berbew | ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/12/2024, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe
Size

280KB
MD5

aa9a731f75a840cabc25d6911747b46b
SHA1

6092c5ebbb6823155f294dc6f964720ec57dc673
SHA256

ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a
SHA512

94ac461e99da0b65923b7412d91c18d018df55070a138fd2cd99590a10fc84ef9659f0e550e4c01b33231e90ee08171afadc9f4e43e3371b3835a19b64009bf4
SSDEEP

6144:PwzVPi/GOORjMmRUoooooooooooooooooooooooooy/G3:PwzNi//OVLCooooooooooooooooooooa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkhofjoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icmegf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmdadnkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbmcbbki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapebchh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmlhnagm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccbqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faigdn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hipkdnmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilqpdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjhagdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpcbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fagjnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fenmdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fepiimfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdklf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fepiimfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igchlf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igchlf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamimc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icmegf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egafleqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Illgimph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Joaeeklp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgmalg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmdadnkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gljnej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgemplap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjdilgpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lapnnafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkmlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gffoldhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iamimc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgcdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfhbeek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjdilgpc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2696	Egafleqm.exe
2708	Echfaf32.exe
2712	Fbmcbbki.exe
2688	Fenmdm32.exe
2624	Fepiimfg.exe
1692	Fagjnn32.exe
1324	Faigdn32.exe
2536	Gffoldhp.exe
1788	Gmbdnn32.exe
1520	Gmdadnkh.exe
2204	Gljnej32.exe
2396	Gohjaf32.exe
1996	Hipkdnmf.exe
3060	Hbhomd32.exe
316	Hgjefg32.exe
2272	Hgmalg32.exe
3012	Iccbqh32.exe
2508	Illgimph.exe
1152	Icfofg32.exe
2288	Inkccpgk.exe
1060	Igchlf32.exe
2116	Ilqpdm32.exe
2352	Icjhagdp.exe
2908	Iamimc32.exe
884	Icmegf32.exe
1572	Iapebchh.exe
2772	Jabbhcfe.exe
2804	Jhljdm32.exe
2404	Jhngjmlo.exe
3024	Jjpcbe32.exe
2616	Jgcdki32.exe
1160	Jmplcp32.exe
2588	Jmbiipml.exe
2452	Joaeeklp.exe
1728	Kbbngf32.exe
1816	Kofopj32.exe
2308	Kbdklf32.exe
1656	Kklpekno.exe
2744	Kbfhbeek.exe
2912	Kpjhkjde.exe
2236	Kgemplap.exe
604	Kjdilgpc.exe
2968	Lanaiahq.exe
856	Lghjel32.exe
796	Lapnnafn.exe
916	Lcojjmea.exe
3020	Lfmffhde.exe
1760	Ljibgg32.exe
2924	Lpekon32.exe
2476	Lgmcqkkh.exe
2904	Ljkomfjl.exe
2780	Laegiq32.exe
2544	Lfbpag32.exe
3028	Lmlhnagm.exe
876	Lbiqfied.exe
1948	Legmbd32.exe
2032	Mlaeonld.exe
2456	Mbkmlh32.exe
1856	Mbmjah32.exe
2500	Melfncqb.exe
2168	Mkhofjoj.exe
672	Mbpgggol.exe
1016	Mencccop.exe
1128	Mmihhelk.exe

Loads dropped DLL 64 IoCs

pid	Process
2432	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe
2432	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe
2696	Egafleqm.exe
2696	Egafleqm.exe
2708	Echfaf32.exe
2708	Echfaf32.exe
2712	Fbmcbbki.exe
2712	Fbmcbbki.exe
2688	Fenmdm32.exe
2688	Fenmdm32.exe
2624	Fepiimfg.exe
2624	Fepiimfg.exe
1692	Fagjnn32.exe
1692	Fagjnn32.exe
1324	Faigdn32.exe
1324	Faigdn32.exe
2536	Gffoldhp.exe
2536	Gffoldhp.exe
1788	Gmbdnn32.exe
1788	Gmbdnn32.exe
1520	Gmdadnkh.exe
1520	Gmdadnkh.exe
2204	Gljnej32.exe
2204	Gljnej32.exe
2396	Gohjaf32.exe
2396	Gohjaf32.exe
1996	Hipkdnmf.exe
1996	Hipkdnmf.exe
3060	Hbhomd32.exe
3060	Hbhomd32.exe
316	Hgjefg32.exe
316	Hgjefg32.exe
2272	Hgmalg32.exe
2272	Hgmalg32.exe
3012	Iccbqh32.exe
3012	Iccbqh32.exe
2508	Illgimph.exe
2508	Illgimph.exe
1152	Icfofg32.exe
1152	Icfofg32.exe
2288	Inkccpgk.exe
2288	Inkccpgk.exe
1060	Igchlf32.exe
1060	Igchlf32.exe
2116	Ilqpdm32.exe
2116	Ilqpdm32.exe
2352	Icjhagdp.exe
2352	Icjhagdp.exe
2908	Iamimc32.exe
2908	Iamimc32.exe
884	Icmegf32.exe
884	Icmegf32.exe
1572	Iapebchh.exe
1572	Iapebchh.exe
2772	Jabbhcfe.exe
2772	Jabbhcfe.exe
2804	Jhljdm32.exe
2804	Jhljdm32.exe
2404	Jhngjmlo.exe
2404	Jhngjmlo.exe
3024	Jjpcbe32.exe
3024	Jjpcbe32.exe
2616	Jgcdki32.exe
2616	Jgcdki32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Olhfdohg.dll	Echfaf32.exe
File created	C:\Windows\SysWOW64\Jnbfqn32.dll	Iamimc32.exe
File created	C:\Windows\SysWOW64\Fpahiebe.dll	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nhllob32.exe
File created	C:\Windows\SysWOW64\Mjbkcgmo.dll	Jhngjmlo.exe
File created	C:\Windows\SysWOW64\Malllmgi.dll	Kjdilgpc.exe
File opened for modification	C:\Windows\SysWOW64\Fagjnn32.exe	Fepiimfg.exe
File opened for modification	C:\Windows\SysWOW64\Igchlf32.exe	Inkccpgk.exe
File created	C:\Windows\SysWOW64\Cpdcnhnl.dll	Jgcdki32.exe
File created	C:\Windows\SysWOW64\Jjnbaf32.dll	Kbdklf32.exe
File created	C:\Windows\SysWOW64\Bjjppa32.dll	Fbmcbbki.exe
File created	C:\Windows\SysWOW64\Aedeic32.dll	Icmegf32.exe
File created	C:\Windows\SysWOW64\Jhngjmlo.exe	Jhljdm32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Naimccpo.exe
File created	C:\Windows\SysWOW64\Lpekon32.exe	Ljibgg32.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Laegiq32.exe
File opened for modification	C:\Windows\SysWOW64\Fenmdm32.exe	Fbmcbbki.exe
File opened for modification	C:\Windows\SysWOW64\Hbhomd32.exe	Hipkdnmf.exe
File created	C:\Windows\SysWOW64\Joaeeklp.exe	Jmbiipml.exe
File opened for modification	C:\Windows\SysWOW64\Joaeeklp.exe	Jmbiipml.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Icfofg32.exe	Illgimph.exe
File created	C:\Windows\SysWOW64\Pikhak32.dll	Lghjel32.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Mkmhaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Ncmfqkdj.exe
File opened for modification	C:\Windows\SysWOW64\Ljibgg32.exe	Lfmffhde.exe
File opened for modification	C:\Windows\SysWOW64\Mlaeonld.exe	Legmbd32.exe
File created	C:\Windows\SysWOW64\Almjnp32.dll	Mlaeonld.exe
File opened for modification	C:\Windows\SysWOW64\Hgjefg32.exe	Hbhomd32.exe
File created	C:\Windows\SysWOW64\Bmeelpbm.dll	Jhljdm32.exe
File created	C:\Windows\SysWOW64\Ibddljof.dll	Lbiqfied.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nhllob32.exe
File opened for modification	C:\Windows\SysWOW64\Icjhagdp.exe	Ilqpdm32.exe
File created	C:\Windows\SysWOW64\Kofopj32.exe	Kbbngf32.exe
File opened for modification	C:\Windows\SysWOW64\Lapnnafn.exe	Lghjel32.exe
File opened for modification	C:\Windows\SysWOW64\Mbkmlh32.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Ilqpdm32.exe	Igchlf32.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Kbdklf32.exe	Kofopj32.exe
File opened for modification	C:\Windows\SysWOW64\Kklpekno.exe	Kbdklf32.exe
File created	C:\Windows\SysWOW64\Qaqkcf32.dll	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Mbpgggol.exe
File opened for modification	C:\Windows\SysWOW64\Echfaf32.exe	Egafleqm.exe
File created	C:\Windows\SysWOW64\Jmbiipml.exe	Jmplcp32.exe
File created	C:\Windows\SysWOW64\Kbdklf32.exe	Kofopj32.exe
File created	C:\Windows\SysWOW64\Ljkomfjl.exe	Lgmcqkkh.exe
File created	C:\Windows\SysWOW64\Qbpbjelg.dll	Gljnej32.exe
File created	C:\Windows\SysWOW64\Hgjefg32.exe	Hbhomd32.exe
File created	C:\Windows\SysWOW64\Mbkmlh32.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Nkeghkck.dll	Mencccop.exe
File created	C:\Windows\SysWOW64\Mbpgggol.exe	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Nhllob32.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Hipkdnmf.exe	Gohjaf32.exe
File created	C:\Windows\SysWOW64\Jabbhcfe.exe	Iapebchh.exe
File created	C:\Windows\SysWOW64\Lcojjmea.exe	Lapnnafn.exe
File opened for modification	C:\Windows\SysWOW64\Lbiqfied.exe	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Hbhomd32.exe	Hipkdnmf.exe
File created	C:\Windows\SysWOW64\Allepo32.dll	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Mpcnkg32.dll	Lanaiahq.exe
File created	C:\Windows\SysWOW64\Ljibgg32.exe	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Jbhnql32.dll	Hgmalg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2216	1868	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgjefg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfhbeek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljibgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmcqkkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Illgimph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iapebchh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhljdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laegiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmplcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbiipml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lanaiahq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hipkdnmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iccbqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilqpdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhngjmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpekon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fagjnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faigdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgemplap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfmffhde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcojjmea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkmhaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fenmdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmbdnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbhomd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icfofg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gljnej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbiqfied.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkhofjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmfqkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egafleqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbmcbbki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joaeeklp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melfncqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpgggol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgmalg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icjhagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabbhcfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgcdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhipoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbbngf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lapnnafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fepiimfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkccpgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjpcbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjdilgpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echfaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igchlf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll"	Hgjefg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnbi32.dll"	Joaeeklp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icmegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnag32.dll"	Gohjaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Echfaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faigdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbmcbbki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddaaf32.dll"	Illgimph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iamimc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iamimc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll"	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fenmdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpopmpp.dll"	Fagjnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgmalg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egafleqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fagjnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iccbqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jabbhcfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppddhlj.dll"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iianmb32.dll"	Igchlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjhjhkh.dll"	Gffoldhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gffoldhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgmalg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbhomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhnql32.dll"	Hgmalg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnbaf32.dll"	Kbdklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfhbeek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gljnej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgcdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lghjel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbhomd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iccbqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibddljof.dll"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allepo32.dll"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnpcnhmk.dll"	Gmdadnkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gljnej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhljdm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2696	2432	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe	30
PID 2432 wrote to memory of 2696	2432	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe	30
PID 2432 wrote to memory of 2696	2432	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe	30
PID 2432 wrote to memory of 2696	2432	ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe	30
PID 2696 wrote to memory of 2708	2696	Egafleqm.exe	31
PID 2696 wrote to memory of 2708	2696	Egafleqm.exe	31
PID 2696 wrote to memory of 2708	2696	Egafleqm.exe	31
PID 2696 wrote to memory of 2708	2696	Egafleqm.exe	31
PID 2708 wrote to memory of 2712	2708	Echfaf32.exe	32
PID 2708 wrote to memory of 2712	2708	Echfaf32.exe	32
PID 2708 wrote to memory of 2712	2708	Echfaf32.exe	32
PID 2708 wrote to memory of 2712	2708	Echfaf32.exe	32
PID 2712 wrote to memory of 2688	2712	Fbmcbbki.exe	33
PID 2712 wrote to memory of 2688	2712	Fbmcbbki.exe	33
PID 2712 wrote to memory of 2688	2712	Fbmcbbki.exe	33
PID 2712 wrote to memory of 2688	2712	Fbmcbbki.exe	33
PID 2688 wrote to memory of 2624	2688	Fenmdm32.exe	34
PID 2688 wrote to memory of 2624	2688	Fenmdm32.exe	34
PID 2688 wrote to memory of 2624	2688	Fenmdm32.exe	34
PID 2688 wrote to memory of 2624	2688	Fenmdm32.exe	34
PID 2624 wrote to memory of 1692	2624	Fepiimfg.exe	35
PID 2624 wrote to memory of 1692	2624	Fepiimfg.exe	35
PID 2624 wrote to memory of 1692	2624	Fepiimfg.exe	35
PID 2624 wrote to memory of 1692	2624	Fepiimfg.exe	35
PID 1692 wrote to memory of 1324	1692	Fagjnn32.exe	36
PID 1692 wrote to memory of 1324	1692	Fagjnn32.exe	36
PID 1692 wrote to memory of 1324	1692	Fagjnn32.exe	36
PID 1692 wrote to memory of 1324	1692	Fagjnn32.exe	36
PID 1324 wrote to memory of 2536	1324	Faigdn32.exe	37
PID 1324 wrote to memory of 2536	1324	Faigdn32.exe	37
PID 1324 wrote to memory of 2536	1324	Faigdn32.exe	37
PID 1324 wrote to memory of 2536	1324	Faigdn32.exe	37
PID 2536 wrote to memory of 1788	2536	Gffoldhp.exe	38
PID 2536 wrote to memory of 1788	2536	Gffoldhp.exe	38
PID 2536 wrote to memory of 1788	2536	Gffoldhp.exe	38
PID 2536 wrote to memory of 1788	2536	Gffoldhp.exe	38
PID 1788 wrote to memory of 1520	1788	Gmbdnn32.exe	39
PID 1788 wrote to memory of 1520	1788	Gmbdnn32.exe	39
PID 1788 wrote to memory of 1520	1788	Gmbdnn32.exe	39
PID 1788 wrote to memory of 1520	1788	Gmbdnn32.exe	39
PID 1520 wrote to memory of 2204	1520	Gmdadnkh.exe	40
PID 1520 wrote to memory of 2204	1520	Gmdadnkh.exe	40
PID 1520 wrote to memory of 2204	1520	Gmdadnkh.exe	40
PID 1520 wrote to memory of 2204	1520	Gmdadnkh.exe	40
PID 2204 wrote to memory of 2396	2204	Gljnej32.exe	41
PID 2204 wrote to memory of 2396	2204	Gljnej32.exe	41
PID 2204 wrote to memory of 2396	2204	Gljnej32.exe	41
PID 2204 wrote to memory of 2396	2204	Gljnej32.exe	41
PID 2396 wrote to memory of 1996	2396	Gohjaf32.exe	42
PID 2396 wrote to memory of 1996	2396	Gohjaf32.exe	42
PID 2396 wrote to memory of 1996	2396	Gohjaf32.exe	42
PID 2396 wrote to memory of 1996	2396	Gohjaf32.exe	42
PID 1996 wrote to memory of 3060	1996	Hipkdnmf.exe	43
PID 1996 wrote to memory of 3060	1996	Hipkdnmf.exe	43
PID 1996 wrote to memory of 3060	1996	Hipkdnmf.exe	43
PID 1996 wrote to memory of 3060	1996	Hipkdnmf.exe	43
PID 3060 wrote to memory of 316	3060	Hbhomd32.exe	44
PID 3060 wrote to memory of 316	3060	Hbhomd32.exe	44
PID 3060 wrote to memory of 316	3060	Hbhomd32.exe	44
PID 3060 wrote to memory of 316	3060	Hbhomd32.exe	44
PID 316 wrote to memory of 2272	316	Hgjefg32.exe	45
PID 316 wrote to memory of 2272	316	Hgjefg32.exe	45
PID 316 wrote to memory of 2272	316	Hgjefg32.exe	45
PID 316 wrote to memory of 2272	316	Hgjefg32.exe	45

C:\Users\Admin\AppData\Local\Temp\ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe
"C:\Users\Admin\AppData\Local\Temp\ebbe132051c95d47b5785f499633fcfa3b05c4912a834d059192489e31fe6e8a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\Egafleqm.exe
  C:\Windows\system32\Egafleqm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Echfaf32.exe
    C:\Windows\system32\Echfaf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Fbmcbbki.exe
      C:\Windows\system32\Fbmcbbki.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\Fenmdm32.exe
        
        C:\Windows\system32\Fenmdm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\Fepiimfg.exe
        
        C:\Windows\system32\Fepiimfg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Fagjnn32.exe
        
        C:\Windows\system32\Fagjnn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Faigdn32.exe
        
        C:\Windows\system32\Faigdn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Gffoldhp.exe
        
        C:\Windows\system32\Gffoldhp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Gmbdnn32.exe
        
        C:\Windows\system32\Gmbdnn32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Gmdadnkh.exe
        
        C:\Windows\system32\Gmdadnkh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Gljnej32.exe
        
        C:\Windows\system32\Gljnej32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Gohjaf32.exe
        
        C:\Windows\system32\Gohjaf32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Hipkdnmf.exe
        
        C:\Windows\system32\Hipkdnmf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Hbhomd32.exe
        
        C:\Windows\system32\Hbhomd32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Hgjefg32.exe
        
        C:\Windows\system32\Hgjefg32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Hgmalg32.exe
        
        C:\Windows\system32\Hgmalg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Iccbqh32.exe
        
        C:\Windows\system32\Iccbqh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Illgimph.exe
        
        C:\Windows\system32\Illgimph.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Icfofg32.exe
        
        C:\Windows\system32\Icfofg32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Inkccpgk.exe
        
        C:\Windows\system32\Inkccpgk.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Igchlf32.exe
        
        C:\Windows\system32\Igchlf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Ilqpdm32.exe
        
        C:\Windows\system32\Ilqpdm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Icjhagdp.exe
        
        C:\Windows\system32\Icjhagdp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Iamimc32.exe
        
        C:\Windows\system32\Iamimc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Icmegf32.exe
        
        C:\Windows\system32\Icmegf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Iapebchh.exe
        
        C:\Windows\system32\Iapebchh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Jabbhcfe.exe
        
        C:\Windows\system32\Jabbhcfe.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Jhljdm32.exe
        
        C:\Windows\system32\Jhljdm32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Jhngjmlo.exe
        
        C:\Windows\system32\Jhngjmlo.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Jjpcbe32.exe
        
        C:\Windows\system32\Jjpcbe32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Jgcdki32.exe
        
        C:\Windows\system32\Jgcdki32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Jmplcp32.exe
        
        C:\Windows\system32\Jmplcp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Jmbiipml.exe
        
        C:\Windows\system32\Jmbiipml.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Joaeeklp.exe
        
        C:\Windows\system32\Joaeeklp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Kbbngf32.exe
        
        C:\Windows\system32\Kbbngf32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Kofopj32.exe
        
        C:\Windows\system32\Kofopj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Kbdklf32.exe
        
        C:\Windows\system32\Kbdklf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Kklpekno.exe
        
        C:\Windows\system32\Kklpekno.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Kbfhbeek.exe
        
        C:\Windows\system32\Kbfhbeek.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Kpjhkjde.exe
        
        C:\Windows\system32\Kpjhkjde.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Kgemplap.exe
        
        C:\Windows\system32\Kgemplap.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Kjdilgpc.exe
        
        C:\Windows\system32\Kjdilgpc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\Lanaiahq.exe
        
        C:\Windows\system32\Lanaiahq.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Lghjel32.exe
        
        C:\Windows\system32\Lghjel32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Lapnnafn.exe
        
        C:\Windows\system32\Lapnnafn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Lcojjmea.exe
        
        C:\Windows\system32\Lcojjmea.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Ljibgg32.exe
        
        C:\Windows\system32\Ljibgg32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Lpekon32.exe
        
        C:\Windows\system32\Lpekon32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Lgmcqkkh.exe
        
        C:\Windows\system32\Lgmcqkkh.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Lmlhnagm.exe
        
        C:\Windows\system32\Lmlhnagm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Lbiqfied.exe
        
        C:\Windows\system32\Lbiqfied.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Legmbd32.exe
        
        C:\Windows\system32\Legmbd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Mlaeonld.exe
        
        C:\Windows\system32\Mlaeonld.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Mbkmlh32.exe
        
        C:\Windows\system32\Mbkmlh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Mkhofjoj.exe
        
        C:\Windows\system32\Mkhofjoj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Mbpgggol.exe
        
        C:\Windows\system32\Mbpgggol.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 140
        79⤵
        Program crash
        
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fenmdm32.exe

Filesize
280KB

MD5
ec54ddac0e424b781807ba134b4413c5

SHA1
638c5c470be4b7657dc39dc135bca520e8a3be5b

SHA256
8f971f5546311be9e4b485ceab4c45550e60939be84d9c17a6a07471bdbee70e

SHA512
2bc0e121536d20896ea03e780318f7712e448679c1d30edf3414ddbe7215add89b150f05374018c9936439eed63fa6a9c1d52a54ff4bdf676ba7dd30cfef5ebf

Download Submit
C:\Windows\SysWOW64\Hbhomd32.exe

Filesize
280KB

MD5
b190bf60e9a827cb059d9fac8050c531

SHA1
dc4ab8df5af703bb87f2fe1a548b1196bc36d0f6

SHA256
71decd8718e5f083b4d2b85ffb0d9b85eeea98977d351ecd94f97e192c0ed8ba

SHA512
c5ee55eef9c4aea59aa92e1af02f9962e8d4944ba10bbbd4b5038aac42ade6c15f044e63200f720d1531eb8f9c77c6bca2dbcaeb1b6dfaee32ee62683d86ba47

Download Submit
C:\Windows\SysWOW64\Iamimc32.exe

Filesize
280KB

MD5
4d5f4df60a4ad07880f09e99b9e77a6c

SHA1
803680f50202e803e77febdbd53eb97a469d429f

SHA256
3f329b16f74a8d3b56d6679bf33557c1c0ddd12e478d180dfa834ddd189919b5

SHA512
e80669a4a3044b4bd918fb0a3d644995cc310618bc6fa60e49571795e106bda106f49da84f47a385f8a7f77d146b521f6c5783f803a174af477b428182348462

Download Submit
C:\Windows\SysWOW64\Iapebchh.exe

Filesize
280KB

MD5
36dab967ac0207d75b1593d64287d41a

SHA1
75bc8d80419a8e7bdef1de80deb5beae92a8e39a

SHA256
ae7e059c837dd56d5c3e20f29cb9af2b66065c582c51aa52dd057a86059d5e73

SHA512
cb2a50a284f97eaddf3560589972a1baf8e6b0f130069a6b044a690fdda7a47aec3967251499937ab3d7bc98978e72774e363e63f4c7750c658865c646c0d762

Download Submit
C:\Windows\SysWOW64\Iccbqh32.exe

Filesize
280KB

MD5
ddd2ac3e3402d1d06ee66ff315d60ed2

SHA1
de917ada19f452ff86da3419770ee0e01cc50e70

SHA256
a4e939e69c82f12599a42f94c9f310c20ab36e7bd9be9bb9000cbae3526fd429

SHA512
9815f012ab309bd68fe82cbee57072c9618230a9d28e7960d764264deee6c3db90a594cc40c5e9f7a6e1606ac9b642becaed96e4830fd6c4964aacf3c63e07d2

Download Submit
C:\Windows\SysWOW64\Icfofg32.exe

Filesize
280KB

MD5
8167549a50522ebea3b8006c5ce8617a

SHA1
bf3b83e5fc14a4c117664af01092f44406004650

SHA256
b1bdc8a213423ef488ccb08b3eb4c60936f2728f197ab495ee752faa3aee83c0

SHA512
2e7d6a84a226c3efd94c693ef5fd5e4da15fb492f9513db323b565ab922bca2065f637070015c69235adfe749332e83f5c9df4deb33a3ce019df56099d51c540

Download Submit
C:\Windows\SysWOW64\Icjhagdp.exe

Filesize
280KB

MD5
8c7f99b56ac2e8896c51458e1bc303a6

SHA1
9adfcbf00eec8249538451baf24648d621fa6994

SHA256
5e5b54e04a873062867f8d1176cbb0536267c3bf960c79354e0818c40cff17f1

SHA512
307baf153e5f1d1569703f02f309e7c775d57ef781035b9fe9348d217f678acb75a9b6b32667d98f75e2da845cd7a3d2da62b5b336e7567aa0e14529f8084797

Download Submit
C:\Windows\SysWOW64\Icmegf32.exe

Filesize
280KB

MD5
eb89041725d78aa9706661055989d301

SHA1
da33b95d9503639b14220cd934830ceb7cfe3581

SHA256
6e580d2cd20239bfe7744368051e014d49bd55b07f94a81750698e926207e30c

SHA512
e5cccfd0666458c2b52465189eef81b348d3bf5250fc13cdec6030e8c2d1eeb522cfb4126a9a4f3c182c82b4f79657972927a8882649dd06c68b2d3caeb022fa

Download Submit
C:\Windows\SysWOW64\Igchlf32.exe

Filesize
280KB

MD5
ce9d1cb8355f8a6b14ff6500138d10e9

SHA1
7acb297f2708b6d6983aef95ebab75698f7ef858

SHA256
002b20aa8e0700a986f859fadf62e7484b326de0a7f4f43cbe0d522cd8f984bc

SHA512
32f831f16db7c2ae21fd18cd8fd71f7503a60b91752bf0927b9089ee758d5f0f3aada7114a32eb0cc111ba18f2e6d8e2dac56c2b8d20b959c00bf721600195cc

Download Submit
C:\Windows\SysWOW64\Illgimph.exe

Filesize
280KB

MD5
60f44a3f40d0fbda7ccbe42cb2990c3a

SHA1
ec8abe1a53c2f7afc0dbdc3be2374a7b0e0f5e6f

SHA256
6bc680f594f9bb58bf71a659222919694ddc34a478d7cdad983487e3a799ffe8

SHA512
ca563923ec55194fed2d647a46cc2872d433565b2d6e742f2fc2294e056d77e785d6ea2f1a1cf430f54f0bf4b86c456bad49e204f43d59634f6abf50665d4788

Download Submit
C:\Windows\SysWOW64\Ilqpdm32.exe

Filesize
280KB

MD5
d80456917b2af1a4ebbc4d71863d8718

SHA1
c920b02d6e87c94139a7833547d3401406981651

SHA256
873e3a2c4e9fb30969ec614b0b55bbece1adb09c3cb3b33e3f924a0217de59fe

SHA512
7e3de3052557fa39ea25e1505ea0d74b27805cad4261c6b12a75aac1ee1d4aab83fe250509099579cbc00126cda620eb54bb3a22a0fed480f33bcecc4aab583c

Download Submit
C:\Windows\SysWOW64\Inkccpgk.exe

Filesize
280KB

MD5
fc6960f8318a70e70503417bf311690e

SHA1
f638b55942d5222444b9119c7bcd678038a0e8ba

SHA256
71363a97f88960e328291a93b4ac4f9f4a86dcbd4dced78641eb620304debf7a

SHA512
e045f5367d5141111fa94c74233e281b1f0c255075dfa71dc30139fd851bf17a5449af79287566ba62c8c3cef4102ad1feeeb916f42a8e845d93239ecf84a4c3

Download Submit
C:\Windows\SysWOW64\Jabbhcfe.exe

Filesize
280KB

MD5
5f7abba41d09ad0fc27da3f3283209de

SHA1
13c99c092c27b8bfcfe4ac780df924b592001172

SHA256
4800f48e2e9d7895b06a61dfbbd4abf525ffbdd921718d6057bee5e34e0e0095

SHA512
9b12de38728c871578ae28b2332b68ea822ec7218d126d96808de19f039e8580d8df74b057c68bb255eb4026962fb06548dfc5952a974cdfe1dda23652df1aba

Download Submit
C:\Windows\SysWOW64\Jgcdki32.exe

Filesize
280KB

MD5
d6e109959b94e2646a70980525b0e861

SHA1
8d36966c5f41d5f5e3f617db27bf0ccb27378b86

SHA256
6eea76633269b9e53acbe524f39a2ec5bdd398723402d37e3497e0eef45db66a

SHA512
8a2e3e1103a96d25252018488ed720556a0d62cac85654d3afb1b95f3660cb6ba3c94585674adf3dcedf808a0a3ef572832c66afb2b43e063d42c795121d6818

Download Submit
C:\Windows\SysWOW64\Jhljdm32.exe

Filesize
280KB

MD5
8021bfab00646cc9c41db8bfe1f63467

SHA1
4de8ef780b4f78ce6707abf2f7f20f536bd1cfca

SHA256
f6a12fd6e5b6a262d0ff65e98c7aa3960378b066a6dbe8f8686e8b122fbaa1c5

SHA512
daa2be5b02701c9fd55346e555669f1e78472964ea4ff245ccbcca867588816e2f300c778fde8daeac5be96ab13e47a74a00687664ed084802f017c22aa8b463

Download Submit
C:\Windows\SysWOW64\Jhngjmlo.exe

Filesize
280KB

MD5
2ab08d2320a8126dab0f5c549717764e

SHA1
7c403c54a1c6266847c9dc7b99cc0280d59fe3db

SHA256
ae4afadc222f893b648ae527ae485c9fbb6278febeb3e1c275aefcf22db60e66

SHA512
e7f250eb7d3a91668f90cf5ed8c9d97cb73971c5fc0fa5909116f08128918dab073a09737d8944861f82f6b03855e404d86442ebbc9cfb9c4842f0d3089b647c

Download Submit
C:\Windows\SysWOW64\Jjpcbe32.exe

Filesize
280KB

MD5
2aec788886efd465c106baa66e541324

SHA1
43b4289f2cbc4d44760ed593f6a3f4591d6f9f5e

SHA256
ad45cb9c688f247a6ba6a96682530b4f5d722338099dfc2f6b0382a831640929

SHA512
93b337a773a737216101434f77b003a1d7f7bbaaac0647545dd2544c4c3ee026096713935fbf3362f8d863cc7f84b01e12703801a3d31964d8c97ea884fa9d93

Download Submit
C:\Windows\SysWOW64\Jmbiipml.exe

Filesize
280KB

MD5
9ad9bb9f7a0af3fbf90bca74b923c37a

SHA1
958163b97cc0567815e3701a44740b5afbbd0e2c

SHA256
b529a4060d634bdfaa02ca7a47210de574e0ddeed5f75dfe2d50b0fbc5785f76

SHA512
03de29466e9ada2f8601a312ab057ff408a7340e96c55eaf51678de5b910e7360ce46021ae00b3c5470f451e0c873cdc4b540c219dacb02a424f332d3ffa544d

Download Submit
C:\Windows\SysWOW64\Jmplcp32.exe

Filesize
280KB

MD5
a51074a830d84c42b460bcd80bd1facc

SHA1
9d7b7897797a2cd4b82968c5c953afc7306b00e0

SHA256
73ca68806deba18c526384abf44e2871a09ea1f65fcdbc6ccb108dde6b1f8434

SHA512
9ed2ec826c861e04b4357ed0664b11b5fa5d5d88be98781d493818a37b7fe96daf6f3c5384ec7936fb49ca981a6dba092cb2a2681416043ff73b965242c8e7f7

Download Submit
C:\Windows\SysWOW64\Joaeeklp.exe

Filesize
280KB

MD5
65779b74dbf64349a84b6f3b48ab7c04

SHA1
0f5a070dbe7a93d97f51f879cacb8e08293c7c58

SHA256
6ababc149ab392c0e61335fa97779be32c01ca0792d2a21d912f8072d90f4eb8

SHA512
60223486a25f377d00943675d98401854c40559c18ea9df63e3f2abbb8c388975c82ce817bdd7e1d4c36bbab37c5b209929279a3483c78cdcc0495c6a268c61d

Download Submit
C:\Windows\SysWOW64\Kbbngf32.exe

Filesize
280KB

MD5
71d9d1acc1e01359b5b30e3e4f487776

SHA1
911c4fd99b486f679eae06a87856fdefdef97a68

SHA256
b5ebef2b1a8914cd4a5b2b027aa63338db93c2b0a81dcada3f7fdf2243961df3

SHA512
8d1aef5ddca78a6c74ba5b477e5709c29f07af13ef1c7af035faeb23b00f96e8ac08444208466eab25c99b81922ee64d914d2c07880ae5d5ea7afaa554824702

Download Submit
C:\Windows\SysWOW64\Kbdklf32.exe

Filesize
280KB

MD5
80457299209a43dd4ae039e44c5bfc24

SHA1
8c018c421a4508a7b5c058d67cb6675f9409a33e

SHA256
9958f39ce9a15a9b3db4f04e17f08433b721b5c096604009f9fff10c4084addf

SHA512
2fed9bf232464dfbcd45c09789ceffada617c74babd118bbf45f8e5614406a3612ac2a2e69bdebfbcfe510da8fee27000444c55ed6054d1a9498ca6834748229

Download Submit
C:\Windows\SysWOW64\Kbfhbeek.exe

Filesize
280KB

MD5
acac7609dd3a83fd0e16f17a8c1d25d0

SHA1
09d53ea0a904d3addb18a008d2af776c64cfec60

SHA256
7fbca7f8f4f66a57be50f99ba5b27719307be7c5a6dc34a79f8b0443e79ec703

SHA512
c4bf5686eb0a190f76615f33e975fef10dc6b25a3e5bfcbc21f6be13c26a3e3dadc7451f20da6a4b2a7dc9721710c589bf643c4a68d4b6c18dca7ca5716a2798

Download Submit
C:\Windows\SysWOW64\Kgemplap.exe

Filesize
280KB

MD5
14084f2107f783ca85b93bcc0dbd1168

SHA1
c8429b6bcb86deb3a866d143cecc56a9e6120947

SHA256
735966fdda1cd8d86d1148c6c9f81b2326f01b6e5602bb0fb84969f40705cdf9

SHA512
9f5e8ce366ca0886999ffa7425f4db50f8c680f3ce1217fda2e3bd5c2c9e64de11006def9ac7ec5a1fbba480f743c5960bc95f85bd13d444cfbfd99fdb31937e

Download Submit
C:\Windows\SysWOW64\Kjdilgpc.exe

Filesize
280KB

MD5
14ff34e15e1ecd073cf7bd88a4cb67ee

SHA1
aecec045204a61da06d45df895a287d6d25292ed

SHA256
cee315d14550bb181fd9fc8d0f29e3f70c13eb12d52ff5a70b1ed41e46c1eb02

SHA512
944ebf20761dff93bc8c8b5d2185f186cd7005c223eb4592d33ebc3ba25bf47a610c931ea0732a6b6c0c52d03720ddf0b5d4879520e79c7eb91002e0b7737dd4

Download Submit
C:\Windows\SysWOW64\Kklpekno.exe

Filesize
280KB

MD5
7c871e6781355dc8169c8a0c3eefa46a

SHA1
dff8148863cefd682529025f1a32113b2d91621b

SHA256
6edb536901e3d217546aa15ee610d15504c58d03b0928bf79c2c7fbd5ef38df0

SHA512
562f15d5329a7245adf148d9fe16c775856d5159d72a130c57d3a9383d1160a06de22305c3ea6f52e70764291c3bf9841779c856de3c26e2a120283ef2565cff

Download Submit
C:\Windows\SysWOW64\Kofopj32.exe

Filesize
280KB

MD5
ff8ec9c02640b64366bbd53f9443050f

SHA1
38337f3b7068697b0e114230c1b614d8d0785936

SHA256
b32d5d003f540a1a74d359c4067b486110900b5f8896ce58a4680a8873f9609b

SHA512
4c449e38c6e4cf14173dda905689986c8a96b8d54df0c1eae58963232c9e67e794f96df68836fc24637c55d100e04ab22982fed32e5e81c74eb8bd458473a602

Download Submit
C:\Windows\SysWOW64\Kpjhkjde.exe

Filesize
280KB

MD5
5472025e2f5fd4ce59092d509c09946d

SHA1
55ece84a47001e89f2cd87f310cf89fc025dee9f

SHA256
c8cfcb5c37a9bfff151f27c2b855af08400f086770066c95abb6f505fb2e4821

SHA512
2e3c8038f443bd7b51e318076cc85d0bca7c403a11da96a87bc82de9e3df33489c16c8a8290ab9d68825da0e3f6d6224308c42ae9ca26e99cea80b7270b1c35e

Download Submit
C:\Windows\SysWOW64\Laegiq32.exe

Filesize
280KB

MD5
fa1a54d2664c35c7e5f43399913b4c2f

SHA1
6a990dd36ec327cad8c212fe613bc9016b90defa

SHA256
aaa2816c2e5c8d98aa2746818b34db2ee487d609eb8e3ea99efabea04ac4a89a

SHA512
8693028b746dfebca20c3fd3ff908ad9633dc9c4afca797e242eb7a7356b85682dff1ab76e0ee2a4a47bbe2a0113ee11e97e8d40235d622ec94ce5d76f628984

Download Submit
C:\Windows\SysWOW64\Lanaiahq.exe

Filesize
280KB

MD5
ad4ec3f3888544171f80e1c9d3cf07c2

SHA1
6b1588fa00237c60111276619f845c70998ec689

SHA256
d46c1c64eb75c7637ab5512a0de5ffdf202747b98a4321839eb3adae5aa0e23f

SHA512
55de3f04d386e7c0556a2789801ab91a6dc31a4a1a320d0c5724b7bad34b1b2622f7c6a4c0fb9ce526e6b50472c601d19b4e8d416e5fe95baef7465f4ae16702

Download Submit
C:\Windows\SysWOW64\Lapnnafn.exe

Filesize
280KB

MD5
f8166ab9749b460c11ce9c67f5b757e9

SHA1
727e6faf1a60ff2f2f0ee15222dc3b3096fae86a

SHA256
dbffc0c94e33684932f5d57510518c3fc0d0b1fb835a18cb8833c7d753e0c212

SHA512
6147ae69ecfe5b6742f809b1f44dd456379b9f5fbf66ef4a544721f67bebc751a52d00a2afc3289eb35e18ca251dd22d44c9fefb7e47cbac9f4fcf3d789ea96c

Download Submit
C:\Windows\SysWOW64\Lbiqfied.exe

Filesize
280KB

MD5
d67a73c196576d5b8fa2290e452066f4

SHA1
021c2d56371f04c3563b439609fdda162151e8f5

SHA256
42680bc44b94d3563263c5225c7a0267b10c0c92ab3fba2eac41ad20dcc708dc

SHA512
c8716d30f4fb2ee3d3c2ca5653b1f9da586ea6c17f7f29cf7434be29e0e857c5b6d4dd2b93e1745f1d54e40a01d0668b7f723acb7c2de0d7db01fd8a1d2cb6df

Download Submit
C:\Windows\SysWOW64\Lcojjmea.exe

Filesize
280KB

MD5
6d9c208f1d49a5fa7d4eece60cb6a0ed

SHA1
53dfd6889c7bc5b3db8dfc0d4888cb01b1809710

SHA256
49e038798b7c59bac9296bb2b53226287722181eea6c4a4f5678b0221dc3d579

SHA512
209a8168f6cfcb7f96bc3cb348427f08d9a6e7ca9b9ce0644f3a1e96c3edd5fcea285ff1b498e0763ae8e71f44d51fa9e5c2a1ca4f69263ebf630de00dbfd322

Download Submit
C:\Windows\SysWOW64\Legmbd32.exe

Filesize
280KB

MD5
34734df5fe59d7de872e86ff5349c03e

SHA1
bd582532d0189b9128a1e05f0a7d2373f8555fae

SHA256
b1bd83cad596a9b098dff1f635bca7a95e50c16cca7c28ec73b4dc28b8f9d5b9

SHA512
72bd0c6d37306b87d125f541edc9c75bfdba452d002cee814c656fbf178104fbaa20b25cadae005c66fe80a3c491e567a5ee2f93af2306701302f01ea2d9abce

Download Submit
C:\Windows\SysWOW64\Lfbpag32.exe

Filesize
280KB

MD5
5e8a556509c5e30228fd541ab2fde87f

SHA1
a860b19bffe1c526a999268c9b7059a65e7597f0

SHA256
cd116b5cf5b6642bf4761b03853877bcf0765d593054b3b8e7c4f1bfac042675

SHA512
c93ac6e2730e0eba47b9974b731ec687f7ade70f1992116fd5e9fae5958325de7803247a8a774dbbb28c9989852631b99171a721f75d60038ee828c6efec73e9

Download Submit
C:\Windows\SysWOW64\Lfmffhde.exe

Filesize
280KB

MD5
04f1a2e5297c03e44f6b7680ad8d67fd

SHA1
2ede8889ea5b9f408eba6d0d45b993848906e352

SHA256
2a0269e1c20d8ef36e3b81d25aec09d2bbc1f3b490b5b570e5673ef1344f9c57

SHA512
450757fa49fcc4681b032f779cac2c08c2ecae4312df89ab83f6d81d0cf0fa7f80aec30bc5e43e5269b3ec352de73e18a3cc61b1fcc54a11e9702c721ad5c895

Download Submit
C:\Windows\SysWOW64\Lghjel32.exe

Filesize
280KB

MD5
3d223400c0f597f4e2ade1f672c887e1

SHA1
2ccc7fc469cf7334e920e8d599d9d0b00c84d5d1

SHA256
a8f09e4473a249057a2ddf2038b5302a00b0e71968c35238c9bc045c4d3fd4af

SHA512
e45143b3c6afc4161791dec9672adf34fae93ee47da5697e8753acdb65ca5d357ef883d0e1185b1423ead9edb843cc2541baf521d7f159cc7b3e14322c1736bb

Download Submit
C:\Windows\SysWOW64\Lgmcqkkh.exe

Filesize
280KB

MD5
7ae244deaa8278f17d277d099c069a2f

SHA1
9c98d241418348fc4884de16ce0d5c91e3267cdd

SHA256
7870a69dac49d3fbcde0d741b96bfba665b29231e042c94c9de03b74e48e36ed

SHA512
76626dfdd08408c46df776f83ae625f4ae3cdad565a3305249aac1c03c9b61620f3a66f40b05a9095d151278b3374bf3969574cdac8a1c742d3df791efc835f6

Download Submit
C:\Windows\SysWOW64\Ljibgg32.exe

Filesize
280KB

MD5
d1e398fe6c48a3f699c5fc64e8e6da7f

SHA1
c3eea78faa9b634b8270211341cc7556b2c9f15c

SHA256
4614741cd446281b64f60cc9cc992fe620701d192a1e9ae65f701670d07aafd1

SHA512
a802705966e8d3f35b2c65b30008330449a20cd5a7d4c956cb391d4a9a36bd5d3b5b1abba0d491d2c704fce45e0722b77b3b8e90b504f0e7c5ee4446e74ea350

Download Submit
C:\Windows\SysWOW64\Ljkomfjl.exe

Filesize
280KB

MD5
4df71487f4dd6084ea8222ea4f38b672

SHA1
8cd92232f6fac8fa45998114c73e3aad2c790680

SHA256
913bdb2a6da37515efab6690f6971568f5c0ea07a7235c1d2dfc9aa4e485bc50

SHA512
1ab6facade7b6f6deffc9741b5b8b5544d051fa0873fd18aeb6c572fd9e3b3ece82175db9bda4533ef0edfc728ea850abf86ccc42c365ccffd92b8730156d7a0

Download Submit
C:\Windows\SysWOW64\Lmlhnagm.exe

Filesize
280KB

MD5
f59bcabaf57979624937d703725ddc54

SHA1
44fc9e61fde8b61eb95fab47007a806026cc41c4

SHA256
84dd2032132d5dfe24e31b6c454aa513fcbafcfee449efc199b0b88ded601382

SHA512
74d5f2a886cf4f2a27cc38c30a9ecb6b004eadc2d624bb54eca5f1d70e35b7ff60b64daa2989671c94bb2b8b50100b1a67c1402eb2fe7063d1e637654d66df74

Download Submit
C:\Windows\SysWOW64\Lpekon32.exe

Filesize
280KB

MD5
3f699f7b567f24fd2593dda388e4b833

SHA1
787f83e7e265a5e3756ed4aa2475bbff8d3230ca

SHA256
d269d51481735388301cd4877dfaa49f5fc6f93f6e9e52affa68e34f0a49916b

SHA512
e54379dc6bf5fa2a5fb4f5989b9eaa67a033ba0fd80b6c6dca052f8448b947c87f562f416900f688b0fe9d9d87141d63b62431a01c58eb167cf14f2e8aa5bac1

Download Submit
C:\Windows\SysWOW64\Mbkmlh32.exe

Filesize
280KB

MD5
841a551368fa97c711f6a3814c6a259d

SHA1
b1312139cfd55b47b54a9af602021b2f83b5b854

SHA256
9dcacacbc384f7b83912da4f9775e1b8ba02a28661c76e2a64b647caa28fc203

SHA512
f1687dbafda0fbfd4b70936a6b3c6ecd98db7cee6a0262274c497da5154d2ccaead1f46b1c1c72a253fa2220a1e4bda00ba2ddc916400c88da39283e4b40467f

Download Submit
C:\Windows\SysWOW64\Mbmjah32.exe

Filesize
280KB

MD5
6ac44c08c15f298b34ea493437abcaf0

SHA1
79f8871ef7e4fbee15705f6f359f7ab5390ed409

SHA256
efe743fe3bc3a8c803c6d602dced3ce477ba6be604af44e602f6b38752f99cb8

SHA512
b33a7427a9456966c5d503b900e0ac7a98122a9ca9aceda057e6c2b21767445afef5ffb730974aa80e87aa42fd4e795e72e70c99c6b78f8fd1df5736d57d8c11

Download Submit
C:\Windows\SysWOW64\Mbpgggol.exe

Filesize
280KB

MD5
0bb201933e33b69040d69eadf711b771

SHA1
685d584dea39c63de8b1f837052c4979b948e15d

SHA256
76300374d768a9e602d9895cacf4f760e7a867fb6d9a1d19e88ca745f1061e82

SHA512
846f29fc1ada130f8698a8918f4f326614d1c59f43feee4c7b3c3bb6a24f3c3ff56b94874c1b05a1839dab7afd5e3fadfb6d4d2f8cd73fd803822932363ce0c9

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
280KB

MD5
c0290f94276f018b40f9c789c4001f20

SHA1
1d1934be670dc72d810352525a23988fa816aea5

SHA256
ffc685d14436b150e2c3d06d45ce47ca109bc590bcb46df324469dd1ee8ce811

SHA512
3fd15d99909790355102d3349695ce094d1d827b0170d059fc96675b32d3eceece59ac27574b2243f0b99a0c134a9634290e17a9fd84eb76da1cba4fb7b2d5c8

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
280KB

MD5
ccb4bb97e09a719f32b9da9005db2a19

SHA1
c1833b489a07412e359787db9643c7ce420e5938

SHA256
4ccc0074d7d10dde527b5c4a6ced81efb968a565ded7d3c288c61d6512bda9c7

SHA512
48847b4e82a6c656f1acb71b021a2ebd6fe0ffc8a8e2977beb94467183c0bd7a1de43c361b836b91f07f23771a07430082bfe34f23862576ce1e4f5c2bc6a311

Download Submit
C:\Windows\SysWOW64\Mkhofjoj.exe

Filesize
280KB

MD5
f5585da64510e36cdda43c651fcbe706

SHA1
0c0f1192d693da52e2811f2745f5650d3369e419

SHA256
01988ef84a874008df3be057c183d4015c847507c7cc775dc5139ff51877fcd4

SHA512
145035558c3318a21f3ca49af1f2055305994bdbb01ee9841d57d75ac8fdaba0df31999d87971ff13143596d49df404af3274537210898ab451ae37181b7c339

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
280KB

MD5
26161360c84314921092c5665672b624

SHA1
16b11ec02334dffba658e1071152c567632382c6

SHA256
b0bfbb70184ed8f2c2322af2aff210b8bfc47979b551ebe5fd1868c72427309b

SHA512
347170269e95b3b3f2a2353e55de97fcfc7054211b202766b88bf9ec027ec3128c4ce20c5159fa58ff239d8c73aecfc8a314ea6849bffe3c6a077fd099095d16

Download Submit
C:\Windows\SysWOW64\Mlaeonld.exe

Filesize
280KB

MD5
76ad94a75be2a9781c751a2d9edc414d

SHA1
924a7001369d33c898af9e801fe84a335d709fc6

SHA256
62629d088a5adc7bcff7eb4bd1f2b4d35c2a49596fa909dac31e82c718ea4d4c

SHA512
00c61ce5f44fa76a5438abcc05397f51c0d27bd32763469548cd2996f583cc04c32fbe6dfca062cbe0d5464d9fbf0a7e45941c48a17d69bd66dccdb4453249b9

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
280KB

MD5
a04401218feff015b72aab56d4e88da7

SHA1
9a5b180bf3e7c99de238740904f427448843f8e9

SHA256
940a5370b2976ee170c94243e03874780f9cec94ffc904026fb8aa6620abe73c

SHA512
9b28a2e99185e45d0b610c4f2389c85cad2d7122df09ea98e9aa21d456c9bcab1391ce8611f38a44b481487f671788bfae10338208329d7d290fc820832f0913

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
280KB

MD5
c6b261a7d6ab0064a7830115e0efd455

SHA1
a0f1a59031ca40aa0cf9baa3a126d78b5677a790

SHA256
0a71ff5cf839ab16320d644fc39f6d97e0a3164bdc1b9043b587b3187ba04de5

SHA512
e639e8e3c5a3563eb68e8e0b6c610ab2e6b3954d85a9c20dd438ba5545f7cfdcf96d66bc75bb52c2c76db124e7947aabfa6f9e5ae439e8e25bff947c8627facf

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
280KB

MD5
c94d21c3ceb47381137ac0a4ede6407f

SHA1
6a02a1088c0f714a0cbe18ef10d1f538e6935188

SHA256
081622609526b8a4b2a9b6b53cd566669d67a406e5018c20cdef41e83c0dceb4

SHA512
21b804a4a4a8fc4b3f91a8687478d1941981bef3007c2e888bb132507eed3d2548a9f999cf34f9a668d515f62fcf43a52b2b692cc8de7fc29e9a07fc5af2f265

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
280KB

MD5
f12a7109ba2ccf543bebfe2448df4be5

SHA1
6af494b8e3bcad93bb2220e30d4850166a3cfd86

SHA256
6d5b18aa573a57597ba7db522651cc2da448e911f0c93f5a4ddbaa9b815e26b3

SHA512
a188a7211e6c6fbc722e9d96dd9fef70dffe3f74ebdbfc7b338c268007df37aefe4a4ce139d35796a6382a212c0929e27dac26c0c4f779f27dc736becee9db1e

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
280KB

MD5
63f12212ce69d41067f2a4a3e1ca40d5

SHA1
463c6be80f106645f70853948ecdccd725815692

SHA256
4e19b5cf3565b8a1657acbd12ff9555aadf01d0149eba58fb55dd4db1ecf3ab3

SHA512
13798970b3c8861736a2ce76714246ecc4402768e38e8a54394a31ab673bfe630c889c6419fd97ddda838178344417d2dc0692a2129c47b44d11e0a10c740c1b

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
280KB

MD5
5f1ab8d448a6fa44d711108f47bd41bc

SHA1
30885a62a71662c843ebee6db17eaaf44c66c5a1

SHA256
0e1659a86d3eeb48a5a04a0e4e60bbbae31e5d85c65d71dbaecd82f3a0b57fec

SHA512
8967478b1fa4af931b6dc82290e90fed41e69fcbe3a041486a12692688897ebbb57e4e750eecbc8199dc6565bbfcdd1c3982120470037239de7d8e61a3db16f1

Download Submit
C:\Windows\SysWOW64\Nhffdaei.dll

Filesize
7KB

MD5
6b1ea399db11b1d166ce4bc37c7f4765

SHA1
ec880ae378d7fc84dda1bcd26053ba2c16de790b

SHA256
9036cce125b1910b0495d5474ebba2639d3855ca4b98badb9604b0c400760162

SHA512
c3b720786af5d993a6baa6ae5d362385c879d4ea42f70ca73a3c978b5691be3b3ca0941867d675cdd6f8dcd19b003124be84cb31fd904c19924ec1c1b8f9c171

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
280KB

MD5
777747e1b54e4291a71eaa6bf9210afa

SHA1
33ee8f30ab1f65a0f3edeaf7bdc14334ecfef463

SHA256
9cccc8b02d8fa17dc7a17c47e0e897204348994308727b43ab97b35f9bf719fd

SHA512
7048a333d2bc21c1fd9a356fde67d76a78dee3ae03c3de50020e19c3a88f9ffa7ce4861e2e9b77890b597838c36087d4e44226bfa4adad61246cd676b4c4cc4b

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
280KB

MD5
75eca71e68ffe4c74cba168c51a42db8

SHA1
48d2bf5563cda10f3193ac6cad32215ab89e3e1d

SHA256
cbb451b888665fd489f2eeca407ed5cb0f3e1e12ecfb5b5f435c155e6e984112

SHA512
7eefc9c26bb977e03e7b36916fd7055dd25a16282d1f372d911fbc8e2e091b2947591f075a86d7cb3918f58fa489c1e1b40cff3c9abf9c4ab07a581a98cd2392

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
280KB

MD5
7c81fa81b8201211fbf73906addd4509

SHA1
2ae0c88800bb9b914d10b464f4bbcce08036f03a

SHA256
2c6be9830e56f18326d23b73af2744479666383b6497652136b5d013da6e2713

SHA512
c5030d43d4f98ec9607bc424f0b88bd6a433fcacd1290b12433c6fb16d826b4f640cc723b0a575328f4ebd4db4a4be62b42aea41e2b64e583009488504770791

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
280KB

MD5
4bbca805bec41174c94b4527bc75c368

SHA1
66c3c035a772e2ab16d43c0318c702c65a545b7e

SHA256
206e15b06fccaf316a95ae3d1ea11f37543f2c677c3e41331fbbbd5a0b4b729d

SHA512
3b292c7796b0e24a16006c6f7891256403c6a7270bba71315223445ca7a577d54e3645c0c26687bc65b520ef890187f0a62ffaa4ace87d33f2aa9580fc1f0b8d

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
280KB

MD5
e81864fdd342ff575df0f86ed3d69e8f

SHA1
3bf383232ad8ca610936873bb018d0d203a58ff8

SHA256
dbbaf426d0a9c8170748c2987e8fae606f3c684f6168d92f6065308c9bf26ce3

SHA512
9b267d72623f35872a9499a8ad769d603c2a7b7afb0125391e53704aa10ed3d988dce98a0a6be1dcea555a2a44507200677ed952f5679284dd61f09d3a6a1c20

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
280KB

MD5
383f2bba62223776ef2d9f44b0d5612a

SHA1
865fb404319e021bcee8ddfdd159228742af7025

SHA256
f657febc8d6d2b4e9ab9021e4262285d60fe5fa4047572d7828c93b8e0ae272e

SHA512
f97a2b141ca5f448fc01ad1ceaa377c70a86da22043bf16ef40aa538ad66ed754bf9f2bb94460d7ed7ddf03685043c53aa097cc754d71eec93816c36e9cf92bb

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
280KB

MD5
18d937e1ee738ad08eed92d0c76469f4

SHA1
da426437daff488057f54e97795edddf620a3ff6

SHA256
d44fca23c434e428491140ead398cd6e3f615d6b4b6b98dcef6eaf59f1dbed7c

SHA512
1de43a79616a5e0986750be099320b76930c73dec9cbea806f83f47aede910c1d6fb9398ebb3cbb7d14a2d0af02adef395b10aecb4e32236ae2715979a5adcdb

Download Submit
\Windows\SysWOW64\Echfaf32.exe

Filesize
280KB

MD5
b89ea56923085ea6bf7b456d237737af

SHA1
f5f1a0d946b7cdcded50f892865defb365515ab9

SHA256
c6e8ab092451e25d3d5826a6425faad7f03edc03c2b8f8d459a04dd8cd33292f

SHA512
3f7d8bbb9e906e6b01d1e10810658e63c9dbd6cc6eebfb44ccbae76155561fe044af3d4a7101c4950577f340b31e8f7b25146da9a72d58d178e68288652b2ad0

Download Submit
\Windows\SysWOW64\Egafleqm.exe

Filesize
280KB

MD5
e0b67bde436aceb79f9847b30210b8fa

SHA1
1e23c9f9a9c9e9b41871e728f2549f8717cc4bb3

SHA256
748de7f5f9d38590dd18e7afedb8bb70b6f3902abe977909f944e54715cee46e

SHA512
9c36bc9f5f3522bd5a7e8101bca776f47a93d29b96043d4a089e54aef61787ff6d2a7bc81cf9992ddd62179d93e2ac8c82000e732d256b55ebdfbe77c021d4dc

Download Submit
\Windows\SysWOW64\Fagjnn32.exe

Filesize
280KB

MD5
2b739e4527beea435bf4c8133efbf7b3

SHA1
e0e8cd1b17a58c95e30a4c81dab1837d7cd151be

SHA256
d4ff2dff09c6bc3ebb816722f2bba1d6e9526af0396b75ee2de3e32bbd8ce573

SHA512
29e80815111441e4bb180d0d0e6f154ad7a2c9a8f86613dd13f8783bcee58c3983f4b5d1c7f778ed40d308c5dbd5926b5b0323a72da4bf14e5ac5bf17e9292fb

Download Submit
\Windows\SysWOW64\Faigdn32.exe

Filesize
280KB

MD5
62ceffc1c0418bb8aff6664232d924bb

SHA1
6bfe8ffe867d59cc4665eb84674e29bf186c3a84

SHA256
a982dce907422940d8a372926df38137c61bcff249bb7d8c0d2a25cc926d7a30

SHA512
dd9d91a706632a17419d9831ed8ba1bbec049602be94f0a7fc30ca0d2798a7d81765f4ae23f915883dfc4c65a8837b4ad07fbd3924b27b4d3c35ac9e0dcc179e

Download Submit
\Windows\SysWOW64\Fbmcbbki.exe

Filesize
280KB

MD5
e09a555d13401622d57166dc175c50c7

SHA1
d82b9bf59dcf9918bea021e0d0f18689ffd6c8ff

SHA256
fa6a1e1b55c272c7cf1cbebbbdf381e5f887b2853c521186ab3a288a70a90bf7

SHA512
15caa905702780ad558add3ad4cf72973902d84b72a8d6a415d6dcf7cb9129f8068d576c963dc38ccb0329d7fc91b60a98ecc3439823c57a53634d33bcd2236d

Download Submit
\Windows\SysWOW64\Fepiimfg.exe

Filesize
280KB

MD5
3630fd0beffcfc981ef6b7e78e0d0aaf

SHA1
94a46f9d4487a43f28d2cf8e50bb4198b58340b1

SHA256
28b027d55be165b9b285c961c7a163a768ee71d8535a06e2302712bc6bb5c8de

SHA512
46ebdb7519c96288a36ad9621218869e830f175d14d1dd67cbf1ad65bb7f9eae63f7ad9ff50595bb38a4c646a570913ec7324f84f5e2379642c32bfaa8337714

Download Submit
\Windows\SysWOW64\Gffoldhp.exe

Filesize
280KB

MD5
d55c23c42acecdab3b2aebaa4579f67a

SHA1
3344124433bd2b5b23d6fb5c40da5e90b73b7708

SHA256
6a8e51dac3547e3d7cccc70b9699e31efb7b0ab45c28714e704a8f51d39269b6

SHA512
f1e77af28b7df00c5e0349210071c52d65c3c3472b8ccd451ab56a581012a0f2cf91f777fcf249376945d996deb4f9b2bdff67830e637e91d77df5ca9690810a

Download Submit
\Windows\SysWOW64\Gljnej32.exe

Filesize
280KB

MD5
46e05ab17c3db4da21aa6a7174983517

SHA1
20f9bc2d75bb02e85ff33e7cd211fcf056ce3dd1

SHA256
536b569ebb715ba5784506fe24a067e04be597615da9f23b2702456c6bd21432

SHA512
00d599c2737d7446db2c8474e345dbe6f23364007a2db54c3a90801ca123ec76c56e0421749b1450e027950a00f6f01e519cd233932210549b811f43cff03377

Download Submit
\Windows\SysWOW64\Gmbdnn32.exe

Filesize
280KB

MD5
216cff22fec47d2b42af54664c3accb7

SHA1
4263b80ae8807483cf81e4e089d831dc031efc41

SHA256
c237d6288baff17d7188e0747b87ef8112d2a28299c98ca2e3660c3cdcb08824

SHA512
dc1f15d266991872f12ae7d6258a331680cde4d3a39401b448827c5ae1cc2f46afc11e77f6ddda44d2e713c4bceb5f5af4ba0f1328562a1266a8fe7322d2e1b1

Download Submit
\Windows\SysWOW64\Gmdadnkh.exe

Filesize
280KB

MD5
2f8e1dfae4d7cf263179d5884a5c7db7

SHA1
e620edc6128cc87090f2b135f0c4276cab11eb61

SHA256
d1c9d30bd6761283f64b413b6a68461bd677d2afa76d0f5148255095be04e91a

SHA512
2eeef559b72724b05c03acfd0a480e9e3b080a60b5deb8e0cc084f2d242de82f41ec1e7d1bb11de6d0b52ac897a58b9d94bafc251b376a80a601bb577ffe5864

Download Submit
\Windows\SysWOW64\Gohjaf32.exe

Filesize
280KB

MD5
e1ad1dc1fcc4c936326b78b63c8f69de

SHA1
5b5c194ea75a011d1b262d8c1be778bec1a960f2

SHA256
1670b8fdb0c85d619aa845f0f2ae1b712e4d7f4003a12453834e275501267048

SHA512
54c0d23d894761f7a6ee9706f3789ce85dd2fd70b3827ffa00f1fbc6336b694bbde1f57cffcc7dd6e9090e8bef02f49c5787c83c6b1163de32691e64a8bd18a1

Download Submit
\Windows\SysWOW64\Hgjefg32.exe

Filesize
280KB

MD5
879bfefad0ef74a830b2619042721bca

SHA1
136e8ee19a8d4cf0da342b46cffa6a6b399b4e05

SHA256
578f3d8ce664210117b446942a75589dd68a8f2848960503734422eac215c359

SHA512
64ee4baab86e0321ba8e30ef0c3e4afc31eb5e468cffd5a635a7acc962aadad4eac222f7da06fb1abfab0e3c991e71af45f47f898574a6cc1c11e3838381186f

Download Submit
\Windows\SysWOW64\Hgmalg32.exe

Filesize
280KB

MD5
bd85e1b7bd732096fea53caedef7ea4a

SHA1
b63dd395729d3a30be7f36375cf32a4130f0b64a

SHA256
4ce640cc5c468dc3d03e9fa23c375aaa5ed3a6636b47681500bdadbdeee7211e

SHA512
c50e5522023b3b1db637562956b839ae38e1174fde9b021e69132a02ea42d07bf1629c83973adc0b0875919d7c63012035fca8c91509b0fe8bcada0e3f4c6672

Download Submit
\Windows\SysWOW64\Hipkdnmf.exe

Filesize
280KB

MD5
7807f3d9be1e7e2d448aed146d200c0c

SHA1
31a0e905f22b3e0219cb1ecc0cceb5f9d7243d5e

SHA256
40237fe64ddd819d618d864f73736c9c28538a05661d184c42af12d5c586f9c9

SHA512
f98ac2b2f85345e961d9f21a7948ae6b39086b963dcae22cbc43210cf43a9c35b588aaa272afc4adace75ecad36cf7b58ad29122a1290d4a312f42678e6eb2bc

Download Submit
memory/316-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/316-218-0x0000000000490000-0x00000000004C4000-memory.dmp

Filesize
208KB

Download
memory/884-321-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/884-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-320-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1060-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-275-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1152-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-256-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/1160-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-403-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1324-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-106-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/1324-428-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/1520-143-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1520-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-458-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1520-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-332-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1572-331-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1656-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-88-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1692-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-450-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1816-449-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1996-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-189-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2116-289-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2116-287-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2204-157-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2204-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-227-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2288-265-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2308-462-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2308-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-299-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2352-298-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2396-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-170-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2404-364-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2404-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-369-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2432-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-344-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2432-7-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2452-426-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2452-427-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2452-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-246-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2536-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-115-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2588-414-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2588-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-415-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2616-390-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2624-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-76-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2688-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-391-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2688-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-392-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2688-66-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2696-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-25-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2696-24-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2696-346-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2708-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-34-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2708-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-368-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2712-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-52-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2712-380-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2772-343-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2772-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-353-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2804-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-310-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2908-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-306-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3012-239-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/3024-376-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3060-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-204-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/3060-198-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads