47285b0690308ebc11a8e762039b0

SHA512
1de28aaa3b162f6780e41232635cd5602a252b1d07d0b356315ac89ea29a8cd9b2aa6154d8dc92ffbd50ad209f0c4b67c828975de1e286fdffb69f14cf5099e9

Download Submit
C:\Windows\SysWOW64\Okkkoj32.exe

Filesize
109KB

MD5
c3cc1b4b30f9f1ecd1639e939f644cff

SHA1
db5c77aa8d14a39133d27965bc1ddcf84fbc09a4

SHA256
b8d09a8ea9a44aa1472c48a9e34b1895a3962e8175e17b86023eee1b9e5bb262

SHA512
25159a15fb38ee745771b986269c2c912d36f271b29cf1122759515a4818479b2971f3b29711aa3edf240255bd81d44611481a8c9a09fb6fd0154e3dd820074a

Download Submit
C:\Windows\SysWOW64\Oqmmbqgd.exe

Filesize
109KB

MD5
67a46029501ab391ff4b57e0872eda38

SHA1
0aa33a71ce316794743315f2b4c54a4868a16d3e

SHA256
7abf1f93c1ad839ef72fedf905f39a4fe000ac0f18af216c7a5fa501e76704d2

SHA512
0619666175f4abe5341e069eaa1e324bb1b2651e30ead42442308fce83a8695cdd5ccb6eec275c5dcfd224b842e36cf8068b4a909269af0232a3c054855887e4

Download Submit
C:\Windows\SysWOW64\Pehebbbh.exe

Filesize
109KB

MD5
dfa474c5fab53704abf5df9991f3bcbb

SHA1
12b0af648fa45ba88b890ba54e3ce96645d80e06

SHA256
cbb3acabdf144ca3484d5cc5311c4e4a075a14fde6c1b60deeabe70c4a46f044

SHA512
4f42753517c46a3c676811e30bfd59fa5fa3de729072934a1a9cb30d9170f807ca8089f6a6803583ccb0875d6629c1646279d288df316e04dd778bc51777fab7

Download Submit
C:\Windows\SysWOW64\Piadma32.exe

Filesize
109KB

MD5
30dae0ef834fb4471bf994e3775d9b5e

SHA1
630af1d223e7e809d448736ac6a195fa3d3d3787

SHA256
cdcb01e40730909f2cb7de36b46fc0b29f8a66ac3bf67780c6b5bddbf8bf7f93

SHA512
518a2374477c0f387ca39c07fe49a07b10d6d4d50b08f55dfbf1310669e547289526f259e846dc953f750ab415c2eb35659b68b3f7266a1505ae698d131d9619

Download Submit
C:\Windows\SysWOW64\Pjhnqfla.exe

Filesize
109KB

MD5
5ddf7311106973ea12f82d078920b4b8

SHA1
759d681ff35c15a7bf4b0a53978e3f9e6b8ef756

SHA256
b7b7311f43eaada6cf5c0dd6f99ec87412c7dca93a110640f9604a64f8744d31

SHA512
1b132cde6a746b3b2fe820958617c587275097830dc53a0609382c2dcc2d4c92e33dfa21279979cdd87ac1cfcabe2161a66d266a3fa5dc9de8d107633ddeedc4

Download Submit
C:\Windows\SysWOW64\Pjjkfe32.exe

Filesize
109KB

MD5
5124450c420504045ec46d9a67919fb6

SHA1
76fdf9146f20b4a4b0170f22d1f44209d55f6c10

SHA256
12aca364cd3e625d4f05b5b2dbb586451ee8ffbd62864896ebe9815ef31a6e13

SHA512
b66ae09fd6081aa7130419c2c63cb4a50924f80466296a595ca3aececd03189c5456f28c2d83d49f53592070156107fe7ed8b9908fd2e93fadcd2f63174ea3a6

Download Submit
C:\Windows\SysWOW64\Plndcmmj.exe

Filesize
109KB

MD5
953b8e21a3604e5386de5c91f3356873

SHA1
91bc7a37d35085c93f65cd628a42fee17b85b5f9

SHA256
7b849866b3168712a905e928c24a1743a10b765c58e8c5e2a5f52e544f2e351f

SHA512
8fc72c981219420b0055a99f0750239081d1f2b9ca9d024770dc19ef0af67657b3f0bcb5deb167381a7aaeb5fd79469ee7b669b84db359e773bfba5724273111

Download Submit
C:\Windows\SysWOW64\Qifnhaho.exe

Filesize
109KB

MD5
60e5039b8499e0c994921e4ea0862209

SHA1
d2e3f52e37fb9fb89d8488e01de49d96147b498a

SHA256
2cb22f6613846c8e51d2602774ce9a43ecba2adc0ae5cb4dbe778ab66649995e

SHA512
a452181360e28046c8c57f9acc9646bde81996f72c2f31d3f5059da0bc2739d1c8460f29841ed643015fa4e26920122896e1cbaa5c94a2f112f65ea9fe534c12

Download Submit
C:\Windows\SysWOW64\Qncfphff.exe

Filesize
109KB

MD5
36ca7dee3d5b5a75c208b60cf8209feb

SHA1
fec0bfa367cfd73bed7de71db5c6588b5b53ffa6

SHA256
66c6de3dc580535c50787641f24e7f96e1525c15706145922827c6ade2fd1029

SHA512
985b1c9bdd61e04f851e74c9a68201c72fd9a9e343ca7efcf4ef399c5f862b0dbcf2ad95ba2dca4aa031406a1e98b2fe80b7ba3acc526fbad66d08d4f38f6802

Download Submit
\Windows\SysWOW64\Gigkbm32.exe

Filesize
109KB

MD5
0eabb496d6d20d1047383269af4d620e

SHA1
0103b158c4b1d2f453c7ab1754dfffb9c1279d78

SHA256
231aa857f78daae8e5284c37f3c13851ba3ce09be0f52ad24a94fd0a814c791d

SHA512
b38e352f2bfe72d97d1260baeb12be59f4b2fd849b24857d5b7b6ddf426d6bbbeb0a44b7658ff7d5b2a052528b39f40b39726c8d74e28e24f0da1a3882838a57

Download Submit
\Windows\SysWOW64\Hgiked32.exe

Filesize
109KB

MD5
4f825654ba949a21a80f6ae6183d8f40

SHA1
af00374bba07b0e936b9ff1631ab0dcca320fb1f

SHA256
e389cdbc66aaf6ac1b87c2cbaa1a7e15b0fe2d3f334687df44b7e04e80541014

SHA512
7b2ffc0b178f21bd9d76afe2301f74d42fc328f25217ce7beed64de73b8531a9c129845dc672a5e32c86ee364b81828d2fc28417e6eb051d26c5e1a47a4983aa

Download Submit
\Windows\SysWOW64\Hhcndhap.exe

Filesize
109KB

MD5
c8843e6ff40dc8d49a0eef0ca16b07db

SHA1
2ffe370495f7545d68f72cb3a58af29bda68d5d2

SHA256
82038eff58a6f6100cf8f3b18bdb0d5ced9d5dfc49c26a64627de4a0e4276430

SHA512
52760416c626ef53b26a8675aaf1a9aed6c0cecb12e96a2a8329fe058df7eaab0c387f025295f13b8325c107ccff2d7e5c5ed23a72d6ab9d75c86d6c95486fe6

Download Submit
\Windows\SysWOW64\Hijhhl32.exe

Filesize
109KB

MD5
71e3f45563a96f1a03475bb089e4aec3

SHA1
877a87a94b06747b399527601433f202cc007aba

SHA256
bcf148c1b6393cac8b64069c074aa976e9df54f074059fe5a1ecce75c578cde9

SHA512
17f55370240fdd991127a3875b3dfe28a24df436a542df6cd8a6bba40387fd07cd42c6d0d6ce6bf00dcfee2ffe054a364aac4d5c5e6db792f96e9b3c58d67018

Download Submit
\Windows\SysWOW64\Hjlemlnk.exe

Filesize
109KB

MD5
0bfb958f632a897e1bd2cf77875752bc

SHA1
c22f0b7fc7d756aabee4342038f7e624f1b3a0d1

SHA256
2ad28d1e16919ec68cae426a38fd04553a84fdb577f40f3178e9158be4269bee

SHA512
94b657cb5f11078c7528dabdc619ae706895cfb222e17773e720671f6c113b4520876c296922b22f3a1ba002630052c91f66e747d7f26250c159ac7267034971

Download Submit
\Windows\SysWOW64\Icfbkded.exe

Filesize
109KB

MD5
2c5d398b62c42cc3a5b740036f5c7171

SHA1
3abc6961d48919cae84b82846b38f4853d47a04e

SHA256
0044adaa010b6c53394bce21f3d07a98a0fb35154273a1695053b3ecb5e8a8ab

SHA512
f84d102df31c2fcd21e5efb9499f9c2b8293ed3a5507dff0c663a040a41b13a51a9a9656935995cc2578fc4582edaa92fc671bd29a89800cea3e3e7cb29945f7

Download Submit
\Windows\SysWOW64\Igmepdbc.exe

Filesize
109KB

MD5
203b9ff0f7a8a881724a7c5b19d02069

SHA1
d83d340f23cb88edfdd9679694db00f19278c88e

SHA256
b15509a21d6dace2681eac9b0d0047789f04fbe77bb3d4bfc5ca3c4683d8a526

SHA512
8c8de4de232a5949fb03ad01c3de21fd098e3038a51452646ea4abe7755df499297a1e12733a8e86682c6c85dfbf7f0d87eca200e6d03572d18176ff18b013ba

Download Submit
\Windows\SysWOW64\Iomcpe32.exe

Filesize
109KB

MD5
185878eee7439513c8d571965756fd1f

SHA1
9b6c3a8ac4158edbf80482c65efed4df7161179d

SHA256
51ebe82c39f62c1a803e6975d7ecee444b5849fb53254f28f897154d12982333

SHA512
82a478d5e00db3f0b912431dc0dfdba557cdc825517896bab15e27790e2ffb083790da9cb0bc7062f9e3539874bfa0570b3b853ae8daae298d0299618aa41d10

Download Submit
\Windows\SysWOW64\Iqfiii32.exe

Filesize
109KB

MD5
335763ee54361cf89b2cd5dee9db2fa1

SHA1
592220d7fc33a96863edf56892e2e8ac41085d9e

SHA256
0395af521a9cc87878ce61fd2ef140364ed223a2d8d29dceffff4cceb3d83509

SHA512
6e304813cb67e9a8ad91551f08c0a9447c116b96004f71de7cac59a9536e92fc71e23154f39c2068f8e8422e0973c1474a56ec4496f4aa8e5827916ee2921306

Download Submit
\Windows\SysWOW64\Jelhmlgm.exe

Filesize
109KB

MD5
b429bef53b7e3ca3582d16f9adba0cb9

SHA1
b7d7a623ca8550748625cd803c034a99efcd93e8

SHA256
9a2510a6ce31830ae87f372b916787641d3286de75c32a173a9782fbfe568e2e

SHA512
245b507db310bb7b1026bc9599aa090413a05926a2740351bb3109cf5cc16ade9ab15a28805f1732f38b798a82435c82bffc8f8c59a59c4524cf0014b494cfe1

Download Submit
\Windows\SysWOW64\Jjpgfbom.exe

Filesize
109KB

MD5
4fe2d9b1ed9f464440163764491d6a7b

SHA1
b2c42f6c3dcdee72c3c3755fec39ddc97228341f

SHA256
762eb6825abad119a824cf235e97c32824e9519e5d9c2ef02d1f26fd5cc168cf

SHA512
4d134b2da93451e2caf3d1f127e94c936def2f83607d88203c4f8dc9626c1c75a272453a0be9a7fcde209548e5cd9a390bd4d3b76e1ef13961d02af1b3b52241

Download Submit
\Windows\SysWOW64\Jngilalk.exe

Filesize
109KB

MD5
477e59a8f36a90db7088004de88c9de1

SHA1
728f6eb8f7306f1da30f43dfb4f62f8d8c28feba

SHA256
539e74b4e56b9048b6a16fe57fdeac637e7053acafacac062e7413d099af71a5

SHA512
c1bf548888bfc881ee58d4d8d39c1d637d926cf793a6c613588df736b685152fa2b1e8a234041cbe4e90b9a539c7aeb875d930afefb76f198eb55b5f8826a22f

Download Submit
\Windows\SysWOW64\Joppeeif.exe

Filesize
109KB

MD5
030af6fd797dd29b958b47ef0a5d1925

SHA1
98282d81a78a891e391ef21840270a8da2e963a1

SHA256
07088635ea31600af5844563e0f00c69f04cd5c9922af809d353bc57c9c1dc0b

SHA512
edcb93a0c9070fc52d25c6c75f56b887753749c9a4ea0ad7c691adaad077c1a631124e56f2903d3ad8822709b847a227eddaa281d5d9974f621617c8ad80726b

Download Submit
\Windows\SysWOW64\Kbnhpdke.exe

Filesize
109KB

MD5
d104980a6a56f9fc76718af203d22a25

SHA1
9d75c38c2411e39e6476ab3cecb35547293ce7f5

SHA256
534f6b9f31615f6c4bd3826f06610de1eda6c484633b32f04bd6f2480d75b8b1

SHA512
a61593d179821129467be13cb95bd1f7d586100b0c0ef33fc5c71287e2775d69f5c56da96cb517554ab6490e9b4425bb4506f043fe0685bc2dba59230681bd73

Download Submit
memory/376-491-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/376-486-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/544-263-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/544-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/544-262-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/560-465-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/560-469-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/560-139-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/560-131-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/596-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/596-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/628-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/628-300-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/628-295-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/936-416-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/936-417-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/936-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-241-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/968-237-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1044-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1048-231-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1048-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1048-227-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1276-285-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1276-284-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1276-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1292-448-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1292-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1412-60-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/1412-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1412-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1420-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1420-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1420-168-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1544-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1544-402-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1696-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1696-502-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1696-501-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1744-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1744-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1752-459-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1960-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2140-211-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2196-470-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2212-196-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2212-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2312-503-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-394-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2356-471-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2356-480-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2356-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-307-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2388-301-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-303-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2408-270-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2408-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2408-274-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2488-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2488-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2516-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2516-26-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2516-34-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2520-368-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2520-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2548-360-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2548-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-426-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-428-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2588-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-349-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2616-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2644-338-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2644-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2660-328-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2660-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2660-327-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2704-317-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/2704-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-356-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-116-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2908-384-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2908-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2908-380-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2952-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2956-252-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2956-248-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2956-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3064-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3064-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3064-7-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/3064-12-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads