berbew | 6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
Size

90KB
MD5

92c1b53d249c5427e1eaed3b28ba42bd
SHA1

a73a6c136837b15fc26deeba6ee14bb3d64c69e1
SHA256

6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2
SHA512

aaa0d7cbde1b3be30dcfb61c5e7b9442c473500c4b2b6a318edbb97a365e16df6da083a35062d7329992eca59e5e6fd6bd1fa292427e04183c01e7e75d792e76
SSDEEP

1536:Xlhlk+HyXfUW7aZSttbGHO0g9WI9yVnQQC4fl8k/7TZPf:nlvSx2iGHO0uW83T498a7TZPf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hcnfjpib.exeNqkgbkdj.exeJjhgdqef.exeJhlgnd32.exeKifgllbc.exeGnhkkjbf.exeGgbljogc.exeMglpjc32.exeMoahdd32.exeOfklpa32.exeKadhen32.exeKlimcf32.exeIfceemdj.exeJafilj32.exeKiamql32.exeLojeda32.exeLghgocek.exeIcponb32.exeImkqmh32.exeHefibg32.exeIjhkembk.exeJplinckj.exeJpnfdbig.exeGhmohcbl.exeHjfbaj32.exeOfmiea32.exeNnfeep32.exeImdjlida.exeKihcakpa.exeGgeiooea.exeIamjghnm.exeGocnjn32.exeMliibj32.exeEpbamc32.exeFimclh32.exeFiopah32.exeLppkgi32.exe6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exeEkeiel32.exeHcqcoo32.exeHnjdpm32.exeJhndcd32.exeOpcaiggo.exeFoqadnpq.exeIadphghe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnfjpib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqkgbkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjhgdqef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhlgnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kifgllbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnhkkjbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggbljogc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moahdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadhen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifceemdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jafilj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiamql32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojeda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgocek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icponb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imkqmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hefibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhkembk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplinckj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnfdbig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgdqef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiamql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmohcbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfbaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmiea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglpjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfeep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdjlida.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhkembk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kihcakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggeiooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iamjghnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gocnjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghgocek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mliibj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moahdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epbamc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fimclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiopah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfbaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhlgnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lppkgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekeiel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnjdpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekeiel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnfjpib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnhkkjbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhndcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhndcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadhen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mliibj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fimclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foqadnpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hefibg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iadphghe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkqmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifceemdj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 47 IoCs

Processes:

Ekeiel32.exeEpbamc32.exeFimclh32.exeFiopah32.exeFpkdca32.exeFoqadnpq.exeGocnjn32.exeGnhkkjbf.exeGhmohcbl.exeGgbljogc.exeGgeiooea.exeHjfbaj32.exeHcnfjpib.exeHcqcoo32.exeHnjdpm32.exeHefibg32.exeIamjghnm.exeImdjlida.exeIjhkembk.exeIcponb32.exeIadphghe.exeImkqmh32.exeIfceemdj.exeJplinckj.exeJpnfdbig.exeJjhgdqef.exeJhlgnd32.exeJhndcd32.exeJafilj32.exeKiamql32.exeKifgllbc.exeKihcakpa.exeKadhen32.exeKlimcf32.exeLojeda32.exeLghgocek.exeLppkgi32.exeMglpjc32.exeMliibj32.exeMoahdd32.exeNnfeep32.exeNplkhh32.exeNqkgbkdj.exeOfklpa32.exeOpcaiggo.exeOfmiea32.exeOhnemidj.exe

pid	process
2028	Ekeiel32.exe
2172	Epbamc32.exe
2904	Fimclh32.exe
2888	Fiopah32.exe
2936	Fpkdca32.exe
2748	Foqadnpq.exe
2812	Gocnjn32.exe
2672	Gnhkkjbf.exe
3060	Ghmohcbl.exe
2312	Ggbljogc.exe
1476	Ggeiooea.exe
1072	Hjfbaj32.exe
2660	Hcnfjpib.exe
2260	Hcqcoo32.exe
2180	Hnjdpm32.exe
2420	Hefibg32.exe
2232	Iamjghnm.exe
2364	Imdjlida.exe
1664	Ijhkembk.exe
308	Icponb32.exe
1160	Iadphghe.exe
928	Imkqmh32.exe
2040	Ifceemdj.exe
1572	Jplinckj.exe
2344	Jpnfdbig.exe
1244	Jjhgdqef.exe
2532	Jhlgnd32.exe
2528	Jhndcd32.exe
2968	Jafilj32.exe
2228	Kiamql32.exe
2304	Kifgllbc.exe
2692	Kihcakpa.exe
2752	Kadhen32.exe
908	Klimcf32.exe
3024	Lojeda32.exe
1928	Lghgocek.exe
2676	Lppkgi32.exe
1208	Mglpjc32.exe
2448	Mliibj32.exe
2540	Moahdd32.exe
2872	Nnfeep32.exe
2492	Nplkhh32.exe
2200	Nqkgbkdj.exe
1548	Ofklpa32.exe
1784	Opcaiggo.exe
1528	Ofmiea32.exe
2340	Ohnemidj.exe

Loads dropped DLL 64 IoCs

Processes:

6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exeEkeiel32.exeEpbamc32.exeFimclh32.exeFiopah32.exeFpkdca32.exeFoqadnpq.exeGocnjn32.exeGnhkkjbf.exeGhmohcbl.exeGgbljogc.exeGgeiooea.exeHjfbaj32.exeHcnfjpib.exeHcqcoo32.exeHnjdpm32.exeHefibg32.exeIamjghnm.exeImdjlida.exeIjhkembk.exeIcponb32.exeIadphghe.exeImkqmh32.exeIfceemdj.exeJplinckj.exeJpnfdbig.exeJjhgdqef.exeJhlgnd32.exeJhndcd32.exeJafilj32.exeKiamql32.exeKifgllbc.exe

pid	process
2412	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
2412	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
2028	Ekeiel32.exe
2028	Ekeiel32.exe
2172	Epbamc32.exe
2172	Epbamc32.exe
2904	Fimclh32.exe
2904	Fimclh32.exe
2888	Fiopah32.exe
2888	Fiopah32.exe
2936	Fpkdca32.exe
2936	Fpkdca32.exe
2748	Foqadnpq.exe
2748	Foqadnpq.exe
2812	Gocnjn32.exe
2812	Gocnjn32.exe
2672	Gnhkkjbf.exe
2672	Gnhkkjbf.exe
3060	Ghmohcbl.exe
3060	Ghmohcbl.exe
2312	Ggbljogc.exe
2312	Ggbljogc.exe
1476	Ggeiooea.exe
1476	Ggeiooea.exe
1072	Hjfbaj32.exe
1072	Hjfbaj32.exe
2660	Hcnfjpib.exe
2660	Hcnfjpib.exe
2260	Hcqcoo32.exe
2260	Hcqcoo32.exe
2180	Hnjdpm32.exe
2180	Hnjdpm32.exe
2420	Hefibg32.exe
2420	Hefibg32.exe
2232	Iamjghnm.exe
2232	Iamjghnm.exe
2364	Imdjlida.exe
2364	Imdjlida.exe
1664	Ijhkembk.exe
1664	Ijhkembk.exe
308	Icponb32.exe
308	Icponb32.exe
1160	Iadphghe.exe
1160	Iadphghe.exe
928	Imkqmh32.exe
928	Imkqmh32.exe
2040	Ifceemdj.exe
2040	Ifceemdj.exe
1572	Jplinckj.exe
1572	Jplinckj.exe
2344	Jpnfdbig.exe
2344	Jpnfdbig.exe
1244	Jjhgdqef.exe
1244	Jjhgdqef.exe
2532	Jhlgnd32.exe
2532	Jhlgnd32.exe
2528	Jhndcd32.exe
2528	Jhndcd32.exe
2968	Jafilj32.exe
2968	Jafilj32.exe
2228	Kiamql32.exe
2228	Kiamql32.exe
2304	Kifgllbc.exe
2304	Kifgllbc.exe

Drops file in System32 directory 64 IoCs

Processes:

Epbamc32.exeFoqadnpq.exeIfceemdj.exeMliibj32.exeFimclh32.exeHcqcoo32.exeIjhkembk.exeJplinckj.exeKifgllbc.exeKihcakpa.exeHjfbaj32.exeHnjdpm32.exeHefibg32.exeImkqmh32.exeJjhgdqef.exeJhlgnd32.exeJhndcd32.exeJafilj32.exeGgbljogc.exe6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exeGhmohcbl.exeHcnfjpib.exeOfmiea32.exeFiopah32.exeGocnjn32.exeGnhkkjbf.exeGgeiooea.exeMoahdd32.exeOfklpa32.exeOpcaiggo.exeKiamql32.exeEkeiel32.exeFpkdca32.exeIcponb32.exeLghgocek.exeKlimcf32.exeJpnfdbig.exeLppkgi32.exeNnfeep32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Fimclh32.exe	Epbamc32.exe
File created	C:\Windows\SysWOW64\Gakqdpmg.dll	Epbamc32.exe
File created	C:\Windows\SysWOW64\Hpmjno32.dll	Foqadnpq.exe
File created	C:\Windows\SysWOW64\Dhkjod32.dll	Ifceemdj.exe
File opened for modification	C:\Windows\SysWOW64\Moahdd32.exe	Mliibj32.exe
File created	C:\Windows\SysWOW64\Fiopah32.exe	Fimclh32.exe
File created	C:\Windows\SysWOW64\Kjenbk32.dll	Hcqcoo32.exe
File created	C:\Windows\SysWOW64\Icponb32.exe	Ijhkembk.exe
File created	C:\Windows\SysWOW64\Jpnfdbig.exe	Jplinckj.exe
File opened for modification	C:\Windows\SysWOW64\Kihcakpa.exe	Kifgllbc.exe
File created	C:\Windows\SysWOW64\Nekofg32.dll	Kihcakpa.exe
File created	C:\Windows\SysWOW64\Moahdd32.exe	Mliibj32.exe
File created	C:\Windows\SysWOW64\Kcnhokob.dll	Fimclh32.exe
File created	C:\Windows\SysWOW64\Hcnfjpib.exe	Hjfbaj32.exe
File opened for modification	C:\Windows\SysWOW64\Hefibg32.exe	Hnjdpm32.exe
File created	C:\Windows\SysWOW64\Bbfhmqhk.dll	Hefibg32.exe
File created	C:\Windows\SysWOW64\Gojnhfhh.dll	Imkqmh32.exe
File opened for modification	C:\Windows\SysWOW64\Jhlgnd32.exe	Jjhgdqef.exe
File opened for modification	C:\Windows\SysWOW64\Jhndcd32.exe	Jhlgnd32.exe
File opened for modification	C:\Windows\SysWOW64\Jafilj32.exe	Jhndcd32.exe
File created	C:\Windows\SysWOW64\Opgmqq32.dll	Jafilj32.exe
File opened for modification	C:\Windows\SysWOW64\Ggeiooea.exe	Ggbljogc.exe
File opened for modification	C:\Windows\SysWOW64\Ekeiel32.exe	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
File opened for modification	C:\Windows\SysWOW64\Ggbljogc.exe	Ghmohcbl.exe
File created	C:\Windows\SysWOW64\Cffgqn32.dll	Ghmohcbl.exe
File created	C:\Windows\SysWOW64\Hcqcoo32.exe	Hcnfjpib.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Ofmiea32.exe
File opened for modification	C:\Windows\SysWOW64\Fpkdca32.exe	Fiopah32.exe
File opened for modification	C:\Windows\SysWOW64\Gocnjn32.exe	Foqadnpq.exe
File created	C:\Windows\SysWOW64\Noiqmcii.dll	Gocnjn32.exe
File created	C:\Windows\SysWOW64\Ghmohcbl.exe	Gnhkkjbf.exe
File created	C:\Windows\SysWOW64\Hefibg32.exe	Hnjdpm32.exe
File created	C:\Windows\SysWOW64\Kadhen32.exe	Kihcakpa.exe
File created	C:\Windows\SysWOW64\Jhlgnd32.exe	Jjhgdqef.exe
File opened for modification	C:\Windows\SysWOW64\Kadhen32.exe	Kihcakpa.exe
File created	C:\Windows\SysWOW64\Maeljf32.dll	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
File created	C:\Windows\SysWOW64\Biiqmd32.dll	Hcnfjpib.exe
File created	C:\Windows\SysWOW64\Acaoflhe.dll	Ijhkembk.exe
File created	C:\Windows\SysWOW64\Lhjcendg.dll	Kifgllbc.exe
File created	C:\Windows\SysWOW64\Ckkmkh32.dll	Ggeiooea.exe
File created	C:\Windows\SysWOW64\Nnfeep32.exe	Moahdd32.exe
File created	C:\Windows\SysWOW64\Pbbfhefe.dll	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Hdfjnimm.dll	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Cdkklgcn.dll	Kiamql32.exe
File created	C:\Windows\SysWOW64\Epbamc32.exe	Ekeiel32.exe
File opened for modification	C:\Windows\SysWOW64\Foqadnpq.exe	Fpkdca32.exe
File created	C:\Windows\SysWOW64\Ggeiooea.exe	Ggbljogc.exe
File created	C:\Windows\SysWOW64\Hjfbaj32.exe	Ggeiooea.exe
File created	C:\Windows\SysWOW64\Hnjdpm32.exe	Hcqcoo32.exe
File created	C:\Windows\SysWOW64\Iadphghe.exe	Icponb32.exe
File opened for modification	C:\Windows\SysWOW64\Jpnfdbig.exe	Jplinckj.exe
File created	C:\Windows\SysWOW64\Lppkgi32.exe	Lghgocek.exe
File opened for modification	C:\Windows\SysWOW64\Fiopah32.exe	Fimclh32.exe
File opened for modification	C:\Windows\SysWOW64\Iamjghnm.exe	Hefibg32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Ofmiea32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmohcbl.exe	Gnhkkjbf.exe
File created	C:\Windows\SysWOW64\Ifceemdj.exe	Imkqmh32.exe
File opened for modification	C:\Windows\SysWOW64\Lojeda32.exe	Klimcf32.exe
File created	C:\Windows\SysWOW64\Bogiic32.dll	Jpnfdbig.exe
File opened for modification	C:\Windows\SysWOW64\Mglpjc32.exe	Lppkgi32.exe
File created	C:\Windows\SysWOW64\Qegpeh32.dll	Nnfeep32.exe
File created	C:\Windows\SysWOW64\Fpkdca32.exe	Fiopah32.exe
File opened for modification	C:\Windows\SysWOW64\Gnhkkjbf.exe	Gocnjn32.exe
File created	C:\Windows\SysWOW64\Jhndcd32.exe	Jhlgnd32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2612 2340 WerFault.exe Ohnemidj.exe

pid	pid_target	process	target process
2612	2340	WerFault.exe	Ohnemidj.exe

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Hcnfjpib.exeJafilj32.exeKiamql32.exeOhnemidj.exeFiopah32.exeGhmohcbl.exeIfceemdj.exeFoqadnpq.exeJjhgdqef.exeJhlgnd32.exeKadhen32.exeLppkgi32.exeMglpjc32.exe6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exeEkeiel32.exeImdjlida.exeJplinckj.exeMoahdd32.exeOfmiea32.exeHcqcoo32.exeIamjghnm.exeIadphghe.exeImkqmh32.exeJpnfdbig.exeMliibj32.exeHnjdpm32.exeKifgllbc.exeNplkhh32.exeNqkgbkdj.exeNnfeep32.exeEpbamc32.exeGnhkkjbf.exeGgeiooea.exeHjfbaj32.exeIjhkembk.exeLojeda32.exeJhndcd32.exeKihcakpa.exeFimclh32.exeFpkdca32.exeGocnjn32.exeGgbljogc.exeHefibg32.exeIcponb32.exeKlimcf32.exeLghgocek.exeOfklpa32.exeOpcaiggo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcnfjpib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafilj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiamql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fiopah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghmohcbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifceemdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foqadnpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgdqef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhlgnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadhen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lppkgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mglpjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekeiel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imdjlida.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplinckj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moahdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmiea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcqcoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamjghnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iadphghe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imkqmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnfdbig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mliibj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnjdpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifgllbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplkhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqkgbkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfeep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epbamc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnhkkjbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggeiooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfbaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijhkembk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojeda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhndcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kihcakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fimclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpkdca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gocnjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggbljogc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hefibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icponb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgocek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofklpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opcaiggo.exe

Modifies registry class 64 IoCs

Processes:

Ofmiea32.exeGnhkkjbf.exeGgeiooea.exeHjfbaj32.exeIadphghe.exeJjhgdqef.exeFimclh32.exeHefibg32.exeKadhen32.exeGhmohcbl.exeIjhkembk.exeJpnfdbig.exeMglpjc32.exeEpbamc32.exeGgbljogc.exeIcponb32.exeImkqmh32.exeEkeiel32.exeKifgllbc.exeLojeda32.exeJafilj32.exeOpcaiggo.exe6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exeFiopah32.exeFpkdca32.exeMliibj32.exeNqkgbkdj.exeHcnfjpib.exeKlimcf32.exeJhlgnd32.exeNnfeep32.exeHnjdpm32.exeKiamql32.exeGocnjn32.exeLppkgi32.exeJhndcd32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmiea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnhkkjbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggeiooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfbaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqpbhhnh.dll"	Iadphghe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelgce32.dll"	Jjhgdqef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fimclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hefibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadhen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmohcbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acaoflhe.dll"	Ijhkembk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnfdbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bogiic32.dll"	Jpnfdbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpnfdbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epbamc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggbljogc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkmkh32.dll"	Ggeiooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icponb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imkqmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekeiel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cffgqn32.dll"	Ghmohcbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjcendg.dll"	Kifgllbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebdmn32.dll"	Lojeda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkgliff.dll"	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakqdpmg.dll"	Epbamc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgmqq32.dll"	Jafilj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiopah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpkdca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icponb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mceodfan.dll"	Mliibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keniknoh.dll"	Nqkgbkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcelpdef.dll"	Fiopah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabfkg32.dll"	Fpkdca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpkdca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnfjpib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cebplg32.dll"	Gnhkkjbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbabndd.dll"	Klimcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihefej32.dll"	Icponb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iadphghe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhlgnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfeep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqkgbkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kifgllbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klimcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofmiea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnjdpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iadphghe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojnhfhh.dll"	Imkqmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhlgnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klimcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnfjpib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiamql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gocnjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noiqmcii.dll"	Gocnjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imkqmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lppkgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnfeep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnhkkjbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfhmqhk.dll"	Hefibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhbc32.dll"	Jhndcd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2412 wrote to memory of 2028	2412	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe	Ekeiel32.exe
PID 2412 wrote to memory of 2028	2412	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe	Ekeiel32.exe
PID 2412 wrote to memory of 2028	2412	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe	Ekeiel32.exe
PID 2412 wrote to memory of 2028	2412	6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe	Ekeiel32.exe
PID 2028 wrote to memory of 2172	2028	Ekeiel32.exe	Epbamc32.exe
PID 2028 wrote to memory of 2172	2028	Ekeiel32.exe	Epbamc32.exe
PID 2028 wrote to memory of 2172	2028	Ekeiel32.exe	Epbamc32.exe
PID 2028 wrote to memory of 2172	2028	Ekeiel32.exe	Epbamc32.exe
PID 2172 wrote to memory of 2904	2172	Epbamc32.exe	Fimclh32.exe
PID 2172 wrote to memory of 2904	2172	Epbamc32.exe	Fimclh32.exe
PID 2172 wrote to memory of 2904	2172	Epbamc32.exe	Fimclh32.exe
PID 2172 wrote to memory of 2904	2172	Epbamc32.exe	Fimclh32.exe
PID 2904 wrote to memory of 2888	2904	Fimclh32.exe	Fiopah32.exe
PID 2904 wrote to memory of 2888	2904	Fimclh32.exe	Fiopah32.exe
PID 2904 wrote to memory of 2888	2904	Fimclh32.exe	Fiopah32.exe
PID 2904 wrote to memory of 2888	2904	Fimclh32.exe	Fiopah32.exe
PID 2888 wrote to memory of 2936	2888	Fiopah32.exe	Fpkdca32.exe
PID 2888 wrote to memory of 2936	2888	Fiopah32.exe	Fpkdca32.exe
PID 2888 wrote to memory of 2936	2888	Fiopah32.exe	Fpkdca32.exe
PID 2888 wrote to memory of 2936	2888	Fiopah32.exe	Fpkdca32.exe
PID 2936 wrote to memory of 2748	2936	Fpkdca32.exe	Foqadnpq.exe
PID 2936 wrote to memory of 2748	2936	Fpkdca32.exe	Foqadnpq.exe
PID 2936 wrote to memory of 2748	2936	Fpkdca32.exe	Foqadnpq.exe
PID 2936 wrote to memory of 2748	2936	Fpkdca32.exe	Foqadnpq.exe
PID 2748 wrote to memory of 2812	2748	Foqadnpq.exe	Gocnjn32.exe
PID 2748 wrote to memory of 2812	2748	Foqadnpq.exe	Gocnjn32.exe
PID 2748 wrote to memory of 2812	2748	Foqadnpq.exe	Gocnjn32.exe
PID 2748 wrote to memory of 2812	2748	Foqadnpq.exe	Gocnjn32.exe
PID 2812 wrote to memory of 2672	2812	Gocnjn32.exe	Gnhkkjbf.exe
PID 2812 wrote to memory of 2672	2812	Gocnjn32.exe	Gnhkkjbf.exe
PID 2812 wrote to memory of 2672	2812	Gocnjn32.exe	Gnhkkjbf.exe
PID 2812 wrote to memory of 2672	2812	Gocnjn32.exe	Gnhkkjbf.exe
PID 2672 wrote to memory of 3060	2672	Gnhkkjbf.exe	Ghmohcbl.exe
PID 2672 wrote to memory of 3060	2672	Gnhkkjbf.exe	Ghmohcbl.exe
PID 2672 wrote to memory of 3060	2672	Gnhkkjbf.exe	Ghmohcbl.exe
PID 2672 wrote to memory of 3060	2672	Gnhkkjbf.exe	Ghmohcbl.exe
PID 3060 wrote to memory of 2312	3060	Ghmohcbl.exe	Ggbljogc.exe
PID 3060 wrote to memory of 2312	3060	Ghmohcbl.exe	Ggbljogc.exe
PID 3060 wrote to memory of 2312	3060	Ghmohcbl.exe	Ggbljogc.exe
PID 3060 wrote to memory of 2312	3060	Ghmohcbl.exe	Ggbljogc.exe
PID 2312 wrote to memory of 1476	2312	Ggbljogc.exe	Ggeiooea.exe
PID 2312 wrote to memory of 1476	2312	Ggbljogc.exe	Ggeiooea.exe
PID 2312 wrote to memory of 1476	2312	Ggbljogc.exe	Ggeiooea.exe
PID 2312 wrote to memory of 1476	2312	Ggbljogc.exe	Ggeiooea.exe
PID 1476 wrote to memory of 1072	1476	Ggeiooea.exe	Hjfbaj32.exe
PID 1476 wrote to memory of 1072	1476	Ggeiooea.exe	Hjfbaj32.exe
PID 1476 wrote to memory of 1072	1476	Ggeiooea.exe	Hjfbaj32.exe
PID 1476 wrote to memory of 1072	1476	Ggeiooea.exe	Hjfbaj32.exe
PID 1072 wrote to memory of 2660	1072	Hjfbaj32.exe	Hcnfjpib.exe
PID 1072 wrote to memory of 2660	1072	Hjfbaj32.exe	Hcnfjpib.exe
PID 1072 wrote to memory of 2660	1072	Hjfbaj32.exe	Hcnfjpib.exe
PID 1072 wrote to memory of 2660	1072	Hjfbaj32.exe	Hcnfjpib.exe
PID 2660 wrote to memory of 2260	2660	Hcnfjpib.exe	Hcqcoo32.exe
PID 2660 wrote to memory of 2260	2660	Hcnfjpib.exe	Hcqcoo32.exe
PID 2660 wrote to memory of 2260	2660	Hcnfjpib.exe	Hcqcoo32.exe
PID 2660 wrote to memory of 2260	2660	Hcnfjpib.exe	Hcqcoo32.exe
PID 2260 wrote to memory of 2180	2260	Hcqcoo32.exe	Hnjdpm32.exe
PID 2260 wrote to memory of 2180	2260	Hcqcoo32.exe	Hnjdpm32.exe
PID 2260 wrote to memory of 2180	2260	Hcqcoo32.exe	Hnjdpm32.exe
PID 2260 wrote to memory of 2180	2260	Hcqcoo32.exe	Hnjdpm32.exe
PID 2180 wrote to memory of 2420	2180	Hnjdpm32.exe	Hefibg32.exe
PID 2180 wrote to memory of 2420	2180	Hnjdpm32.exe	Hefibg32.exe
PID 2180 wrote to memory of 2420	2180	Hnjdpm32.exe	Hefibg32.exe
PID 2180 wrote to memory of 2420	2180	Hnjdpm32.exe	Hefibg32.exe

C:\Users\Admin\AppData\Local\Temp\6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe
"C:\Users\Admin\AppData\Local\Temp\6c19199dd28c894d5a8f0990486f7a22543a4b13b86c58755d744cff51d501e2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\Ekeiel32.exe
  C:\Windows\system32\Ekeiel32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\Epbamc32.exe
    C:\Windows\system32\Epbamc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\Fimclh32.exe
      C:\Windows\system32\Fimclh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Fiopah32.exe
        
        C:\Windows\system32\Fiopah32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\Fpkdca32.exe
        
        C:\Windows\system32\Fpkdca32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Foqadnpq.exe
        
        C:\Windows\system32\Foqadnpq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Gocnjn32.exe
        
        C:\Windows\system32\Gocnjn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Gnhkkjbf.exe
        
        C:\Windows\system32\Gnhkkjbf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Ghmohcbl.exe
        
        C:\Windows\system32\Ghmohcbl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ggbljogc.exe
        
        C:\Windows\system32\Ggbljogc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ggeiooea.exe
        
        C:\Windows\system32\Ggeiooea.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Hjfbaj32.exe
        
        C:\Windows\system32\Hjfbaj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Hcnfjpib.exe
        
        C:\Windows\system32\Hcnfjpib.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Hcqcoo32.exe
        
        C:\Windows\system32\Hcqcoo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Hnjdpm32.exe
        
        C:\Windows\system32\Hnjdpm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Hefibg32.exe
        
        C:\Windows\system32\Hefibg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Iamjghnm.exe
        
        C:\Windows\system32\Iamjghnm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Imdjlida.exe
        
        C:\Windows\system32\Imdjlida.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Ijhkembk.exe
        
        C:\Windows\system32\Ijhkembk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Icponb32.exe
        
        C:\Windows\system32\Icponb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Iadphghe.exe
        
        C:\Windows\system32\Iadphghe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Imkqmh32.exe
        
        C:\Windows\system32\Imkqmh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Ifceemdj.exe
        
        C:\Windows\system32\Ifceemdj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Jplinckj.exe
        
        C:\Windows\system32\Jplinckj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Jpnfdbig.exe
        
        C:\Windows\system32\Jpnfdbig.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Jjhgdqef.exe
        
        C:\Windows\system32\Jjhgdqef.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Jhlgnd32.exe
        
        C:\Windows\system32\Jhlgnd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Jhndcd32.exe
        
        C:\Windows\system32\Jhndcd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Jafilj32.exe
        
        C:\Windows\system32\Jafilj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Kiamql32.exe
        
        C:\Windows\system32\Kiamql32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Kifgllbc.exe
        
        C:\Windows\system32\Kifgllbc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Kihcakpa.exe
        
        C:\Windows\system32\Kihcakpa.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Kadhen32.exe
        
        C:\Windows\system32\Kadhen32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Klimcf32.exe
        
        C:\Windows\system32\Klimcf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Lojeda32.exe
        
        C:\Windows\system32\Lojeda32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Lghgocek.exe
        
        C:\Windows\system32\Lghgocek.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Lppkgi32.exe
        
        C:\Windows\system32\Lppkgi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Mglpjc32.exe
        
        C:\Windows\system32\Mglpjc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Mliibj32.exe
        
        C:\Windows\system32\Mliibj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Moahdd32.exe
        
        C:\Windows\system32\Moahdd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Nnfeep32.exe
        
        C:\Windows\system32\Nnfeep32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Nplkhh32.exe
        
        C:\Windows\system32\Nplkhh32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Nqkgbkdj.exe
        
        C:\Windows\system32\Nqkgbkdj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ofklpa32.exe
        
        C:\Windows\system32\Ofklpa32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Opcaiggo.exe
        
        C:\Windows\system32\Opcaiggo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Ofmiea32.exe
        
        C:\Windows\system32\Ofmiea32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 140
        49⤵
        Program crash
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ekeiel32.exe

Filesize
90KB

MD5
ef706eec332e7d49413bf72c694e73f9

SHA1
82484d9cb28f222c38229d365a3d5a5022130d3d

SHA256
e81f6b1a2b31fc2c6e7759e8ca3acc5732101e9e9a85a2dc752aebd804e7e31c

SHA512
a4e37ea7746fe00cc1575c5dcf0a224b5836f215337f3d4f63558ba4d126421788690bedd6cff300201cfd8d965cde0171c74eaf325083348285e51251234467

Download Submit
C:\Windows\SysWOW64\Iadphghe.exe

Filesize
90KB

MD5
91e64a10d3fa1871b1133c7cffe11480

SHA1
3e7a7796ae1305a4d72c2fe127b2815c212d4469

SHA256
a2df7af25fc6271595423ed09600103ed39cc19e1088780a8df922c30d1895d9

SHA512
c3d919f9599288c3897f54348b4247773c1b2f8258d5d5ebbc7d04b33ed52b932aed115625d0172f36d664567fd5739e1eb1e0999c19108e900530049df5d73a

Download Submit
C:\Windows\SysWOW64\Iamjghnm.exe

Filesize
90KB

MD5
4edeb60783bcd3389982b3def00dd0ae

SHA1
b2ca6a608ddf2ed7922e3b2e3cb2b784af49816e

SHA256
6536f4ed947b569ea9b27736ea04bc50bfbda4cc82f9c37b6771e9a221701282

SHA512
cdca617a9f5ba46aa1767ffb94c1a16593c0efbffeea39bcc6609bd030252e5e9d3c7953c7b66295e2aaa0e17361ba4a13f15ea5b9370ab5f59030b463d558d5

Download Submit
C:\Windows\SysWOW64\Icponb32.exe

Filesize
90KB

MD5
25f5fac168a2a2e80b4a4aa941904138

SHA1
6ebcfb6f4196f0700d2c75a2c7925f0f8084b8db

SHA256
8b4cabc89780200d194dbafe1d7a6d0727edee09fdfc5c292acdc8e8c4824923

SHA512
530ce14255b6b7451341894a39dc11350dd038fc8e168c910bd007f0ef52da15e86c49b0b4907828923754dbda93152d31a3659ecac02f5b7bdb056b8895fe77

Download Submit
C:\Windows\SysWOW64\Ifceemdj.exe

Filesize
90KB

MD5
aff052e1b26c7d3c14a1cfbada73cce6

SHA1
70bf4ecbff4ec5a2122e5401d85701aa249d6d50

SHA256
2a401a0f91afb8587c49506b247107ebbb5ee883ca052eb254aa82f9113e06bf

SHA512
eca58ae0343798c272ab2148f9730db99af8e346d186d81cda7ff8704246424d5c2ed4afc00120386fbaa5f6f9f25dfb3e61a33e97af12512cfcb954cbf81234

Download Submit
C:\Windows\SysWOW64\Ijhkembk.exe

Filesize
90KB

MD5
0a64bf576849e119831a702cf331bcae

SHA1
ff1e4e883b803effa7016cf4e6534a94a8337766

SHA256
6a11f06412b97e80a6118c7d5496ef04ab27a9ba6962ca993db872177bb02b60

SHA512
0a70df14a4b08926b898ad889b6efd0a52a368cdfa46d70b262c582c4098fba583cb71743f3862172569f487418b549a533b45d4f4e58d0c35003196c6036617

Download Submit
C:\Windows\SysWOW64\Imdjlida.exe

Filesize
90KB

MD5
4c23385b018af140e2aecf860f752e0e

SHA1
4831b2f043175f500380720eb976850f724dfd94

SHA256
caca324cd90cd7717f566d312d1b5111efc8235c0c93e5db687f99546d17132a

SHA512
d149b886b4c1bf3bbce11f00299823981bb6c21268933d030126073dfca20041653fb0ffc88a4425dfe80721ae5b0ff93fe358a4f2675db6a09457968c70cfc9

Download Submit
C:\Windows\SysWOW64\Imkqmh32.exe

Filesize
90KB

MD5
e489b48d8f42b8987f1802002dd6e24e

SHA1
8b65102c7cda450a41b2f663063ae6b5d3164505

SHA256
6c0adde3922f958e24487205e22d3356d326acf0b03be07dc7d6b5a194bf413a

SHA512
f7cb57c6359d586e0a17032260694926b678596d8458b6c7ecb0568897e3082f85d8973e7dd346c6535961e2dbb794c8a49a6280dbf31d75e481c41efc4d4c16

Download Submit
C:\Windows\SysWOW64\Jafilj32.exe

Filesize
90KB

MD5
f533a76a713d5c7f74c8ff62ad3aa052

SHA1
2937c45431c5ef9b9f16e21d3e00251d989c3351

SHA256
c8183804586a18a929daef6e84a3513889fc0eafcfb48f8b11af3a6cf93ea5ed

SHA512
3724502c63fcc98695e8bd79ce56ec21203f99ab8592dc521c5f228722043bd9f51504f5da902421d50d6aa82955674c6c6c6c157385350379af48807f7332d7

Download Submit
C:\Windows\SysWOW64\Jhlgnd32.exe

Filesize
90KB

MD5
34a3e3bd7010716d3424ade90a71b7e6

SHA1
96636ce872f032ff01ca4c2f3f1fbb89dd3aacf4

SHA256
66826f9deddfcfe14460b9d11b8916d97ba9ddc984cd260502b24562a9f7363a

SHA512
79f363e77f8c3431d94d695be4a8b504bf597c135b09da67c79418a8cf3d51ec134ecf5fe9bdc7c0bc0915d2bf06ee469bf5b92792e23628187095991f4f82e3

Download Submit
C:\Windows\SysWOW64\Jhndcd32.exe

Filesize
90KB

MD5
5c88adec8b746a550c54954a5175406e

SHA1
d67fb9b3f94269f795bf83b2c2d2b20455dbbf74

SHA256
113f9fea32bf6f3c9dc08459c55fd0cd1f4d41adb0b549b8139081132674b930

SHA512
2f71605577aec92025950434d63ea352923bca9d2eedd5c0aa3f12a38bf6fa4183696e0710185a56deeaf8b4b6d5d523ebc60517f077159370c311eceda4c54a

Download Submit
C:\Windows\SysWOW64\Jjhgdqef.exe

Filesize
90KB

MD5
c28650c9910f32603c9d40642babf709

SHA1
579c84ee14e00decfe80cf81353f4512bb68ce53

SHA256
cc9426f7da75510b7b1b27e5cd82167a3d8274040b8d93098e3c5af415b23023

SHA512
b3e47c41142fbdda4447e5cd7884314471510eb690f7e8a750dd2e08edbb24643b86de410b877bb22bcd68fa248858604029a0affea642a163787703d7d59480

Download Submit
C:\Windows\SysWOW64\Jplinckj.exe

Filesize
90KB

MD5
7529b9f0a3a4e99b026189c4c1ec1196

SHA1
a3362bc40b4b8e44db9df1c0695409ed430f419a

SHA256
f0814277541b3b84bfd61552873ab29ffb57e1656956b5d897e124d38d29fef9

SHA512
218e393dca347bb22562da10b5d2726485a7040d8449d0c18bddacb9847c0e00479ff7b3f819a4645e339ccf4e7b8f21c711a64c5b3f30ee711e2f1b874200f6

Download Submit
C:\Windows\SysWOW64\Jpnfdbig.exe

Filesize
90KB

MD5
0be3897f1bef7e31effe287b1488d854

SHA1
5e4685b2ffd31a5dad1a86447794dfe93eace639

SHA256
11c79d4525eb4943f796fae909b8e2d82566f216fbf9bbfc218ad38f6fe285da

SHA512
0ee9ff3a9e72df929c6d5f51803612258bf436f7a75f592adbb1d5ae2de967ee6b3ee9bf87f9f5e2ca4357a2673d6aed9fb30d4737425819242feba565173985

Download Submit
C:\Windows\SysWOW64\Kadhen32.exe

Filesize
90KB

MD5
2706962fdcf1b40a3b4bc0c11a5ee617

SHA1
75632e89af67ecd33afd67fbd81c6aa2dbc88b24

SHA256
b9c93f85582b17d963230876b4c2d629ffd238b991dbb7c06fc7bdfd06a5dc9b

SHA512
eaf5bd204d8cbc11a95354c1bec7d6c09a79c6bdc7a5288c1efdaa4e5f9d32531c5142f6fd77e4faa9f3438b5b4bfff13f5a48028396d1f0d3b1c867ce84d493

Download Submit
C:\Windows\SysWOW64\Kiamql32.exe

Filesize
90KB

MD5
28cff28bb28dc7615326db13a9615ab8

SHA1
c9c355a0446f481df9648c2f277b2ad9e425cd77

SHA256
77f9b7c1f11b1e7541d400b2885bb896cceaa6baab9cbd828b75133a2d56420f

SHA512
9d18e1bd7a91110861d48885b23f3bf50ca880f30c6226b8dca1cb1879829052197935c6c6d7c54f213dbb9e252ad0b9fb57f408697fd1d679b008e06547e002

Download Submit
C:\Windows\SysWOW64\Kifgllbc.exe

Filesize
90KB

MD5
c301b31780323e4bd3c4fcf715497d10

SHA1
4f7f9c69d20f766be8a7e5743e6c2f2bb81ae917

SHA256
648a88bee0a435e8ba4ff5d7daf2cd919724c04e3c662ef7b0ef4c9ed747c70b

SHA512
4633383e20863cd114f37d1d098428a45d9daa24dd1fe34dba5d561248f8648a410aa57a4df787df219b0d8bb4268d0dbfb34bb1e3698306e6ad7baab06ba1f9

Download Submit
C:\Windows\SysWOW64\Kihcakpa.exe

Filesize
90KB

MD5
4472aec84cb380740150e399a3d7d4f3

SHA1
2382384996b6f4c70942b3a267a0d25a2bd8286f

SHA256
2cc28d07a0dc5cef88e8694b423285f50a130baab34b6379d4a529a9b619a26e

SHA512
76721b7c75260c6c4b27b1b0dc089ee8e2c84a9d6901d1d3cff4b6977de93f1c10d653be76e4378ef2696e7bfd997311aa9982cda01331057fe492467d23d959

Download Submit
C:\Windows\SysWOW64\Klimcf32.exe

Filesize
90KB

MD5
3fa2cf154f4c46cd73dfe071d2a304c8

SHA1
106fc50f8a47659b90fb448ddb7c2a55975f1778

SHA256
9f65bf1af765f5d6f63d6d1dcc7bbd4b46bc5e0603a847ec01ad14751507325a

SHA512
93a3822c287013c13b89a3e380acb9e7867bc4348fca77ba88947adfd7bcde68694bb06319488d28a319b8aadaeee1311d0b932b16cee798781789758021bf0a

Download Submit
C:\Windows\SysWOW64\Lghgocek.exe

Filesize
90KB

MD5
1833c90f71ccc3c71b29e6de26049521

SHA1
68c55bdae104d97e616a138b9518c8e878d32723

SHA256
7b3217d58802aa5ae74e3871f14960bc67d449acfc4f565811b04a448503e643

SHA512
2803e2d5cf698c9492376261f33ff8fd87021cd03636e99a7a30580c1fe2b161dc492aa56e963d71d922b75281638437850af1f0290cd1d03c418edb31cb5fa5

Download Submit
C:\Windows\SysWOW64\Lojeda32.exe

Filesize
90KB

MD5
b80f4270666722c753ce8d516578c53a

SHA1
599e050f215997d9eb265fe6405ad16832aa235d

SHA256
0937cf7289d5bb48341777a5c69bf8c399e706a9a1fa24b4f538e16ffe8c4869

SHA512
539a46d6ea7a1a920b8ce2c22b9c78f04b0824d187d246e09412b269120704ef9518fffb9936a62899ca4dfa25dadebd8f2858b42a6c893c5a2695939f5b3156

Download Submit
C:\Windows\SysWOW64\Lppkgi32.exe

Filesize
90KB

MD5
c51bd44600d5a00a7a2258c40cee6415

SHA1
d4138eb42da628cc4f765d3f8087310c950ee62d

SHA256
cda2ea0b3039b43db5ab6efcca28fa1ca1b75af78646eec375d2c5c7752e65d0

SHA512
9c61f60bf52dae5db8ef3ca0dd0f4c51a922ac9ae438e1e5c8ff87eedf3bfe36bc20ac8d14692ce15260cb00c428c2883646a6082937bbc744c28ccf84ac9096

Download Submit
C:\Windows\SysWOW64\Mglpjc32.exe

Filesize
90KB

MD5
e3bc8cb60560d5832033dde4069b1756

SHA1
50b149669a0dfd9f61f8753eba6f0a02e8ef9bd7

SHA256
4bf9706ab6a2d7785a6d62cad0837fb8da1622f5bbcdadf32b87abca270975d0

SHA512
e27663a00587597cb97f88fa6aea8e34e0b7cd8ee65db3132e7094f29e56f85e4a720c0aff6a9af99260a7de7ab90d2f9e1cede5fc0f0203ccc723cdccd2464e

Download Submit
C:\Windows\SysWOW64\Mliibj32.exe

Filesize
90KB

MD5
fab557ceeec125cd29613544c0483940

SHA1
46624fe3c69ef5f7f243943c55cebb1663c9d392

SHA256
64b137ff3d38a9917fe1fe1c4d7ea0ab61890375845b5d8c00ab2676e2b91637

SHA512
3fb1b26bf0a75d2d3cf939c8b1388c1118b50b272c1fbdd467518c927c25e623eb71cb14c29169154cb9c306b15f80d0c6171b9177dbacea166a8402acf9aac7

Download Submit
C:\Windows\SysWOW64\Moahdd32.exe

Filesize
90KB

MD5
c877e200e83ad7312d8991c65b91bf6d

SHA1
93b3819d46fda8e5dd2475aced1ad716185f9ecb

SHA256
77378641b7efdd9c89a17cce8f6544d6d58511f05ee68676fa3ede2794d28a06

SHA512
46aeadd76f6fc5645680665127aa9b94fad40f8d0621dbf0ff8a33f0a4099fdb71aa45be0981c889e0037ca119b0f08a41d24cde1ccfc09f3a25cc087b016fa5

Download Submit
C:\Windows\SysWOW64\Nnfeep32.exe

Filesize
90KB

MD5
58fb420fa4a63e2ff12967b7e3f686a9

SHA1
aee925ab9110129066b9c6122266975ec9c701b8

SHA256
3bc2952e5ee8a1b6b57aa491779b67f5b66e0e02d9a3ed54ec7c5724d8eb2582

SHA512
9832b4526f690f85e8e56f7ea3cb04539f0f9459c328ee0f91e36ebe30a82d426d4acd982df8866e36791b7a8ca775f4cc7f665c940e8de87c3772ba5d76089e

Download Submit
C:\Windows\SysWOW64\Nplkhh32.exe

Filesize
90KB

MD5
4de6d0bf4fde49323448d1ae03c9fcfb

SHA1
f0acd1dade2bc47998019bb4575df990ae5d1493

SHA256
57db1955d2a497e2774ae38ddf59606873b0239051e541b6ae922a79074726e5

SHA512
7e4619f05d6d9929690f131c7e2b42eb0d88509d934ff9bb69a4246c171dffe66201a3e454cbcbfd0968bd53a8d6b540268d4a696312f0d1c09de8f93c2dbdbe

Download Submit
C:\Windows\SysWOW64\Nqkgbkdj.exe

Filesize
90KB

MD5
969df65fb901437114dd1c22d638ccb5

SHA1
e58ead7e001795f18a2bb3f5d02de33fd6ab4b54

SHA256
9ca66adba9174aa487cd25ef848536a009dad45f8674bb970c076abb264e6885

SHA512
1ca353bdbeead9d957122cbbb886272bb15e2d379169e72146a5ef1c45f636e8597d16da54cd1369303f5cd883c4a17b48f5bbb4d377c9060e871cf83ebd0d28

Download Submit
C:\Windows\SysWOW64\Ofklpa32.exe

Filesize
90KB

MD5
f71ace50b35d2a5dc6ba3feaf5715597

SHA1
02b44bb7853803428586d9fb45b74be29c1aba75

SHA256
6eee7693f6441f230ccce1ab64aeace2daf9821d871a506ea76d55fafb1faac3

SHA512
b4059d1d0d141768e18e7c93a45d756ce2e6bf3bb7cdd047d6f9868d8f1162845300d6a3126344337b758a1f8cf4b90066956ff49925367dc870997835aae83c

Download Submit
C:\Windows\SysWOW64\Ofmiea32.exe

Filesize
90KB

MD5
171230806e0e31a040bdf81e277a2fd8

SHA1
306eb21e3fdf4599c8c39c895eb0edc54de4323b

SHA256
fe533830db1cf4420ad1d7e004264144ea9e4cebcc0d1e83f3a6f9a601516e26

SHA512
7bbc068de87de079b69a67eb2b5d319054d525cb2fa14915ac299f9f0a65508eadf9fd1cf4b63e7a303daa6bddf06c4a9554febddea11fd3c69ef66fb5b50392

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
90KB

MD5
f4ea624f82b4ae1cef62a4876585728d

SHA1
2950d75ab04dd366c55d09378e77f959dff96aa7

SHA256
ea663456f6d73862a982fcfe019aef870eed03819f3a21b62e4c6fd40c6c44a7

SHA512
abeca27465cae45233e4457e21950b97f825ec7f125fdf7fe512fa7193493a63321a1f953932643eac4a469f4af3e04729b68b5e902d34bedd8b959dc2c32cc0

Download Submit
C:\Windows\SysWOW64\Opcaiggo.exe

Filesize
90KB

MD5
5e85691f7a22c44afbf13c8a70155f92

SHA1
2b0943e508386f63e068de288a8e90d35f676710

SHA256
7345e70abc657a93f5d443fa78b5e72e89db044147b1bacefa0642c960731470

SHA512
4afc6a8c69a39c31c2a521adcb725f3cf268c5c4e3ede9ba88da46464939caffe3d478c37e74a7c7f7f06be669f40e9b7ebd34e307c0fec2d2d64d07dc4def14

Download Submit
\Windows\SysWOW64\Epbamc32.exe

Filesize
90KB

MD5
b81e9469bf129c6473bbeb3c30ecf3b1

SHA1
e90770d02ab21ceba84714e3e5b5a67426e5a60a

SHA256
2ba4a1aefa0d77724df3e4d92b46550fa0b0ceb58268af8e3a9c33c03f2e02fa

SHA512
83999e89030b51410ae659c373fcc5129987deada82a14a9fece75e45ad07b60dba2ab95b3b3a4ff866318ce3ec4ef8520559333e7a223442c90efe48696dca3

Download Submit
\Windows\SysWOW64\Fimclh32.exe

Filesize
90KB

MD5
82d54dcf6b431273544139bacd02bdf2

SHA1
97684c5e6590bd463eb0aa390b4fc5f8f0403ea0

SHA256
40ea015825cd7b3df984b073b99cbb7ec495782cce4547b29af6dc97c7c5ce1d

SHA512
3130d7907c29de61ca8005b251c610986f32cc453d19958d41c2e5ba81649aeaca7db706ee47ef4df8fe386bb2d3345685841c9931fc65b8196dbb6a6d9cc357

Download Submit
\Windows\SysWOW64\Fiopah32.exe

Filesize
90KB

MD5
e9dd3aecb2f16f153b66e95f1e434284

SHA1
95948f6b7729226ccbd8af40c1e66f44cd6b675d

SHA256
1d4283ad58c653dd124826a3b845d9ac4f9ed75e31b6eff60c67a0d63c028064

SHA512
ed5c0e8f73123258f1ce9d11aa2bc1418ee4868a0feca02fc48e77b95fa8e3715ed9893d7292189054244fe750f96ce1e0b53f663db9f0c8942b818c2929b890

Download Submit
\Windows\SysWOW64\Foqadnpq.exe

Filesize
90KB

MD5
82e28dddcf6039dc3336af3132d2fa2c

SHA1
0b3dcd7a28b2d077419582adfb01ef7a1422dba8

SHA256
b3fcb17e596eee99f05c66f0d5aa6e6a6dcb2e688071c297891898960de1695c

SHA512
597a0eae0afc92d658cbf5ab245cbc6dd7cadcef1344e51a701721dc18f283b4729f670d3891b891834aaa7064f27fbd169af5d5618d4f9eac0e62a83566a652

Download Submit
\Windows\SysWOW64\Fpkdca32.exe

Filesize
90KB

MD5
56e6177589cedf4198f4653b1b549bf6

SHA1
e1c11e7e1268d500fcb41eece438bd9f7c2dc6c9

SHA256
4a7eb544371ca9abe69990a89e22c548f9471aea5d1c715a4c748a873052f8f3

SHA512
6ebec94620e248752ab08cbe1521d4557995adfbcc9d81b3de0e252a973e650593cc481dad02a40e4e7ad5b5cb39ff308d0cbaedc68c337fb6b1d57994c076ee

Download Submit
\Windows\SysWOW64\Ggbljogc.exe

Filesize
90KB

MD5
72c9c4f31512400ffc2d31021e319f75

SHA1
e5259625d45d2e782fe3e200364e42e763af6e2c

SHA256
bf042780db6d592025538bed2e2072d0a9b24e07e3f060c7c0049d8c32c39c3b

SHA512
255ed3d9b8f15cf92fdbb89ad05bfe2f61505b4c12c2bb37faa79e4ba332f12ed741d7b6377140fdb32c08844bb0340f791ac17595e24a82ed8ce47457c64e2e

Download Submit
\Windows\SysWOW64\Ggeiooea.exe

Filesize
90KB

MD5
b27b1a44a190b52364bcd0bd71dd287d

SHA1
1e6f6c5bd87db1d387374a44bbaf929e2918080f

SHA256
8e69ba6f2c64d5b7a3798aa9f5256480cfc237682f1bd4aaa489dac7d4d4c319

SHA512
435ae97d3e32fc6ec393e1bbfe1e12692b96f230013be266940b517474d82c8c66014d22d784574376424cefa32e4a3230d465134dc1e2b99374cb773204d9fd

Download Submit
\Windows\SysWOW64\Ghmohcbl.exe

Filesize
90KB

MD5
a53dfc90d3affea6ff0de42bf6a84114

SHA1
6f80f1a05b6921e5fab5fb522086b6228cb0fa89

SHA256
6fbf627b2154594c825c931352cf0540d36cd234b016c953662654683d4e0d7b

SHA512
d380afef94a10cf3c0722047aa0a95d4f90e4d472cad98c04345bcc01747e063d39ab38ef48042729380db309c8271d14df931e6e61d537f0a71996e46b1eb4e

Download Submit
\Windows\SysWOW64\Gnhkkjbf.exe

Filesize
90KB

MD5
438497fbbb6bf422b9f8be81e23e720e

SHA1
6b23e6342276a4d7fd1092a0b2458d59169e1223

SHA256
eb9c8909af6545c6eaccc6af0d4f2404cc9a6029d7ae2cc1b5910f647daf5368

SHA512
9235e19a35a2281b91ad3d4766d16a5978b43f591f72659bc783dd58526b9c29a87728b70a1da22edf9f771480f1d28d126946ed1b2eb50cbdbfdff104eded56

Download Submit
\Windows\SysWOW64\Gocnjn32.exe

Filesize
90KB

MD5
21fb3e725f10e51eee0f73f139795112

SHA1
8fda7eccab42b1247406c78974043787e0a2d392

SHA256
99cd5536942da8bef2abfcd59f9330ccf94c5e0780251328a27b5f6564b3a0b9

SHA512
934553e59aed67557dd7e8b93348019a55e8be2fedf2e928b7454bd06269a2f7322f5e0c53818765292cacda5d2142396b810c9939d3bdb722c19bbccfb6493f

Download Submit
\Windows\SysWOW64\Hcnfjpib.exe

Filesize
90KB

MD5
7147bcd7d7f093d68c3079274e6d3724

SHA1
40f3f4dcfa0c852fb38d5916c9ecbbe7f12784ce

SHA256
35491acb9a0673c6511317eeb758ffae27e4f5f9098ea70c29138d41cd8da2ae

SHA512
840a93e0c473ea7e474f6504f71a95c44e82000d05665b6615c5c3b244d5550dbfe13b7510489cd56e439d9e8155ad487f1318e766f9c93fec1ca732dbc833ef

Download Submit
\Windows\SysWOW64\Hcqcoo32.exe

Filesize
90KB

MD5
46a38301cd1c86be216b6d186f0a6923

SHA1
4c42b2e1bafc72e90562306d2a562f943713db4a

SHA256
3975dec3a7e39386dc4633e610090402456de9e0f3f6398d9f5239fe08987b9f

SHA512
3ed387a50ffaabe3f4be35c115f5527fe577906a37cc2e66e80a7fbaa92d900df763a1a84156cd055d97a5fd77fa75a7ecee2f80997902a5686e7ac75e4a8c43

Download Submit
\Windows\SysWOW64\Hefibg32.exe

Filesize
90KB

MD5
fdd14585b8d20fac57eb3f8375528f0b

SHA1
57a4d00e8c3aa95f04c4cb29f2c4ebb25334f34e

SHA256
5da82855e09c22b718c194ca89bd0e126c1080d4608933f2c7e32cd4f7814c27

SHA512
50ab2000638cec9f19f108bbfd67137a296be0127fedce20d215e567862b211d5e3bfe150621fe49f326df26a021e3cc9a34ca20916538d4b950a7f7fc6648ae

Download Submit
\Windows\SysWOW64\Hjfbaj32.exe

Filesize
90KB

MD5
2de6268c4a5e0140cfdde3919d150a35

SHA1
88815f3b7b827a8db92e9c00d61625f9cb31e8f0

SHA256
f1b606b832a495143532b8c9f65c327e41895e4ddb867dcfccdd723dbef88929

SHA512
b0a8bef3a1f435de115a5713b0146992205c9705afc6e5f68529969a77dad1f05e58ba1223a9a9c6178c84eeb8fd64fcc97811f7abf362187171ad8eb91b5e6f

Download Submit
\Windows\SysWOW64\Hnjdpm32.exe

Filesize
90KB

MD5
1aeedb3d11dcdff7b906343608ff6417

SHA1
a2b5debd219b748d6bff827293b6ca332663f7e7

SHA256
3ec615e0cf6576fd6300473924a8a2e8543bb7775cf5d3696d8cd48ad5dc5d3e

SHA512
ab5978f267e37cbb0c2fc82107cfd3e0a9217f4018590fec52e8f00a80ac0d8624429e3349b3a2c3c5b4c6ac495f86cbd3e807632005d08ccac3d0223ca4d953

Download Submit
memory/308-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/908-413-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/908-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/908-412-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/928-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-280-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1072-178-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1072-172-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1072-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-273-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1160-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-457-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1208-456-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1244-323-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1244-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-322-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1476-163-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1476-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-162-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1476-500-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1476-499-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1572-300-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/1572-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-433-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/2028-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-293-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2172-40-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2172-390-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2172-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-363-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2232-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-374-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2304-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-147-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2340-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-312-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2364-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-12-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2412-367-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2412-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-11-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2420-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-465-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2448-469-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2448-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-345-0x0000000001B70000-0x0000000001B9F000-memory.dmp

Filesize
188KB

Download
memory/2528-343-0x0000000001B70000-0x0000000001B9F000-memory.dmp

Filesize
188KB

Download
memory/2528-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-329-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2532-333-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2540-470-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-480-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2660-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-187-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2672-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-389-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2748-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-94-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2752-399-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2812-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-490-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2872-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-491-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2888-66-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2888-411-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2888-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-53-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2904-400-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2904-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-425-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2936-77-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2936-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-354-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2968-355-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2968-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-423-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3060-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-130-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3060-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download